Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Know where to start and where to focus attention in the implementation of a big data strategy.
Decide the most correct tools to use in order to solve enterprise data management problems.
Compare the TCO of a SQL (scale up) with a NoSQL (scale out) deployment to determine whether NoSQL will save costs.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
By defining your goals, framing solutions based on end-user workloads, and understanding the pros and cons of various solutions, you can visualize what success looks like for your VDI/DaaS deployment. This includes defining your KPIs by end-user experience, knowing the decision gates for a successful deployment, and defining your hypothesis for value to make your decision more accurate and gain C-suite buy-in.
Virtual desktop infrastructure (VDI)/desktop as a service (DaaS) users expect their user experience to be at least equal to that provided by a physical PC, and they do not care about the underlying infrastructure. If the experience is less, then IT has failed in the considerations for VDI/DaaS. In this research we analyze the data that the IT industry tracks but doesn't use or sometimes even look at regarding user experience (UX).
Understanding the strengths and weaknesses in your in-house technical skills and business requirements will assist you in making the right decision when it comes to VDI or DaaS solutions. In the case of DaaS this will include a managed service provider for small to medium-sized IT teams. Many IT teams lack a seasoned IT project manager who can identify gaps, risks, and weaknesses in the organization's preparedness. Redeploy your IT staff to new roles that impact management and monitoring of UX.
Ultimately, IT needs to reduce its complexity, increase user satisfaction, reduce management and storage costs, and maintain a secure and effective environment for both the end user and the business. They must also ensure productivity standards throughout the considerations, strategically, tactically, and in support of a move to a VDI or DaaS solution.
Your Challenge: With the evolution of VDI over the last 15-plus years, there has been a proliferation of solutions, such as Citrix desktop services, VMware Horizon, and in-house hypervisor solutions (e.g. ESX hosts). There has also been a great deal of growth and competition of DaaS and SaaS solutions in the cloud space. Hybrid work environments, remote from anywhere and any device, and the security concerns that go hand-in-hand with these strategies have certainly accelerated the move to VDI and DaaS. How will you manage and navigate the right solution for your organization?
Common Obstacles: IT departments can encounter many obstacles to VDI and DaaS, many of which will be determined by your business model and other factors, such as:
Info-Tech’s Approach: By defining your end goals, framing solutions based on end-user workloads, and understanding the pros and cons of what solution(s) will meet your needs, you can visualize what success looks like.
Every IT organization needs to be asking what success looks like. If you do not consider how your end user will be impacted, whether they are doing something as simple as holding a team meeting with voice and video or working with highly technical workloads on a virtual environment, you will run into multiple issues that affect end-user satisfaction, productivity, and adoption. Understand the tension metrics that may conflict with meeting business objectives and KPIs.
Client-Driven Insight: Different industries have different requirements and issues, so they look at solutions differently.
Info-Tech Insight: If end-user experience is at the forefront of business requirements, then any solution that fits the business KPIs can be successful.
Questions you should be asking before you create your RFP
How would you rate the user experience on your VDI/DaaS solution?
Info-Tech Insight: Asking critical use-case questions should give you a clear picture of the end-user experience outcome.
Security is always quoted as a primary justification for VDI/DaaS, while UX is far down the list of KPIs. WHY? IT engineers use network and performance metrics to manage end-user complaints of “slowness,” which in reality is not what the user is experiencing. IT needs to invest in more meaningful metrics to manage end-user pain:
(Source: Enterprise Strategy Group, 2020)
The dimensions of end-user experience can be broken down into four distinct categories that will impact not only the end user but also the business. Picturing your landscape in this framework will help clearly define your considerations when deciding on whether a VDI or DaaS solution is right for your business. We will investigate how these scenarios impact the end user, what that means, and how that can guide the questions that you are asking as you move to an RFP.
Info-Tech Insight: In the world of VDI and DaaS, if you do not get buy-in from the end user, the rate of adoption and the overall success of the implementation will prove difficult to measure. It will be impossible to calculate ROI even as you feel the impact of your TCO.
What IT measures: Most business KPI objectives concentrate on business goals, whether it be cost containment, security, simplification, ease of management, or centralization of apps and data, but rarely is there a KPI for end-user experience. You can’t fix what you can’t see. Putting a cost benefit to end-user satisfaction may come in the form of productivity. This may be a central reason why VDI has not been widely adopted as an architecture since it came to the marketplace more than 15 years ago.
Monitoring end-user metrics will mitigate the tension between business KPIs and end-user satisfaction
| | | Metric | Description |
|---|---|---|---|
| End-User | PERFORMANCE | Logon duration | Once the user puts in their password, how long does it take to get to their desktop? What is the measurement and how do you measure? |
| | | App load time | When an app is launched by the user there should be immediate indication that it is loading. |
| | | App response time | When the user performs a task, there should be no wait time, or hourglass icon, waiting for the app to catch up to the user input. (There is no succinct way to measure this.) |
| | | Session response time | How does the user’s OS respond to I/O? The user should not experience any latency issues when doing a drag and drop, clicking on a menu item, or doing a search. |
| | AVAILABILITY | SLAs | When something goes wrong in the VDI/DaaS environment, how quickly can the user expect to get back to their tasks? |
| | | Geographic location | When all other considerations are configured correctly, the user experience may be impacted by their location. So, for example, a user working out of Mexico and logging into a VDI may experience latency based on location compared to a user in California, for example, where the resources are stored, managed, and monitored. |
| | | Application availability | Much like app load time and response time, the only factor affecting the user experience is the back-end load on the app itself, for example a CAD or heavy resource app not properly resourced. |
| | FUNCTIONALITY | Configuration of user desktop | Degradation in functionality is caused by improper allocation of CPU, RAM, and GPU for the tasks at hand, creating a bad UX and end-user satisfaction score. |
| | | Graphics quality and responsiveness | The user should have the same experience as if on their own physical machine. A video experience should not have any lag in it, for example. MS Teams should not have latency or sound quality issues. |
| | | Predictive analysis | Continuous performance and availability monitoring. |
| | END USER | Browser real user monitoring (RUM) | A real-time view into how the web application is performing from the point of view of a real end user. |
| | | Customer satisfaction score | Survey-based metrics on customer satisfaction. |
“If employees are the competitive edge and key differentiator for a business, I&O has a duty of care to ensure that the employees’ digital experience enables and does not impede the value of that asset.” (John Annand, Principal Director, Info-Tech Research Group)
Is security and data sovereignty the only reason?
Technical capability | |
AVAILABILITY | VDI is a better fit than DaaS in organizations that have limited or unreliable internet connectivity. |
FUNCTIONALITY | Application flexibility: Resource-intensive applications may require specific virtual desktop configurations, for example in-house GIS apps, CAD, and gaming software requiring specific GPU configurations. |
SECURITY | Data protection is often stated as a need to maintain an on-premises VDI solution, ensuring sensitive and highly privileged data does not travel across the internet. |
AVAILABILITY | While some cloud providers will allow you to bring your OS licensing along with a cloud migration, many subscriptions already include OS licensing, and you may be paying additional licensing costs. |
SECURITY | VDI makes sense if security and control are primary business KPIs, the IT resources are experienced virtual infrastructure engineers and administrators, and funding is not a hindrance. |
PERFORMANCE | When processing power is a functional requirement, such as CPU, GPU, and storage capacity, VDI offers performance benefits over a standard PC, reducing the need to deploy high-powered PCs to end users. |
“Though the desktops are moving to the cloud, accountability is not.” (Gary Bea, Director of Consulting Services and Technical Operations, Goliath Technologies)
Any device anywhere: key benefits of DaaS
Technical capability | Challenges | |
AVAILABILITY | Delivers a consistent user experience regardless of location or device. | Info-Tech Insight: The total cost of the solution will be higher than you anticipate, and management is complex. Additionally, your ability to set your conditions and controls is limited. Info-Tech Insight: Depending on your technical abilities and experience with cloud services, you will likely benefit from professional third-party services, technical services, and consulting, which can be critical when deciding if DaaS can fit into your current IT architecture, processes, and security posture. |
SECURITY | Enhances security posture by eliminating your client VPN and keeping sensitive data off the endpoint device. | |
FUNCTIONALITY | Onboard and offboard users quickly and securely. | |
FUNCTIONALITY | Provides centralized workspace management. | |
FUNCTIONALITY | Scale up or down on demand with a consumption- and subscription-based contract. | |
FUNCTIONALITY | Significantly reduce operational overhead compared to managing a traditional VDI deployment. |
From an end-user experience perspective, what makes sense in terms of usage and cost?
Thin Client | Desktop as a Service | Thick Client | Device as a Service | Web Client
What is the better security posture and control plane? Clarify your stakeholders’ objectives, then see if VDI is an adequate solution.
Modernize and Transform Your End-User Computing Strategy: Phase 3.2 of this research set covers virtual desktop infrastructure.
Implement Desktop Virtualization and Transition to Everything as a Service: Follow Info-Tech’s process for implementing the right desktop virtualization solution to create a project plan that will help ensure that you not only choose the right solution but also implement it effectively.
Cloud Strategy Workbook: Use this tool to assess cloud services (desktop-as-a-service).
Desktop Virtualization TCO Calculator: This tool is designed to help you understand what desktop virtualization looks like from a cost perspective.
Anderson, Joseph. “Five Ways VDI Will Grow in 2022 Thanks to Hybrid Work.” StratoDesk, 28 Feb. 2022. Web.
Bowker, Mark. “Are Desktops Doomed? Trends in Digital Workspaces, VDI, and DaaS.” ESG, May 2020. Web.
“The CISO's Dilemma: How Chief Information Security Officers Are Balancing Enterprise Endpoint Security and Worker Productivity in Response to COVID-19.” Hysolate, Oct. 2020. Web.
King, Val. “Why the End-User Experience Is Not Good for Your Remote Workforce.” Whitehat Virtual Technologies, 2 Dec. 2021. Web.
Perry, Yifat. “VDI vs DaaS: 5 Key Differences and 6 Leading Solutions.” NetApp, 26 Aug. 2020. Web.
Rigg, Christian. “Best virtual desktop services 2022.” TechRadar, 20 Jan. 2022. Web.
Seget, Vladan. “Key metrics to consider when assessing the performance of your VDI/DaaS environment.” vladan.fr, 19 April 2021. Web.
Spruijt, Ruben. “Why Should You Care About VDI and Desktop-as-a-Service?” Nutanix, 28 Jan. 2020. Web.
Stowers, Joshua. “The Best Desktop as a Service (DaaS) Providers 2022.” business.com, 21 Dec. 2021. Web.
“Virtual Desktop Infrastructure (VDI) Market 2022.” MarketWatch, 5 Jan. 2022. Web. Press release.
Zamir, Tal. “VDI Security Best Practices: Busting the Myths.” Hysolate, 29 Nov. 2021. Web.
Zychowicz, Paul. “Why do virtual desktop deployments fail?” Turbonomic Blog, 16 Dec. 2016. Web.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Produce a prioritized list of high-demand infrastructure services.
Design workflows and create the first draft of the infrastructure services playbook.
Build a service rate sheet to track costs and develop better service capabilities.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Define and prioritize infrastructure services.
Identify candidate services for the Playbook.
1.1 Define the services you own.
1.2 Prioritize infrastructure services.
Affinity map of infrastructure services
Service pain points and root causes
A list of high-demand infrastructure services
Build workflows and an infrastructure services playbook.
Produce a draft infrastructure services playbook.
2.1 Design workflow for service delivery.
2.2 Add steps and requirements to the Services Playbook.
Documented service workflows
Infrastructure Services Playbook
Identify costs and mature service delivery capabilities.
Build an infrastructure service rate sheet.
Define next steps for infrastructure service capabilities.
3.1 Optimize infrastructure cost estimates.
3.2 Mature your I&O organization into a service broker.
Service Rate Sheet
Master list of infrastructure services
Action plan for Playbook implementation
"Managing a hybrid infrastructure environment is challenge enough. Add to this the pressure on IT Operations to deliver services faster and more continuously – it’s a recipe for boondoggle deployments, overcommitted staff, end-user frustration, and operational gridlock.
It’s not every service you provide that causes problems, so prioritize a few in-demand, painful services. Build and maintain durable, flexible processes that enable your team to provide consistent, repeatable services at a standard cost. Identify opportunities to improve service delivery.
You’ll save the business time and money and your own team significant grief." (Andrew Sharp, Research Manager, Infrastructure & Operations, Info-Tech Research Group)
In this blueprint, the first step will be to document infrastructure services to:
Example: Create a new server resource in a virtual environment vs. public cloud
In a virtualized environment, provisioning processes can still be relatively siloed. In a software-defined environment, many steps require knowledge across the infrastructure stack. Better documentation will help your team deliver services outside their area of specialty.
The purpose behind DevOps is to reduce friction and deliver faster, more continuous, more automated services through the use of cross-functional teams.
DevOps: bridging Applications Development and Infrastructure & Operations by embracing a culture, practices, and tools born out of Lean and Agile methodologies.
"The bar has been raised for delivering technology products and services – what was good enough in previous decades is not good enough now." (Kim, Humble, Debois, Willis (2016))
Crawl | Walk | Run
Demand for infrastructure services is usually driven by external requests or operational requirements. Prioritize services based on criticality, durability, frequency, availability, and urgency requirements.
Building and deploying toolsets is taking a long time
Start | Stop | Continue
Cross-silo knowledge is needed: In a software-defined environment, building and launching a new server requires knowledge across the stack.
Infrastructure & Operations are bound by two metrics:
Because tracking cost is integral to efficiency, cost and budget management, by proxy, is one of the most important Infrastructure & Operations metrics.
Cost management is not a numbers game. It is an indicator of how well infrastructure is managed.
Use Info-Tech’s methodology to get value faster from your infrastructure services playbook.
| Phases | Phase 1: Define and prioritize infrastructure services | Phase 2: Build the infrastructure services playbook | Phase 3: Identify costs and mature service delivery capabilities |
|---|---|---|---|
| Steps | 1.1 Define the services you own | 2.1 Design workflows for service delivery | 3.1 Estimate infrastructure service costs |
| | 1.2 Prioritize infrastructure services | 2.2 Add steps and requirements to the services playbook | 3.2 Mature your I&O organization into a service broker |
| Tools & Templates | Infrastructure Services Playbook | Infrastructure Service Workflows | Service Rate Sheet |
Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.
This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.
This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.
| DIY Toolkit | Guided Implementation | Workshop | Consulting |
|---|---|---|---|
| "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Scoping (Call 1): Scope requirements, objectives, and stakeholders. Review the playbook toolset and methodology, and establish fit-for-need.
Identify Services (Call 2): Brainstorm common infrastructure services your group provides. Consolidate the list and identify priority services.
Create Service Workflows (Calls 3-4): Build Visio workflows for 2-3 priority services.
Populate the Playbook (Calls 4-5): Add data to the playbook based on infrastructure service workflows
Create a Rate Sheet for Costs (Call 6): Build a rate sheet that allows you to calculate costs for additional
Your Guided Implementation will pair you with an advisor from our analyst team for the duration of your infrastructure services project.
Module 1 (Day 1) | Module 1 (Day 1) | Module 1 (Day 1) | Offsite deliverables wrap-up (Day 5)
Activities:
Define and Prioritize Infrastructure Services
1.1 Assess current maturity of services and standardization processes.
1.2 Identify, group, and break out important infrastructure services.
1.3 Define service delivery pain points and perform root-cause analysis.
1.4 Prioritize services based on demand criteria.
Build the Infrastructure Services Playbook
2.1 Determine criteria for standard versus custom services.
2.2 Document standard workflows for better alignment and consistent delivery.
2.3 Build a flowchart for the identified high-demand service(s).
2.4 Outline information as it relates to the service lifecycle in the Playbook template.
Identify Costs and Mature Service Delivery Capabilities
4.1 Gather information for the rate sheet.
4.2 Choose an allocation method for overhead costs.
4.3 Select the right approach in the crawl, walk, run model for your organization.
4.4 Discuss the promotion plan and target revision dates for playbook and rate sheet.
PHASE 1: Define and prioritize infrastructure services
1.1 Define the services you own
1.2 Prioritize infrastructure services
IT infrastructure & operations teams deliver services that fulfil requests, support projects, resolve problems, and operate systems.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
See if a custom off-the-shelf process optimization makes sense.
Determine the right (level of) governance for your implementation.
Prepare for the overall implementation journey and gather your requirements. Then conduct a stage-gate assessment of this phase.
Conduct a stage-gate assessment after every step below.
Review your dispositions to ensure they align with your goals.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Analyze the current mix of programs and projects in your portfolio and assess the maturity of your current PPM processes.
Enhance and optimize your portfolio management processes to ensure portfolio criteria are clearly defined and consistently applied across the project lifecycle when making decisions about which projects to include or remove from the portfolio.
Implement your portfolio management improvement initiatives to ensure long-term sustainable adoption of new PPM practices.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Analyze the current mix of the portfolio to determine how to better organize it according to organizational goals and constraints.
Assess which PPM processes need to be enhanced to better organize the portfolio.
An analysis of the existing portfolio of projects (highlighting areas of concern).
An analysis of the maturity of current PPM processes and their ability to support the maintenance of an organized portfolio.
1.1 Pre-work: Prepare a complete project list.
1.2 Define existing portfolio categories, criteria, and targets.
1.3 Analyze the current portfolio mix.
1.4 Identify areas of concern with current portfolio mix.
1.5 Review the six COBIT sub-processes for portfolio management (APO05.01-06).
1.6 Assess the degree to which these sub-processes have been currently achieved at the organization.
1.7 Assess the degree to which portfolio-supporting IT governance and management processes exist.
1.8 Perform a gap analysis.
Analysis of the current portfolio mix
Assessment of COBIT alignment and gap analysis.
Define clear and usable portfolio criteria.
Record/design portfolio management processes that will support the consistent use of portfolio criteria at all stages of the project lifecycle.
Clearly defined and usable portfolio criteria.
A portfolio management framework that supports the consistent use of the portfolio criteria across all stages of the project lifecycle.
2.1 Identify determinants of the portfolio mix, criteria, and constraints.
2.2 Define the target mix, portfolio criteria, and portfolio metrics.
2.3 Identify sources of funding and resourcing.
2.4 Review and record the portfolio criteria based upon the goals and constraints.
2.5 Create a PPM improvement roadmap.
Portfolio criteria
Portfolio metrics for intake, monitoring, closure, termination, reprioritization, and benefits tracking
Portfolio Management Improvement Roadmap
Ensure that the portfolio criteria are used to guide decision making at each stage of the project lifecycle when making decisions about which projects to include or remove from the portfolio.
Processes that support decision making based upon the portfolio criteria.
Processes that ensure the portfolio remains consistently organized according to the portfolio criteria.
3.1 Ensure that the metrics used for each sub-process are based upon the standard portfolio criteria.
3.2 Establish the roles, accountabilities, and responsibilities for each sub-process needing improvement.
3.3 Outline the workflow for each sub-process needing improvement.
A RACI chart for each sub-process
A workflow for each sub-process
Ensure that the portfolio management improvement initiatives are sustainably adopted in the long term.
Stakeholder engagement.
Sustainable long-term adoption of the improved portfolio management practices.
4.1 Conduct a change impact analysis.
4.2 Create a stakeholder engagement plan.
Change Impact Analysis
Stakeholder Engagement Plan
Completed Portfolio Management SOP
With the exponential pace of technological change, an organization's success will depend largely on how well CIOs can evolve from technology evangelists to strategic business partners. This will require CIOs to effectively broker relationships to improve IT's effectiveness and create business value. A confidential journal can help you stay committed to fostering productive relationships while building trust to expand your sphere of influence.
Highly effective executives have in common the ability to successfully balance three things: time, personal capabilities, and relationships. Whether you are a new CIO or an experienced leader, the relentless demands on your time and unpredictable shifts in the organization’s strategy require a personal game plan to deliver business value. Rather than managing stakeholders one IT project at a time, you need an action plan that is tailored for unique work styles.
A personal relationship journal will help you:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use this research to create a personal relationship journal in four steps:
Use this exemplar to build a journal that is readily accessible, flexible, and easy to maintain.
As technology becomes increasingly important, an organization's success depends on the evolution of the modern CIO from a technology evangelist to a strategic business leader. The modern CIO will need to leverage their expansive partnerships to demonstrate the value of technology to the business while safeguarding their time and effort on activities that support their strategic priorities. CIOs struggling to transition risk obsolescence with the emergence of new C-suite roles like the Digital Transformation Officer, Chief Digital Officer, Chief Data Officer, and so on.
CIOs will need to flex new social skills to accommodate diverse styles of work and better predict dynamic situations. This means expanding beyond their comfort level to acquire new social skills. Having a clear understanding of one's own work style (preferences, natural tendencies, motivations, and blind spots) is critical to identify effective communication and engagement tactics.
Building trust is an art. Striking a balance between fulfilling your own goals and supporting others will require a carefully curated approach to navigate the myriad of personalities and work styles. A personal relationship journal will help you stay committed through these peaks and troughs to foster productive partnerships and expand your sphere of influence over the long term.
Joanne Lee
Principal, Research Director, CIO Advisory
Info-Tech Research Group
Your Challenge: In today's unpredictable markets and rapid pace of technological disruptions, CIOs need to create business value by effectively brokering relationships to improve IT's performance. Challenges they face:
Common Obstacles: Limited span of influence. Mistaking formal roles in organizations for influence. Understanding what key individuals want and, more importantly, what they don't want. Lack of situational awareness to adapt communication styles to individual preferences and context. Leveraging different work styles to create a tangible action plan. Perceiving relationships as "one and done."
Info-Tech's Approach: A personal relationship journal will help you stay committed to fostering productive relationships while building trust to expand your sphere of influence.
Highly effective executives have in common the ability to balance three things: time, personal capabilities, and relationships. Whether you are a new CIO or an experienced leader, the relentless demand on your time and unpredictable shifts in the organization's strategy will require a personal game plan to deliver business value. This will require more than managing stakeholders one IT project at a time: It requires an action plan that fosters relationships over the long term.
Stakeholder Management
A common term used in project management to describe the successful delivery of any project, program, or activity that is associated with organizational change management. The goal of stakeholder management is intricately tied to the goals of the project or activity with a finite end. Not the focus of this advisory research.
Relationship Management
A broad term used to describe the relationship between two parties (individuals and/or stakeholder groups) that exists to create connection, inclusion, and influence. The goals are typically associated with the individual's personal objectives and the nature of the interaction is seen as ongoing and long-term.
Continuum of Commitment
Info-Tech's framework that illustrates the different levels of commitment in a relationship. It spans from active resistance to those who are committed to actively supporting your personal priorities and objectives. This can be used to baseline where you are today and where you want the relationship to be in the future.
Work Style
A reference to an individual's natural tendencies and expectations that manifest themselves in their communication, motivations, and leadership skills. This is not a behavior assessment nor a commentary on different personalities but observable behaviors that can indicate different ways people communicate, interact, and lead.
Glossary
CDxO: Chief Digital Officer
CDO: Chief Data Officer
CxO: C-Suite Executives
63% of CDxOs report directly to the CEO ("Rise of the Chief Digital Officer," CIO.com)
44% of organizations with a dedicated CDxO in place have a clear digital strategy versus 22% of those without a CDxO (KPMG/Harvey Nash CIO Survey)
The "good news": CIOs tend to have a longer tenure than CDxOs.
Source: "Age and Tenure of C-Suites," Korn Ferry
The "bad news": The C-suite is getting overcrowded with other roles like Chief Data Officer.
Source: "Chief Data Officer Study," PwC, 2022
The digital evolution has created the emergence of new roles like the Chief Digital Officer and Chief Data Officer. They are a response to bridge the skill gap that exists between the business and technology. CIOs need to focus on building effective partnerships to better communicate the business value generated by technology or they risk becoming obsolete.
From managing relationships with friends to key business partners, your success will come from having the right game plan. Productive relationships are more than managing stakeholders to support IT initiatives. You need to effectively influence those who have the potential to champion or derail your strategic priorities. Understanding differences in work styles is fundamental to adapting your communication approach to various personalities and situations.
Insight 1: Expand your sphere of influence
It's not just about gaining a volume of acquaintances. Figure out where you want to spend your limited time, energy, and effort to develop a network of professional allies who will support and help you achieve your strategic priorities.
Insight 2: Know thyself first and foremost
Healthy relationships start with understanding your own working style, preferences, and underlying motivations that drive your behavior and ultimately your expectations of others. A win/win scenario emerges when both parties' needs for inclusion, influence, and connection are met or mutually conceded.
Insight 3: Walk a mile in their shoes
If you want to build successful partnerships, you need to understand the context in which your stakeholder operates: their motivations, desires, priorities, commitments, and challenges. This will help you adapt as their needs shift and, moreover, leverage empathy to identify the best tactics for different working styles.
Insight 4: Nurturing relationships is a daily commitment
Building, fostering, and maintaining professional relationships requires a daily commitment to a plan to get through tough times, competing priorities, and conflicts to build trust, respect, and a shared sense of purpose.
Supplement your CIO journey with these related blueprints.
First 100 Days as CIO
Become a Strategic CIO
Improve IT Team Effectiveness
Become a Transformational CIO
What are the hallmarks of a healthy relationship with your key stakeholders?
"In my view, I work with partners like they are an extension of my team, as we rely on each other to achieve mutual success. Partnerships involve a deeper, more intimate relationship, where both parties are invested in the long-term success of the business."
Why is it important to understand your stakeholder's situation?
"It's crucial to remember that every IT project is a business project, and vice versa. As technology leaders, our role is to demystify technology by focusing on its business value. Empathy is a critical trait in this endeavor, as it allows us to see a stakeholder's situation from a business perspective, align better with the business vision and goals, and ultimately connect with people, rather than just technology."
How do you stay committed during tough times?
"I strive to leave emotions at the door and avoid taking a defensive stance. It's important to remain neutral and not personalize the issue. Instead, stay focused on the bigger picture and goals, and try to find a common purpose. To build credibility, it's also essential to fact-check assumptions regularly. By following these principles, I approach situations with a clear mind and better perspective, which ultimately helps achieve success."
In a recent conversation with a business executive about the evolving role of CIOs, she expressed: "It's the worst time to be perceived as a technology evangelist and even worse to be perceived as an average CIO who can't communicate the business value of technology."
This highlights the immense pressure many CIOs face when evolving beyond just managing the IT factory.
The modern CIO is a business leader who can forge relationships and expand their influence to transform IT into a core driver of business value.
Identify key stakeholders and their perception of IT's effectiveness
Identify and prioritize your key stakeholders. Be diligent with stakeholder identification. Use a broad view to identify stakeholders who are known versus those who are "hidden." If stakeholders are missed, then so are opportunities to expand your sphere of influence.
Assess stakeholder sentiments from Info-Tech's diagnostic reports and/or your organization's satisfaction surveys to help identify individuals who may have the greatest influence to support or detract from IT's performance and those who are passive observers that can become your greatest allies. Determine where best to focus your limited time amid competing priorities by focusing on the long-term goals that support the organization's vision.
Understand which individuals can directly or indirectly influence your ability to achieve your priorities. Look inside and out, as you may find influencers beyond the obvious peers or executives in an organization. Influence can result from expansive connections, power of persuasion, and trust to get things done.
Visit Info-Tech's Diagnostic Programs
30-60 minutes
Start with the key stakeholders that are known to you. Take a 360-degree view of both internal and external connections. Leverage external professional & network platforms (e.g. LinkedIn), alumni connections, professional associations, forums, and others that can help flush out hidden stakeholders.
Use stakeholder satisfaction surveys like Info-Tech's Business Vision diagnostic as a starting point to identify those who are your allies and those who have the potential to derail IT's success, your professional brand, and your strategic priorities. Review the results of the diagnostic reports to flush out those who are:
Consider the following:
Key Output: Create a tab for your most critical stakeholders.
Download the Personal Relationship Management Journal Template.
Create a stakeholder profile to understand the context in which stakeholders operate.
Collect and analyze key information to understand the context in which your stakeholders operate. Use the information to derive insights about their mandate, accountabilities, strategic goals, investment priorities, and performance metrics and challenges they may be facing.
Stakeholder profiles can be used to help design the best approach for personal interactions with individuals as their business context changes.
If you are short on time, use this checklist to gather information:
Understanding what stakeholders want (and more importantly, what they don't) requires knowing their business and the personal and social circumstances underlying their priorities and behaviors.
Create a profile for each of your priority stakeholders to document their business context. Review all the information collected to understand their mandate, core accountability, and business capabilities. The context in which individuals operate is a window into the motivations, pressures, and vested interests that will influence the intersectionality between their expectations and yours.
Crushing demands and competing priorities can lead to tension and stress as people jockey to safeguard their time. Identify some observable challenges to create greater situational awareness. Possible underlying factors:
Adapt communication styles to the situational context in which your stakeholders operate
Each stakeholder has a preferred modality of working which is further influenced by dynamic situations. Some prefer to meet frequently to collaborate on solutions while others prefer to analyze data in solitude before presenting information to substantiate recommendations. However, fostering trust requires:
Adapting your communication style to create productive interactions will require a diverse arsenal of interpersonal skills that you can draw upon as situations shift. The ability to adapt your work style to dial any specific trait up or down will help to increase your powers of persuasion and influence.
"There are only two ways to influence human behavior: you can manipulate it, or you can inspire it." – Simon Sinek
Every individual has a preferred style of working. Determine work styles starting with self-awareness:
Through observation and situational awareness, we can make inferences about people's work style.
Where appropriate and when opportunities arise, ask individuals directly about their preferred work styles and methods of communication. What is their preferred method of communication during the normal course of interaction versus for urgent priorities?
Consider the following when brainstorming engagement strategies for different work styles.
Think about engagement strategies in different professional scenarios:
Use the Business Archetypes to brainstorm possible approaches for engaging with different work styles. Additional communication and engagement tactics may need to be considered based on circumstances and changing situations.
Be Relevant
Be Consistent and Accurate
Be Clear and Concise
Be Attentive and Authentic
"Good communication is the bridge between confusion and clarity." – Nat Turner (LinkedIn, 2020)
Moving from intent to action requires a plan to ensure you stay committed through the peaks and troughs.
Key elements of the action plan:
Investing in relationships is a long-term process. You need to accumulate enough trust to trade or establish coalitions to expand your sphere of influence. Even the strongest of professional ties will have their bouts of discord. To remain committed to building the relationship during difficult periods, use an action plan that helps you stay grounded around:
"Make intentional actions to set intentionality. Plans are good to keep you grounded and focused, especially when relationships go through ups and downs and there are changes: to new people and new relationships."
– Angela Diop, Senior Director, Executive Services, Info-Tech & former VP of Information Services with Unity Health Care
Establish your personal goals and expectations around what you are seeking from the relationship. Determine the strength of your current connection and identify where you want to move the relationship across the continuum of commitment.
Use insights from your stakeholder's profile to explore their span of influence and degree of interest in supporting your strategic priorities.
Based on your personal goals, identify where you want to move the relationship across the continuum of commitment: What are you hoping to achieve from the relationship? How will this help create a win/win situation for both you and the key stakeholder?
Fostering relationships takes time and commitment. Utilizing metrics or personal success criteria for each of your focus areas will help you stay on track and find opportunities to make each engagement valuable instead of being transactional.
The strength of the relationship will help inform the level of time and effort needed to achieve your goals.
Cultivate your network and relationships with the goal of building emotional connection, understanding, and trust around your shared purpose and organization's vision through regular dialogue. Be mindful of transactional exchanges ("quid pro quo") and be strategic about their use. Treat every interaction as equally important regardless of agenda, duration, or channel of communication.
Everyone's time is valuable, and you need to come prepared with a clear understanding of why you are engaging. Think about the intentionality of the conversation:
Communication is built on both overt expressions and subtext. While verbal communication is the most recognizable form, non-lexical components of verbal communication (i.e. paralanguage) can alter stated vs. intended meaning. Engage with the following in mind:
Management plans are living documents and need to be flexible to adapt to changes in stakeholder context.
Building trust takes time and commitment. Treat every conversation with your key stakeholders as an investment in building the social capital to expand your span of influence when and where you need it to go. This requires making relationship management a daily habit. Your action plan needs to be a living document: a personal journal in which you record your observations, feelings, and actions. Such a plan enables you to make constant adjustments along the relationship journey.
"Without involvement, there is no commitment. Mark it down, asterisk it, circle it, underline it." – Stephen Covey (LinkedIn, 2016)
While a personal relationship journal is not a formal performance management tool, identifying some tangible measures will improve the likelihood of aligning your intent with outcomes. Good measures will help you focus your efforts, time, and resources appropriately.
Keep the following in mind:
Knowledge Gained
New Concepts
Approach to Creating a Personal Journal
Tech Trends and Priorities Research Centre: Access Info-Tech's Tech Trend reports and research center to learn about current industry trends, shifts in markets, and disruptions that are impacting your industry and sector. This is a great starting place to gain insights into how the ecosystem is changing your business and the role of IT within it.
Embed Business Relationship Management in IT: Create a business relationship management (BRM) function in your program to foster a more effective partnership with the business and drive IT's value to the organization.
Become a Transformational CIO: Collaborate with the business to lead transformation and leave behind a legacy of growth.
Content:
Info-Tech's Business Archetypes was created based on our analysis of the DiSC Profile and Myers-Briggs FIRO-B personality assessment tools that are focused on assessing interpersonal traits to better understand personalities.
The adaptation reflects in part that Info-Tech does not design personality assessment tools, as this is neither the intent nor the expertise of our services. Instead, the primary purpose of this adaptation is to create a simple framework on which our members can base their observations of behavioral cues and identify appropriate communication styles to better interact with key stakeholders.
Cautionary note:
Business archetypes are personas and should not be used to label individuals or to make assumptions or any other biased judgments about their personalities. Every individual has all elements and aspects of traits across various spectrums. This must always remain at the forefront when utilizing any type of personality assessment or framework.
DiSC® is a personal assessment tool that was originally developed in 1928 by psychologist William Moulton Marston, who designed it to predict job performance. The tool has evolved and is now widely used by thousands of organizations around the world, from large government agencies and Fortune 500 companies to nonprofit and small businesses, to help improve teamwork, communication, and productivity in the workplace. The tool provides a common language people can use to better understand themselves and those they interact with, and to use this knowledge to reduce conflict and improve working relationships.
DiSC is an acronym that stands for the four main personality profiles described in the Everything DiSC model: (D)ominance, (i)nfluence, (S)teadiness, (C)onscientiousness
People with (D) personalities tend to be confident and emphasize accomplishing bottom-line results.
People with (i) personalities tend to be more open and emphasize relationships and influencing or persuading others.
People with (S) personalities tend to be dependable and emphasize cooperation and sincerity.
People with (C) personalities tend to emphasize quality, accuracy, expertise, and competency.
The Fundamental Interpersonal Relations Orientation Behavior (FIRO-B®) tool has been around for forty years. The tool assesses your interpersonal needs and the impact of your behavior in the workplace. The framework reveals how individuals can shape and adapt their individual behaviors, influence others effectively, and build trust among colleagues. It has been an excellent resource for coaching individuals and teams about the underlying drivers behind their interactions with others to effectively build successful working relationships.
The FIRO framework addresses five key questions that revolve around three interpersonal needs. Fundamentally, the framework focuses on how you want to express yourself toward others and how you want others to behave toward you. This interaction will ultimately result in the universal needs for (a) inclusion, (b) control, and (c) affection. The insights from the results are intended to help individuals adjust their behavior in relationships to get what they need while also building trust with others. This will allow you to better predict and adapt to different situations in the workplace.
FIRO helps people recognize where they may be giving out mixed messages and prompts them to adapt their exhibited behaviors to build trust in their relationships. It also reveals ways of improving relationships by showing individuals how they are seen by others, and how this external view may differ from how they see themselves. Using this lens empowers people to adjust their behavior, enabling them to effectively influence others to achieve high performance.
In team settings, it is a rich source of information to explore motivations, underlying tensions, inconsistent behaviors, and the mixed messages that can lead to mistrust and derailment. It demonstrates how people may approach teamwork differently and explains the potential for inefficiencies and delays in delivery. Through the concept of behavioral flexibility, it helps defuse cultural stereotypes and streamline cross-cultural teams within organizations.
The Experience Cube model was developed by Gervase Bushe, a professor of Leadership and Organization at Simon Fraser University's School of Business and a thought leader in the field of organizational behavior. The experience cube is intended as a tool to plan and manage conversations to communicate more effectively in the moment. It does this by promoting self-awareness to better reduce anxiety and adapt to evolving and uncertain situations.
Using the four elements of the experience cube (Observations, Thoughts, Feelings, and Wants) helps you to separate your experience with the situation from your potential judgements about the situation. This approach removes blame and minimizes defensiveness, facilitating a positive discussion. The goal is to engage in a continuous internal feedback loop that allows you to walk through all four quadrants in the moment to help promote self-awareness. With heightened self-awareness, you may (1) remain curious and ask questions, (2) check-in for understanding and clarification, and (3) build consensus through agreement on shared purpose and next steps.
Observations: Sensory data (information you take in through your senses), primarily what you see and hear. What a video camera would record.
Thoughts: The meaning you add to your observations (i.e. the way you make sense of them, including your beliefs, expectations, assumptions, judgments, values, and principles). We call this the "story you make up."
Feelings: Your emotional or physiological response to the thoughts and observations. Feelings words such as sad, mad, glad, scared, or a description of what is happening in your body.
Wants: Clear description of the outcome you seek. Wants go deeper than a simple request for action. Once you clearly state what you want, there may be different ways to achieve it.
Joanne Lee
Principal, Research Director, CIO Advisory
Info-Tech Research Group
Joanne is a professional executive with over twenty-five years of experience in digital technology and management consulting spanning healthcare, government, municipal, and commercial sectors across Canada and globally. She has successfully led several large, complex digital and business transformation programs. A consummate strategist, her expertise spans digital and technology strategy, organizational redesign, large complex digital and business transformation, governance, process redesign, and PPM. Prior to joining Info-Tech Research Group, Joanne was a Director with KPMG's CIO Advisory management consulting services and the Digital Health practice lead for Western Canada. She brings a practical and evidence-based approach to complex problems enabled by technology.
Joanne holds a Master's degree in Business and Health Policy from the University of Toronto and a Bachelor of Science (Nursing) from the University of British Columbia.
Gord Harrison
Senior Vice President, Research and Advisory
Info-Tech Research Group
Gord Harrison, SVP, Research and Consulting, has been with Info-Tech Research Group since 2002. In that time, Gord leveraged his experience as the company's CIO, VP Research Operations, and SVP Research to bring the consulting and research teams together under his current role, and to further develop Info-Tech's practical, tactical, and value-oriented research product to the benefit of both organizations.
Prior to Info-Tech, Gord was an IT consultant for many years with a focus on business analysis, software development, technical architecture, and project management. His background of educational game software development, and later, insurance industry application development gave him a well-rounded foundation in many IT topics. Gord prides himself on bringing order out of chaos and his customer-first, early value agile philosophy keeps him focused on delivering exceptional experiences to our customers.
Angela Diop
Senior Director, Executive Services
Info-Tech Research Group
Angela has over twenty-five years of experience in healthcare, as both a healthcare provider and IT professional. She has spent over fifteen years leading technology departments and implementing, integrating, managing, and optimizing patient-facing and clinical information systems. She believes that a key to a healthcare organization's ability to optimize health information systems and infrastructure is to break the silos that exist in healthcare organizations.
Prior to joining Info-Tech, Angela was the Vice President of Information Services with Unity Health Care. She has demonstrated leadership and success in this area by fostering environments where business and IT collaborate to create systems and governance that are critical to providing patient care and sustaining organizational health.
Angela has a Bachelor of Science in Systems Engineering and Design from the University of Illinois and a Doctorate of Naturopathic Medicine from Bastyr University. She is a Certified CIO with the College of Healthcare Information Management Executives. She is a two-time Health Information Systems Society (HIMSS) Davies winner.
Edison Barreto
Senior Director, Executive Services
Info-Tech Research Group
Edison is a dynamic technology leader with experience growing different enterprises and changing IT through creating fast-paced organizations with cultural, modernization, and digital transformation initiatives. He is well versed in creating IT and business cross-functional leadership teams to align business goals with IT modernization and revenue growth. Over twenty-five years of Gaming, Hospitality, Retail, and F&B experience has given him a unique perspective on guiding and coaching the creation of IT department roadmaps to focus on business needs and execute successful changes.
Edison has broad business sector experience, including:
Hospitality, Gaming, Sports and Entertainment, IT policy and oversight, IT modernization, Cloud first programs, R&D, PCI, GDPR, Regulatory oversight, Mergers, acquisitions, and divestitures.
Mike Tweedie
Practice Lead, CIO Strategy
Info-Tech Research Group
Michael Tweedie is the Practice Lead, CIO – IT Strategy at Info-Tech Research Group, specializing in creating and delivering client-driven, project-based, practical research, and advisory. He brings more than twenty-five years of experience in technology and IT services as well as success in large enterprise digital transformations.
Prior to joining Info-Tech, Mike was responsible for technology at ADP Canada. In that role, Mike led several large transformation projects that covered core infrastructure, applications, and services and worked closely with and aligned vendors and partners. The results were seamless and transparent migrations to current services, like public cloud, and a completely revamped end-user landscape that allowed for and supported a fully remote workforce.
Prior to ADP, Mike was the North American Head of Engineering and Service Offerings for a large French IT services firm, with a focus on cloud adoption and complex ERP deployment and management; he managed large, diverse global teams and had responsibilities for end-to-end P&L management.
Mike holds a Bachelor's degree in Architecture from Ryerson University.
Carlene McCubbin
Practice Lead, People and Leadership
Info-Tech Research Group
Carlene McCubbin is a Research Lead for the CIO Advisory Practice at Info-Tech Research Group covering key topics in operating models & design, governance, and human capital development.
During her tenure at Info-Tech, Carlene has led the development of Info-Tech's Organization and Leadership practice and worked with multiple clients to leverage the methodologies by creating custom programs to fit each organization's needs.
Before joining Info-Tech, Carlene received her Master of Communications Management from McGill University, where she studied development of internal and external communications, government relations, and change management. Her education honed her abilities in rigorous research, data analysis, writing, and understanding the organization holistically, which has served her well in the business IT world.
Anubhav Sharma
Research Director, CIO Strategy
Info-Tech Research Group
Anubhav is a digital strategy and execution professional with extensive experience in leading large-scale transformation mandates for organizations both in North America and globally, including defining digital strategies for leading banks and spearheading a large-scale transformation project for a global logistics pioneer across ten countries. Prior to joining Info-Tech Research Group, he held several industry and consulting positions in Fortune 500 companies driving their business and technology strategies. In 2023, he was recognized as a "Top 50 Digital Innovator in Banking" by industry peers.
Anubhav holds an MBA in Strategy from HEC Paris, a Master's degree in Finance from IIT-Delhi, and a Bachelor's degree in Engineering.
Kim Osborne-Rodriguez
Research Director, CIO Strategy
Info-Tech Research Group
Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach to digital transformation, with a track record of supporting successful implementations.
Kim holds a Bachelor's degree in Mechatronics Engineering from University of Waterloo.
Amanda Mathieson
Research Director, People and Leadership
Info-Tech Research Group
Amanda joined Info-Tech Research Group in 2019 and brings twenty years of expertise working in Canada, the US, and globally. Her expertise in leadership development, organizational change management, and performance and talent management comes from her experience in various industries spanning pharmaceutical, retail insurance, and financial services. She takes a practical, experiential approach to people and leadership development that is grounded in adult learning methodologies and leadership theory. She is passionate about identifying and developing potential talent, as well as ensuring the success of leaders as they transition into more senior roles.
Amanda has a Bachelor of Commerce degree and Master of Arts in Organization and Leadership Development from Fielding Graduate University, as well as a post-graduate diploma in Adult Learning Methodologies from St. Francis Xavier University. She also has certifications in Emotional Intelligence – EQ-i 2.0 & 360, Prosci ADKAR® Change Management, and Myers-Briggs Type Indicator Step I and II.
Bacey, Christopher. "KPMG/Harvey Nash CIO Survey finds most organizations lack enterprise-wide digital strategy." Harvey Nash/KPMG CIO Survey. Accessed Jan. 6, 2023. KPMG News Perspective - KPMG.us.com
Calvert, Wu-Pong Susanna. "The Importance of Rapport. Five tips for creating conversational reciprocity." Psychology Today Magazine. June 30, 2022. Accessed Feb. 10, 2023. psychologytoday.com/blog
Coaches Council. "14 Ways to Build More Meaningful Professional Relationships." Forbes Magazine. September 16, 2020. Accessed Feb. 20, 2023. forbes.com/forbescoachescouncil
Council members. "How to Build Authentic Business Relationships." Forbes Magazine. June 15, 2021. Accessed Jan. 15, 2023. Forbes.com/business council
Deloitte. "Chief Information Officer (CIO) Labs. Transform and advance the role of the CIO." The CIO program. Accessed Feb. 5, 2021.
Dharsarathy, Anusha et al. "The CIO challenge: Modern business needs a new kind of tech leader." McKinsey and Company. January 27, 2020. Accessed Feb 2023. Mckinsey.com
DiSC profile. "What is DiSC?" DiSC Profile Website. Accessed Feb. 5, 2023. discprofile.com
FIRO Assessment. "Better working relationships." Myers-Briggs Website. Resource document downloaded Feb. 10, 2023. myersbriggs.com/article
Fripp, Patricia. "Frippicisms." Website. Accessed Feb. 25, 2023. fripp.com
Grossman, Rhys. "The Rise of the Chief Digital Officer." Russell Reynolds Insights, January 1, 2012. Accessed Jan. 5, 2023. Rise of the Chief Digital Officer - russellreynolds.com
Kambil, Ajit. "Influencing stakeholders: Persuade, trade, or compel." Deloitte Article. August 9, 2017. Accessed Feb. 19, 2023. www2.deloitte.com/insights
Kambil, Ajit. "Navigating the C-suite: Managing Stakeholder Relationships." Deloitte Article. March 8, 2017. Accessed Feb. 19, 2023. www2.deloitte.com/insights
Korn Ferry. "Age and tenure in the C-suite." Kornferry.com. Accessed Jan. 6, 2023. Korn Ferry Study Reveals Trends by Title and Industry
Kumthekar, Uday. "Communication Channels in Project." Linkedin.com. March 3, 2020. Accessed April 27, 2023. Linkedin.com/Pulse/Communication Channels
McWilliams, Allison. "Why You Need Effective Relationships at Work." Psychology Today Magazine. May 5, 2022. Accessed Feb. 11, 2023. psychologytoday.com/blog
McKinsey & Company. "Why do most transformations fail? A conversation with Harry Robinson." Transformation Practice. July 2019. Accessed Jan. 10, 2023. Mckinsey.com
Mind Tools Content Team. "Building Good Work Relationships." MindTools Article. Accessed Feb. 11, 2023. mindtools.com/building good work relationships
Pratt, Mary. "Why the CIO-CFO relationship is key to digital success." TechTarget Magazine. November 11, 2021. Accessed Feb. 2023. Techtarget.com
LaMountain, Dennis. "Quote of the Week: No Involvement, No Commitment." Linkedin.com. April 3, 2016. Accessed April 27, 2023. Linkedin.com/pulse/quote-week-involvement
PwC Pulse Survey. "Managing Business Risks." PwC Library. 2022. Accessed Jan. 30, 2023. pwc.com/pulse-survey
Rowell, Darin. "3 Traits of a Strong Professional Relationship." Harvard Business Review. August 8, 2019. Accessed Feb. 20, 2023. hbr.org/2019/Traits of a strong professional relationship
Sinek, Simon. "The Optimism Company from Simon Sinek." Website. Image Source. Accessed, Feb. 21, 2023. simonsinek.com
Sinek, Simon. "There are only two ways to influence human behavior: you can manipulate it or you can inspire it." Twitter. Dec 9, 2022. Accessed Feb. 20, 2023. twitter.com/simonsinek
Whitbourne, Susan Krauss. "10 Ways to Measure the Health of Relationship." Psychology Today Magazine. Aug. 7, 2021. Accessed Jan. 30, 2023. psychologytoday.com/blog
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand the components of agility and what the optimal states are for service management agility.
Determine the current state of agility in the service management practice.
Create a roadmap for service management agility and present it to key stakeholders to obtain their support.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand agility and how it can complement service management.
Understand how the components of culture, structure, processes, and resources enable agility in service management.
Clear understanding of Agile principles.
Identifying opportunities for agility.
Understanding of how Agile principles align with service management.
1.1 Understand agility.
1.2 Understand how Agile methodologies can complement service management through culture, structure, processes, and resources.
Summary of Agile principles.
Summary of optimal components in culture, structure, processes, and resources that enable agility.
Assess your current organizational agility with respect to culture, structure, processes, and resources.
Identify your agility strengths and weaknesses with the agility score.
Understand your organization’s current enablers and constraints for agility.
Have metrics to identify strengths or weaknesses in culture, structure, processes, and resources.
2.1 Complete an agility assessment.
Assessment score of current state of agility.
Determine the gaps between the current and optimal states for agility.
Create a roadmap for service management agility.
Create a stakeholders presentation.
Have a completed custom roadmap that will help build sustainable agility into your service management practice.
Present the roadmap to key stakeholders to communicate your plans and get organizational buy-in.
3.1 Create a custom roadmap for service management agility.
3.2 Create a stakeholders presentation on service management agility.
Completed roadmap for service management agility.
Completed stakeholders presentation on service management agility.
The rapid technological evolution in platforms, processes, and applications is leading to gaps in the skills needed to manage and use data. Some common obstacles that could prevent you from identifying and building the data & analytics skills your organization needs include:
Skill deficiency is frequently stated as a roadblock to realizing corporate goals for data & analytics. Soft skills and technical skills are complementary, and data & analytics teams need a combination of both to perform effectively. Identify the essential skills and the gap with current skills that fit your organization’s data strategy to ensure the right skills are available at the right time and minimize pertinent risks.
Follow Info-Tech's advice on the roles and skills needed to support your data & analytics strategic growth objectives and how to execute an actionable plan:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
To generate business value from data, data leaders must first understand what skills are required to achieve these goals, identify the current skill gaps, and then develop skills development programs to enhance the relevant skills. Use Info-Tech's approach to identify and fill skill gaps to ensure you have the right skills at the right time.
Start with skills and roles identified as the highest priority through a high-level maturity assessment. From there, use this tool to determine whether the organization’s data & analytics team has the key roles, the right combination of skill sets, and the right level of competency for each skill. Create an actionable plan to develop skills and fill gaps.
In today's changing environment, data & analytics (D&A) teams have become an essential component, and it is critical for organizations to understand the skill and talent makeup of their D&A workforce. Chief data & analytics officers (CDAOs) or other equivalent data leaders can train current data employees or hire proven talent and quickly address skills gaps.
While developing technical skills is critical, soft skills are often left underdeveloped, yet lack of such skills is most likely why the data team would face difficulty moving beyond managing technology and into delivering business value.
Follow Info-Tech's methodology to identify and address skills gaps in today's data workplace. Align D&A skills with your organization's data strategy to ensure that you always have the right skills at the right time.
Ruyi Sun
Research Specialist,
Data & Analytics, and Enterprise Architecture
Info-Tech Research Group
The rapid technological evolution in platforms, processes, and applications is leading to gaps in the skills needed to manage and use data. Some critical challenges organizations with skills deficiencies might face include:
Some common obstacles that could prevent you from identifying and building the data and analytics (D&A) skills your organization needs are:
Follow Info-Tech's guidance on the roles and skills required to support your D&A strategic growth objectives and how to execute an actionable plan:
Skills gaps are a frequently named obstacle to realizing corporate goals for D&A. Soft skills and technical skills are complementary, and a D&A team needs both to perform effectively. Identify the essential skills and the gap with current skills required by your organization's data strategy to ensure the right skill is available at the right time and to minimize applicable risks.
60% of organizations identify skills gaps as the key barriers preventing business transformation (World Economic Forum, 2023)
43% of respondents agree the business area with the greatest need to address potential skills gaps is data analytics (McKinsey & Company, 2020)
87% of surveyed companies say they currently experience skills gaps or expect them within a few years (McKinsey & Company, 2020)
28% say their organizations make effective decisions on how to close skills gaps (McKinsey & Company, 2020)
According to BearingPoint's CDO survey, cultural challenges and limited data literacy are the main roadblocks to a CDO's success. To drill further into the problem and understand the root causes of the two main challenges, conduct a root cause analysis (RCA) using the Five Whys technique.
(Source: BearingPoint, 2020)
Problem: Poor data literacy is the top challenge CDOs face when increasing the value of D&A. Why?
Problem: Cultural challenge is one of the biggest obstacles to a CDO's success. Why?
As organizations strive to become more data-driven, most conversations around D&A emphasize hard skills. Soft skills like leadership and change management are equally crucial, and deficits there could be the root cause of the data team's inability to demonstrate improved business performance.
The process of achieving data centricity requires alignment between the data and business teams, and that requires soft skills.
Skills gaps are a frequently named obstacle to realizing corporate goals for D&A. Soft skills and technical skills are complementary, and a D&A team needs both to perform effectively. Identify the essential skills and the gap with current skills that fit your organization's data strategy to ensure the right skill is available at the right time and to minimize applicable risks.
Technological advancements will inevitably require new technical skills, but the most in-demand skills go beyond mastering the newest technologies. Soft skills are essential to data roles as the global workforce navigates the changes of the last few years.
Understanding and knowing your organization's data maturity level is a prerequisite to assessing your current skill and determining where you must align in the future.
A common misconception among organizations is that skills development is a one-time effort. This leads to underinvestment in data team skills, risk of falling behind on technological changes, and failure to connect with business partners. Employees must learn to continuously adapt to the changing circumstances of D&A.
While the program must be agile and dynamic to reflect technological improvements in the development of technical skills, the program should always be anchored in soft skills because data management is fundamentally about interaction, collaboration, and people.
Seeking input and support across your business units can align stakeholders to focus on the right data analytics skills and build a data learning culture.
DIY Toolkit | Guided Implementation | Workshop | Consulting |
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks used throughout all four options |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is four to six calls over the course of two to three months.
Phase 1 | Phase 2 | Phase 3 |
Call #1: Understand common data & analytics roles and skills, and your specific objectives and challenges. | Call #2: Assess the current data maturity level and competency of skill sets. Identify the skills gap. | Call #3: Identify the relationship between current initiatives and capabilities. Initialize the corresponding roadmap for the data skills development program. Call #4: (follow-up call) Touching base to follow through and ensure that benefits have been received. |
Define Key Roles and Skills | Uncover the Skills Gap | Build an Actionable Plan |
AI and ML Specialist is projected to be the fastest-growing occupation in the next five years (World Economic Forum, 2023).
While tech roles take an average of 62 days to fill, hiring a senior data scientist takes 70.5 days (Workable, 2019). Start your recruitment cycle early for this demand.
CDOs act as impactful change agents ensuring that the organization's data management disciplines are running effectively and meeting the business' data needs. Only 12.0% of the surveyed organizations reported having a CDO as of 2012. By 2022, this percentage had increased to 73.7% (NewVantage Partners, 2022).
Sixty-five percent of respondents said lack of data literacy is the top challenge CDOs face today (BearingPoint, 2020). It has become imperative for companies to consider building a data literacy program which will require a dedicated data literacy team.
Tab 2. Skill & Role List
Objective: Review the library of skills and roles and customize them as needed to align with your organization's language and specific needs.
Download the Data & Analytics Assessment and Planning Tool
Understanding your organization's data maturity level is a prerequisite to assessing the skill sets you have today and determining where you need to align in the future.
Input: Current state capabilities, Use cases (if applicable), Data culture diagnostic survey results (if applicable)
Output: High-level maturity assessment, Prioritized list of data management focus areas
Materials: Data Management Assessment and Planning Tool (optional), Data & Analytics Assessment and Planning Tool
Participants: Data leads, Business leads and subject matter experts (SMEs), Key business stakeholders
Prioritize these skills and roles based on your current maturity levels and what you intend to accomplish with your data strategy.
Input: Sample questions targeting the activities, challenges, and opportunities of each unit
Output: Identified skills availability
Materials: Whiteboard/Flip charts, Data & Analytics Assessment and Planning Tool
Participants: Data leads, Business leads and subject matter experts (SMEs), Key business stakeholders
Input: Current skills competency, Stakeholder interview results and findings
Output: Gap identification and analysis
Materials: Data & Analytics Assessment and Planning Tool
Participants: Data leads
A common misconception among organizations is that skills development is a one-time effort. This leads to underinvestment in data team skills, risk of falling behind on technological changes, and failure to connect with business partners. Employees must learn to continuously adapt to the changing circumstances of D&A. While the program must be agile and dynamic to reflect technological improvements in the development of technical skills, the program should always be anchored in soft skills because data management is fundamentally about interaction, collaboration, and people.
Reskilling often indicates a change in someone's career path, so this decision requires a goal aligned with both individuals and the organization to establish a mutually beneficial situation.
When making reskilling decisions, organizations should also consider the relevance of the skill for different positions. For example, data administrators and data architects have similar skill sets, so reskilling is appropriate for these employees.
Upskilling tends to focus more on the soft skills necessary for more advanced positions. A data strategy lead, for example, might require design thinking training, which enables leaders to think from different perspectives.
Skill growth feasibility must also be considered. Some technical skills, particularly those involving cutting-edge technologies, require continual learning to maintain operational excellence. For example, a data scientist may require AI/ML skills training to incorporate use of modern automation technology.
For open positions and skills that are too resource-intensive to reskill or upskill, it makes sense to recruit new employees. Consider, however, time and cost feasibility of hiring. Some positions (e.g. senior data scientist) take longer to fill. To minimize risks, coordinate with your HR department and begin recruiting early.
The data team can collaborate with the human resources department to plan and develop internal training sessions aimed at specific skill sets.
This can also be accomplished through external training providers such as DCAM, which provides training courses on data management and analytics topics.
Colleges and universities can equip students with data analytics skills through formal education programs such as MBAs and undergraduate or graduate degrees in Data Science, Machine Learning, and other fields.
Investing time and effort to obtain certifications in the data & analytics field allows data workers to develop skills and gain recognition for continuous learning and self-improvement.
AWS Data Analytics and Tableau Data Scientist Certification are two popular data analytics certifications.
Some companies offer online courses in various subjects. Coursera and DataCamp are two examples of popular providers.
The organization can partner with a vendor who brings skills and talents that are not yet available within the organization. Employees can benefit from the collaboration process by familiarizing themselves with the project and enhancing their own skills.
The data team can engage with other departments that have previously done skills development programs, such as Finance and Change & Communications, who may have relevant resources to help you improve your business acumen and change management skills.
With a clear idea of skills needs and an executable strategy for training and reinforcing of concepts, HR programs and processes can help the data team foster a learning environment and establish a recruitment plan. The links below will direct you to blueprints produced by McLean & Company, a division of Info-Tech Research Group.
When integrating the skills of the future into workforce planning, determine the best approach for addressing the identified talent gaps – whether to build, buy, or borrow.
Integrate the future skills identified into the organization's workforce plan.
In cases where employee development is not feasible, the organization's talent acquisition strategy must focus more on buying or borrowing talent. This will impact the TA process. For example, sourcing and screening must be updated to reflect new approaches and skills.
If you have a talent acquisition strategy, assess how to integrate the new roles/skills into recruiting.
Review current organizational core competencies to determine if they need to be modified. New skills will help inform critical roles and competencies required in succession talent pools.
If no competency framework exists, use McLean & Company's Develop a Comprehensive Competency Framework blueprint.
Evaluate modified and new roles against the organization's compensation structure. Adjust them as necessary. Look at market data to understand compensation for new roles and skills.
Reassess your base pay structure according to market data for new roles and skills.
L&D plays a huge role in closing the skills gap. Build L&D opportunities to support development of new skills in employees.
Design an Impactful Employee Development Program to build the skills employees need in the future.
Input: Roles and skills required, Key decision points
Output: Actionable plan
Materials: Data & Analytics Assessment and Planning Tool
Participants: Data leads, Business leads and subject matter experts (SMEs), Key business stakeholders
Name | Position | Company |
Ruyi Sun | Research Specialist | Info-Tech Research Group |
Name | Position | Company |
Steve Wills | Practice Lead | Info-Tech Research Group |
Andrea Malick | Advisory Director | Info-Tech Research Group |
Annabel Lui | Principal Advisory Director | Info-Tech Research Group |
Sherwick Min | Technical Counselor | Info-Tech Research Group |
“2022 Workplace Learning Trends Report.” Udemy, 2022. Accessed 20 June 2023.
Agrawal, Sapana, et al. “Beyond hiring: How companies are reskilling to address talent gaps.” McKinsey & Company, 12 Feb. 2020. Accessed 20 June 2023.
Bika, Nikoletta. “Key hiring metrics: Useful benchmarks for tech roles.” Workable, 2019. Accessed 20 June 2023.
Chroust, Tomas. “Chief Data Officer – Leaders of data-driven enterprises.” BearingPoint, 2020. Accessed 20 June 2023.
“Data and AI Leadership Executive Survey 2022.” NewVantage Partners, Jan 2022. Accessed 20 June 2023.
Dondi, Marco, et al. “Defining the skills citizens will need in the future world of work.” McKinsey & Company, June 2021. Accessed 20 June 2023.
Futschek, Gerald. “Algorithmic Thinking: The Key for Understanding Computer Science.” Lecture Notes in Computer Science, vol. 4226, 2006.
Howard, William, et al. “2022 HR Trends Report.” McLean & Company, 2022. Accessed 20 June 2023.
“Future of Jobs Report 2023.” World Economic Forum, May 2023. Accessed 20 June 2023.
Knight, Michelle. “What is Data Ethics?” Dataversity, 19 May 2021. Accessed 20 June 2023.
Little, Jim, et al. “The CIO Imperative: Is your technology moving fast enough to realize your ambitions?” EY, 22 Apr. 2022. Accessed 20 June 2023.
“MDM Roles and Responsibilities.” Profisee, April 2019. Accessed 20 June 2023.
“Reskilling and Upskilling: A Strategic Response to Changing Skill Demands.” TalentGuard, Oct. 2019. Accessed 20 June 2023.
Southekal, Prashanth. “The Five C's: Soft Skills That Every Data Analytics Professional Should Have.” Forbes, 17 Oct. 2022. Accessed 20 June 2023.
There is no one-size-fits-all approach to product delivery. For many organizations product delivery requires detailed project management practices, while for others it requires much less. Taking an outcome-first approach when planning your product transformation is critical to make the right decision on the balance between project and product management.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
The activities in this research will guide you through clarifying how you want to talk about projects and products, aligning project management and agility, specifying the different activities for project management, and identifying key differences with funding of products instead of projects.
Step 1.1: Clarify How You Want to Talk About Projects and Products
Step 1.2: Align Project Management and Agility
Step 1.3: Specify the Different Activities for Project Management
Step 1.4: Identify Key Differences in Funding of Products Instead of Projects
Bibliography
When moving to more product-centric delivery practices, many assume that projects are no longer necessary. That isn’t necessarily the case!
Product delivery can mean different things to different organizations, and in many cases it can involve the need to maintain both projects and project delivery.
Projects are a necessary vehicle in many organizations to drive value delivery, and the activities performed by project managers still need to be done by someone. It is the form and who is involved that will change the most.
Ari Glaizel
Your Challenge | Common Obstacles | Info-Tech’s Approach |
Project: “A temporary endeavor undertaken to create a unique product, service, or result. The temporary nature of projects indicates a beginning and an end to the project work or a phase of the project work. Projects can stand alone or be part of a program or portfolio.” (PMBOK, PMI)
Product: “A tangible solution, tool, or service (physical or digital) that enables the long-term and evolving delivery of value to customers and stakeholders based on business and user requirements.” (Deliver on Your Digital Product Vision, Info-Tech Research Group)
Output: Your enterprise/organizational definition of products and projects
Participants: Executives, Product/project managers, Applications teams
Regardless of whether you recognize yourself as a “product-based” or “project-based” shop, the same basic principles should apply.
You go through a period or periods of project-like development to build or implement a version of an application or product.
You also have parallel services along with your project development that encompass the more product-based view. These may range from basic support and maintenance to full-fledged strategy teams or services like sales and marketing.
As your product transformation continues, projects can become optional and needed only as part of your organization’s overall delivery processes.
Project | | Product |
Fund projects | Funding → | Fund teams |
Line-of-business sponsor | Prioritization → | Product owner |
Project owner | Accountability → | Product owner |
Makes specific changes to a product | Product management → | Improves product maturity and support of the product |
Assignment of people to work | Work allocation → | Assignment of work to product teams |
Project manager manages | Capacity management → | Team manages |
Product delivery requires significant shifts in the way you complete development and implementation work and deliver value to your users. Make the changes that support improving end-user value and enterprise alignment.
5-10 minutes
Output: Increased appreciation of the relationship between project and product delivery
Participants: Executives, Product/project managers, Applications teams
In product-centric, Agile teams, many roles that a project manager previously performed are now taken care of to different degrees by the product owner, delivery team, and process manager.
The overall change alters the role of project management from one that orchestrates all activities to one that supports, monitors, and escalates.
5-10 minutes
Output: An assessment of what is in the way to effectively deliver on Agile and product-focused projects
Participants: Executives, Product/project managers, Applications teams
5-10 minutes
Output: Current understanding of the role of project management in Agile/product delivery
Participants: Executives, Product/project managers, Applications teams
Project managers still have a role to play in Agile projects and products. Agreeing to what they should be doing is critical to successfully moving to a product-centric approach to delivery.
Autonomy | Flexibility | Accountability |
Fund what delivers value | Allocate iteratively | Measure and adjust |
Fund long-lived delivery of value through products (not projects). Give autonomy to the team to decide exactly what to build. | Allocate to a pool based on higher-level business case. Provide funds in smaller amounts to different product teams and initiatives based on need. | Product teams define metrics that contribute to given outcomes. Track progress and allocate more (or less) funds as appropriate. |
Info-Tech Insight: Changes to funding require changes to product and Agile practices to ensure product ownership and accountability.
(Adapted from Bain & Company)
 | TRADITIONAL PROJECTS WITH WATERFALL DELIVERY | TRADITIONAL PROJECTS WITH AGILE DELIVERY | PRODUCTS WITH AGILE PROJECT DELIVERY | PRODUCTS WITH AGILE DELIVERY |
WHEN IS THE BUDGET TRACKED? | Budget tracked by major phases | Budget tracked by sprint and project | Budget tracked by sprint and project | Budget tracked by sprint and release |
HOW ARE CHANGES HANDLED? | All change is by exception | Scope change is routine; budget change is by exception | Scope change is routine; budget change is by exception | Budget change is expected on roadmap cadence |
WHEN ARE BENEFITS REALIZED? | Benefits realization post project completion | Benefits realization ongoing throughout the life of the project | Benefits realization ongoing throughout the life of the product | Benefits realization ongoing throughout life of the product |
WHO DRIVES? | Project Manager | Product Owner | Product Manager | Product Manager |
Hybrid Operating Environments |
As you evolve your approach to product delivery, you will be decoupling the expected benefits, forecast, and budget. Managing them independently will improve your ability to adapt to change and drive the right outcomes!
Output: Understanding of funding principles and challenges
Participants: Executives, Product owners, Product managers, Project managers, Delivery managers
Global Digital Financial Services Company
This financial services company looked to drive better results by adopting more product-centric practices.
Results
Deliver on Your Digital Product Vision
Implement Agile Practices That Work
Implement DevOps Practices That Work
Prepare an Actionable Roadmap for Your PMO
Deliver Digital Products at Scale
Extend Agile Practices Beyond IT
Spread Best Practices With an Agile Center of Excellence
Tailor IT Project Management Processes to Fit Your Projects
Cobb, Chuck. “Are there Project Managers in Agile?” High Impact Project Management, n.d. Web.
Cohn, Mike. “What Is a Product?” Mountain Goat Software, 6 Sept. 2016. Web.
Cobb, Chuck. “Agile Project Manager Job Description.” High Impact Project Management, n.d. Web.
“How do you define a product?” Scrum.org, 4 April 2017. Web.
Johnson, Darren, et al. “How to Plan and Budget for Agile at Scale.” Bain & Company, 8 Oct. 2019. Web.
“Product Definition.” SlideShare, uploaded by Mark Curphey, 25 Feb. 2007. Web.
Project Management Institute. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 7th ed., Project Management Institute, 2021.
Schuurman, Robbin. “Scrum Master vs Project Manager – An Overview of the Differences.” Scrum.org, 11 Feb 2020. Web.
Schuurman, Robbin. “Product Owner vs Project Manager.” Scrum.org, 12 March 2020. Web.
Vlaanderen, Kevin. “Towards Agile Product and Portfolio Management.” Academia.edu, 2010. Web.
“What is a Developer in Scrum?” Scrum.org, n.d. Web.
“What is a Scrum Master?” Scrum.org, n.d. Web.
“What is a Product Owner?” Scrum.org, n.d. Web.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Partner with the business to determine goals and establish high-level scope.
Find out what the target organization’s I&O looks like.
Build a plan to achieve a day 1 MVP.
Chart a roadmap for long-term integration.
Establish goals and conduct discovery.
Alignment with business goals
Documentation of target organization’s current state
0.1 Consult with stakeholders.
0.2 Establish M&A business goals.
0.3 Conduct target discovery.
0.4 Document own environment.
0.5 Clarify goals.
Stakeholder communication plan
M&A business goals
I&O M&A Discovery Template
Current state of organization
Assess risk and value of target organization.
Accurate scope of I&O integration
Risk mitigation plans
Value realization strategies
1.1 Scope I&O M&A project.
1.2 Assess risks.
1.3 Assess value.
I&O M&A Project Napkin
Risk assessment
Value assessment
Establish day 1 integration project plan.
Smoother day 1 integration
2.1 Determine Day 1 minimum viable operating model post M&A.
2.2 Identify gaps.
2.3 Build day 1 project plan.
2.4 Estimate required resources.
Day 1 project plan
Draw long-term integration roadmap.
Improved alignment with M&A goals
Greater realization of the deal’s value
3.1 Set long-term future state goals.
3.2 Create a long-term project plan.
3.3 Consult with business stakeholders on the long-term plan.
Long-term integration project plan
Prepare for organization and culture change.
Refine M&A I&O integration process.
Smoother change management
Improved M&A integration process
4.1 Complete a change management plan.
4.2 Conduct a process post-mortem.
Change management plan
Process improvements action items
Perform an insurance policy comparison with scores based on policy coverage and exclusions.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use this blueprint to score your potential cyber insurance policies and develop skills to overcome common insurance pitfalls.
Use these tools to gather cyber insurance requirements, prepare for the underwriting process, and compare policies.
Assess current maturity, establish a team, and choose a pilot business unit. Identify business processes, dependencies, and alternatives.
Define an objective impact scoring scale, estimate the impact of downtime, and set recovery targets.
Build a workflow of the current steps for business recovery. Identify gaps and risks to recovery. Brainstorm and prioritize solutions to address gaps and mitigate risks.
Present pilot project results and next steps. Create BCMS teams. Update and maintain BCMS documentation.
Use these tools and templates to assist in the creation of your BCP.
Define BCP scope, objectives, and stakeholders.
Prioritize BCP efforts and level-set scope with key stakeholders.
1.1 Assess current BCP maturity.
1.2 Identify key business processes to include in scope.
1.3 Flowchart key business processes to identify business processes, dependencies, and alternatives.
BCP Maturity Scorecard: measure progress and identify gaps.
Business process flowcharts: review, optimize, and allow for knowledge transfer of processes.
Identify workarounds for common disruptions to day-to-day continuity.
Define RTOs and RPOs based on your BIA.
Set recovery targets based on business impact, and illustrate the importance of BCP efforts via the impact of downtime.
2.1 Define an objective scoring scale to indicate different levels of impact.
2.2 Estimate the impact of downtime.
2.3 Determine acceptable RTO/RPO targets for business processes based on business impact.
BCP Business Impact Analysis: objective scoring scale to assess cost, goodwill, compliance, and safety impacts.
Apply the scoring scale to estimate the impact of downtime on business processes.
Acceptable RTOs/RPOs to dictate recovery strategy.
Create a recovery workflow.
Build an actionable, high-level, recovery workflow that can be adapted to a variety of different scenarios.
3.1 Conduct a tabletop exercise to determine current recovery procedures.
3.2 Identify and prioritize projects to close gaps and mitigate recovery risks.
3.3 Evaluate options for command centers and alternate business locations (i.e. BC site).
Recovery flow diagram – current and future state
Identify gaps and recovery risks.
Create a project roadmap to close gaps.
Evaluate requirements for alternate business sites.
Extend the results of the pilot BCP and implement governance.
Outline the actions required for the rest of your BCMS, and the required effort to complete those actions, based on the results of the pilot.
4.1 Summarize the accomplishments and required next steps to create an overall BCP.
4.2 Identify required BCM roles.
4.3 Create a plan to update and maintain your overall BCP.
Pilot BCP Executive Presentation
Business Continuity Team Roles & Responsibilities
Maintenance plan and BCP templates to complete the relevant documentation (BC Policy, BCP Action Items, Recovery Workflow, etc.)
None of us needs to look very far to find a reason to have an effective business continuity plan.
From pandemics to natural disasters to supply chain disruptions to IT outages, there’s no shortage of events that can disrupt your complex and interconnected business processes. How in the world can anyone build a plan to address all these threats?
Don’t try to boil the ocean. Use these tactics to streamline your BCP project and stay on track:
No one can predict every possible disruption, but by following the guidance in this blueprint, you can build a flexible continuity plan that allows you to withstand the threats your organization may face.
Research Director,
IT Infrastructure & Operations Practice
Info-Tech Research Group
Senior Research Analyst,
IT Infrastructure & Operations Practice
Info-Tech Research Group
IT leaders, because of their cross-functional view and experience with incident management and DR, are often asked to lead BCP efforts.
As an IT leader you have the skill set and organizational knowledge to lead a BCP project, but you must enable business leaders to own their department’s BCP practices and outputs. They know their processes and, therefore, their requirements to resume business operations better than anyone else.
A business continuity plan (BCP) consists of separate but related sub-plans, as illustrated below. This blueprint enables you to:
A plan to restore IT application and infrastructure services following a disruption.
Info-Tech’s disaster recovery planning blueprint provides a methodology for creating the IT DRP. Leverage this blueprint to validate and provide inputs for your IT DRP.
A set of plans to resume business processes for each business unit. This includes:
A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.
Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.
Back when transactions were recorded on paper and then keyed into the mainframe system later, it was easier to revert to deskside processes. There is very little in the way of paper-based processes anymore, and as a result, it is increasingly difficult to resume business processes without IT.
Think about your own organization. What IT system(s) are absolutely critical to business operations? While you might be able to continue doing business without IT, this requires regular preparation and training. It’s likely a completely offline process and won’t be a viable workaround for long even if staff know how to do the work. If your data center and core systems are down, technology-enabled workarounds (such as collaboration via mobile technologies or cloud-based solutions) could help you weather the outage, and may be more flexible and adaptable for day-to-day work.
The bottom line:
Technology is a critical dependency for business processes. Consider the role IT systems play as process dependencies and as workarounds as part of continuity planning.
BCP for Business Unit A:
Scope → Pilot BIA → Response Plan → Gap Analysis
→ Lessons Learned:
= Ongoing governance, testing, maintenance, improvement, awareness, and training.
By comparison, a traditional BCP approach takes much longer to mitigate risk:
Organizational Risk Assessment and Business Impact Analysis → Solution Design to Achieve Recovery Objectives → Create and Validate Response Plans
A charitable foundation for a major state university engaged Info-Tech to support the creation of their business continuity plan.
With support from Info-Tech analysts and the tools in this blueprint, they worked with their business unit stakeholders to identify recovery objectives, confirm recovery capabilities and business process workarounds, and address gaps in their continuity plans.
The outcome wasn’t a pandemic plan – it was a continuity plan that was applicable to pandemics. And it worked. Business processes were prioritized, gaps in work-from-home and business process workarounds had been identified and addressed, business leaders owned their plan and understood their role in it, and IT had clear requirements that they were able and ready to support.
“The work you did here with us was beyond valuable! I wish I could actually explain how ready we really were for this…while not necessarily for a pandemic, we were ready to spring into action, set things up, the priorities were established, and most importantly some of the changes we’ve made over the past few years helped beyond words! The fact that the groups had talked about this previously almost made what we had to do easy.” – VP IT Infrastructure
Phases | Phase 1: Identify BCP Maturity and Document Process Dependencies | Phase 2: Conduct a BIA to Determine Acceptable RTOs and RPOs | Phase 3: Document the Recovery Workflow and Projects to Close Gaps | Phase 4: Extend the Results of the Pilot BCP and Implement Governance |
---|---|---|---|---|
Steps | 1.1 Assess current BCP maturity | 2.1 Define an objective impact scoring scale | 3.1 Determine current recovery procedures | 4.1 Consolidate BCP pilot insights to support an overall BCP project plan |
| | 1.2 Establish the pilot BCP team | 2.2 Estimate the impact of downtime | 3.2 Identify and prioritize projects to close gaps | 4.2 Outline a business continuity management (BCM) program |
| | 1.3 Identify business processes, dependencies, and alternatives | 2.3 Determine acceptable RTO/RPO targets | 3.3 Evaluate BC site and command center options | 4.3 Test and maintain your BCP |
Tools and Templates | | | | |
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
BCP Business Impact Analysis Tool: Conduct and document a business impact analysis using this document.
BCP Recovery Workflows Example: Model your own recovery workflows on this example.
BCP Project Roadmap: Use this tool to prioritize projects that can improve BCP capabilities and mitigate gaps and risks.
BCP Relocation Checklists: Plan for and manage a site relocation – whether to an alternate site or work from home.
Summarize your organization's continuity capabilities and objectives in a 15-page, easy-to-consume template.
This document consolidates data from the supporting documentation and tools to the right.
Download Info-Tech’s BCP Summary Document
Focus less on risk, and more on recovery
Avoid focusing on risk and probability analysis to drive your continuity strategy. You never know what might disrupt your business, so develop a flexible plan to enable business resumption regardless of the event.
Small teams = good pilots
Choose a small team for your BCP pilot. Small teams are better at trialing new techniques and finding new ways to think about problems.
Calculate downtime impact
Develop and apply a scoring scale to reach a more objective assessment of downtime impact for the organization. This will help you prioritize recovery.
It’s not no, but rather not now…
You can’t address all the organization’s continuity challenges at once. Prioritize high value, low effort initiatives and create a long-term roadmap for the rest.
Show Value Now
Get to value quickly. Start with one business unit with continuity challenges, and a small, focused project team who can rapidly learn the methodology, identify continuity gaps, and define solutions that can also be leveraged by other departments right away.
Lightweight Testing Exercises
Outline recovery capabilities using lightweight, low risk tabletop planning exercises. Our research shows tabletop exercises increase confidence in recovery capabilities almost as much as live exercises, which carry much higher costs and risks.
Info-Tech members told us they save an average of $44,522 and 23 days by working with an Info-Tech analyst on BCP (source: client response data from Info-Tech's Measured Value Survey).
Why do members report value from analyst engagement?
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Diagnostic and consistent frameworks are used throughout all four options.
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between eight and twelve calls over the course of four to six months.
Call 1: Scope requirements, objectives, and stakeholders. Identify a pilot BCP project.
Calls 2 – 4: Assess current BCP maturity. Create business process workflows, dependencies, alternates, and workarounds.
Calls 5 – 7: Create an impact scoring scale and conduct a BIA. Identify acceptable RTO and RPO.
Calls 8 – 9: Create a recovery workflow based on tabletop planning.
Call 10: Summarize the pilot results and plan next steps. Define roles and responsibilities. Make the case for a wider BCP program.
Contact your account representative for more information.
workshops@infotech.com | 1-888-670-8889
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
---|---|---|---|---|---|
| | Identify BCP Maturity, Key Processes, and Dependencies | Conduct a BIA to Determine Acceptable RTOs and RPOs | Document the Current Recovery Workflow and Projects to Close Gaps | Identify Remaining BCP Documentation and Next Steps | Next Steps and Wrap-Up (offsite) |
Activities | 1.1 Assess current BCP maturity. 1.2 Identify key business processes to include in scope. 1.3 Create a flowchart for key business processes to identify business processes, dependencies, and alternatives. | 2.1 Define an objective scoring scale to indicate different levels of impact. 2.2 Estimate the impact of a business disruption on cost, goodwill, compliance, and health & safety. 2.3 Determine acceptable RTOs/RPOs for selected business processes based on business impact. | 3.1 Review tabletop planning – what is it, how is it done? 3.2 Walk through a business disruption scenario to determine your current recovery timeline, RTO/RPO gaps, and risks to your ability to resume business operations. 3.3 Identify and prioritize projects to close RTO/RPO gaps and mitigate recovery risks. | 4.1 Assign business continuity management (BCM) roles to govern BCP development and maintenance, as well as roles required to execute recovery. 4.2 Identify remaining documentation required for the pilot business unit and how to leverage the results to repeat the methodology for remaining business units. 4.3 Workshop review and wrap-up. | 5.1 Finalize deliverables for the workshop. 5.2 Set up review time for workshop outputs and to discuss next steps. |
Deliverables | | | | | |
1.1 Assess Current BCP Maturity
1.2 Establish the pilot BCP team
1.3 Identify business processes, dependencies, and alternatives
Define the scope for the BCP project: assess the current state of the plan, create a pilot project team and pilot project charter, and map the business processes that will be the focus of the pilot.
This step will walk you through the following activities:
This step involves the following participants:
You'll use the following tools & templates:
Establish current BCP maturity using Info-Tech’s ISO 22301-aligned BCP Maturity Scorecard.
This blueprint primarily addresses the first four sections in the scorecard, which align with the creation of the core components of your business continuity plan.
Info-Tech’s maturity scorecard is aligned with ISO 22301, the international standard that describes the key elements of a functioning business continuity management system or program – the overarching set of documents, practices, and controls that support the ongoing creation and maintenance of your BCP. A fully functional BCMS goes beyond business continuity planning to include crisis management, BCP testing, and documentation management.
Audit tools tend to treat every bullet point in ISO 22301 as a separate requirement – which means there are almost 400 lines to assess. Info-Tech’s BCP Maturity Scorecard has synthesized key requirements, minimizing repetition to create a high-level self-assessment aligned with the standard.
A high score is a good indicator of likely success with an audit.
Download Info-Tech's BCP Maturity Scorecard
"The fact that this aligns with ISO is huge." - Dr. Bernard Jones MBCI, CBCP
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Assign roles and responsibilities for the BCP pilot project. Set milestones and timelines for the pilot.
Though IT is a critical dependency for most processes, IT shouldn’t own the business continuity plan. IT should be an internal BCP process consultant, and each business unit must own their plan.
IT should be an internal BCP consultant.
Why shouldn’t IT own the plan?
Info-Tech Insight
A goal of the pilot is to seed success for further planning exercises. This is as much about demonstrating the value of continuity planning to the business unit, and enabling them to own it, as it is about implementing the methodology successfully.
Outline roles and responsibilities on the pilot team using a “RACI” exercise. Remember, only one party can be ultimately accountable for the work being completed.
| | Board | Executive Team | BCP Executive Sponsor | BCP Team Leader | BCP Coordinator | Pilot Bus. Unit Manager | Expert Bus. Unit Staff | IT Manager |
---|---|---|---|---|---|---|---|---|
Communicate BCP project status | I | I | I | A | R | C | C | I |
Assign resources to pilot BCP project | A | R | C | R | C | R | ||
Conduct continuity planning activities | I | A/R | R | R | R | R | ||
Create pilot BCP deliverables | I | A | R | R | C | C | C | |
Manage BCP documentation | I | A | C | R | I | C | C | |
Integrate results into BCMS | I | I | A | R | R | I | C | C |
Create overall BCP project plan | I | I | A | R | C | C |
R: Responsible for doing the work.
A: Accountable to ensure the activity/work happens.
C: Consulted prior to decision or action.
I: Informed of the decision/action once it’s made.
"Large teams excel at solving problems, but it is small teams that are more likely to come up with new problems for their more sizable counterparts to solve." – Wang & Evans, 2019
Small teams tend to be better at trialing new techniques and finding new ways to think about problems, both of which are needed for a BCP pilot project.
Many organizations begin their BCP project with a target business unit in mind. It’s still worth establishing whether this business unit meets the criteria below.
Good candidates for a pilot project:
These short descriptions establish the functions, expectations, and responsibilities of each role at a more granular level.
The Board and executives have an outsized influence on the speed at which the project can be completed. Ensure that communication with these stakeholders is clear and concise. Avoid involving them directly in activities and deliverable creation, unless it’s required by their role (e.g. as a business unit manager).
Project Role | Description |
---|---|
Board & Executive Team | |
Executive Sponsor | |
Pilot Business Unit Manager | |
BCP Coordinator | |
Expert Business Unit Staff | |
IT Manager | |
Other Business Unit Managers | |
A skilled and committed coordinator is critical to building an effective and durable BCP.
Structure the role of the BCP Coordinator
The BCP Coordinator works with the pilot business unit as well as remaining business units to provide continuity and resolve discrepancies as they come up between business units.
Specifically, this role includes:
"We found it necessary to have the same person work with each business unit to pass along lessons learned and resolve contingency planning conflicts for common dependencies." – Michelle Swessel, PM and IT Bus. Analyst, Wisconsin Compensation Rating Bureau (WCRB)
This step will walk you through the following activities:
This step involves the following participants:
You'll use the following tools & templates:
Documented workflows, process dependencies, and workarounds when dependencies are unavailable.
Process review often results in discovering informal processes, previously unknown workarounds or breakdowns, shadow IT, or process improvement opportunities.
Note: A more in-depth analysis will be conducted later to refine priorities. The goal here is a high-level order of priority for the next steps in the planning methodology (identify business processes and dependencies).
Download Info-Tech’s Business Process Workflows Example
Policies and procedures manuals, if they exist, are often out of date or incomplete. Use these as a starting point, but don’t stop there. Identify the go-to staff members who are well versed in how a process works.
2.1 Define an objective impact scoring scale
2.2 Estimate the impact of downtime
2.3 Determine acceptable RTO/RPO targets
Assess the impact of business process downtime using objective, customized impact scoring scales. Sort business processes by criticality, and assign criticality tiers, recovery time objectives, and recovery point objectives.
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Define an impact scoring scale relevant to your business, which allows you to assess the impact of business process downtime more objectively.
The activities in Phase 2 will help you set appropriate, acceptable recovery objectives based on the business impact of process downtime.
For example:
Create Impact Scoring Scales→Assess the impact of process downtime→Review overall impact of process downtime→Set Criticality Tiers→Set Recovery Time and Recovery Point Objectives
Work with the Business Unit Manager and Executive Sponsor to identify the maximum impact in each category to the entire business. Use a worst-case scenario to estimate the maximum for each scale. In the future, you can use this scoring scale to estimate the impact of downtime for other business units.
Cost estimates are like hand grenades and horseshoes: you don’t need to be exact. It’s much easier to get input and validation from other stakeholders when you have estimates. Even weak estimates are far better than a blank sheet.
Use just the impact scales that are relevant to your organization.
This step involves the following participants:
In this step, you’ll use these tools and templates:
Develop an objective view of the impact of downtime for key business processes.
Example: Highest total Goodwill, Compliance, and Safety impact score is 18.
Tier | Score Range | % of high score |
---|---|---|
Tier 1 - Gold | 9-18 | 50-100% |
Tier 2 - Silver | 5 to 9 | 25-50% |
Tier 3 - Bronze | 0 to 5 | 0-25% |
This step involves the following participants:
In this step, you’ll use these tools and templates:
Right-size recovery objectives based on business impact.
The impact of downtime for most business processes tends to look something like the increasing impact curve in the image to the right.
In the moments after a disruption, impact tends to be minimal. Imagine, for example, that your organization was suddenly unable to pay its suppliers (don’t worry about the reason for the disruption, for the moment). Chances are, this disruption wouldn’t affect many payees if it lasted just a few minutes, or even a few hours. But if the disruption were to continue for days, or weeks, the impact of downtime would start to spiral out of control.
In general, we want to target recovery somewhere between the point where impact begins, and the point where impact is intolerable. We want to balance the impact of downtime with the investment required to make processes more resilient.
Account for hard copy files as well as electronic data. If that information is lost, is there a backup? BCP can be the driver to remove the last resistance to paperless processes, allowing IT to apply appropriate data protection.
Set recovery time objectives and recovery point objectives in the “Debate Space”
RTOs and RPOs are business-defined, impact-aligned objectives that you may not be able to achieve today. It may require significant investments of time and capital to enable the organization to meet RTO and RPO.
Set a range for RTO for each Tier.
Tier | RTO |
---|---|
Tier 1 | 4 hrs - 24 hrs |
Tier 2 | 24 hrs - 72 hrs |
Tier 3 | 72 hrs - 120 hrs |
3.1 Determine current recovery procedures
3.2 Identify and prioritize projects to close gaps
3.3 Evaluate business continuity site and command center options
Outline business recovery processes. Highlight gaps and risks that could hinder business recovery. Brainstorm ideas to address gaps and risks. Review alternate site and business relocation options.
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Establish steps required for business recovery and current recovery timelines.
Identify risks & gaps that could delay or obstruct an effective recovery.
Step 2 - 2 hours
Establish command center.
Step 2: Risks
Step 2: Gaps
A good scenario is one that helps the group focus on the goal of tabletop planning – to discuss and document the steps required to recover business processes. We suggest choosing a scenario for your first exercise that:
An example: a gas leak at company HQ that requires the area to be cordoned off and power to be shut down. The business must resume processes from another location without access to materials, equipment, or IT services at the primary location.
A plan that satisfies the gas leak scenario should meet the needs of other scenarios that affect your normal workspace. Then use BCP testing to validate that the plan meets a wider range of incidents.
Notification
How will you be notified of a disaster event? How will this be escalated to leadership? How will the team responsible for making decisions coordinate (if they can’t meet on-site)? What emergency response plans are in place to protect health and safety? What additional steps are involved if there’s a risk to health and safety?
Assessment
Who’s in charge of the initial assessment? Who may need to be involved in the assessment? Who will coordinate if multiple teams are required to investigate and assess the situation? Who needs to review the results of the assessment, and how will the results of the assessment be communicated (e.g. phone bridge, written memo)? What happens if your primary mode of communication is unavailable (e.g. phone service is down)?
Declaration
Who is responsible today for declaring a disaster and activating business continuity plans? What are the organization’s criteria for activating continuity plans, and how will BCP activation be communicated? Establish a crisis management team to guide the organization through a wide range of crises by Implementing Crisis Management Best Practices.
Do the following:
Tabletop planning is most effective when you keep it simple.
Create one recovery workflow for all scenarios.
Traditional planning calls for separate plans for different “what-if” scenarios. This is challenging not just because it’s a lot more documentation – and maintenance – but because it’s impossible to predict every possible incident. Use the template, aligned to recovery of process dependencies, to create one recovery workflow for each business unit that can be used in and tested against different scenarios.
Download Info-Tech’s BCP Recovery Workflow Example
"We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management." – Assistant Director-IT Operations, Healthcare Industry
"Very few business interruptions are actually major disasters. It’s usually a power outage or hardware failure, so I ensure my plans address ‘minor’ incidents as well as major disasters." – BCP Consultant
Add the following data to your copy of the BCP Business Impact Analysis Tool.
Operating at a minimum acceptable functional level may not be feasible for more than a few days or weeks. Develop plans for immediate continuity first, then develop further plans for long-term continuity processes as required. Recognize that for longer term outages, you will evolve your plans in the crisis to meet the needs of the situation.
Work from and update the soft copy of your recovery workflow.
Info-Tech Insight
Remember that health and safety risks must be dealt with first in a crisis. The business unit recovery workflow will focus on restoring business operations after employees are no longer at risk (e.g. the risk has been resolved or employees have been safely relocated). See Implement Crisis Management Best Practices for ideas on how to respond to and assess a wide range of crises.
For some organizations, it’s not practical or possible to invest in the redundancy that would be necessary to recover in a timely manner from certain major events.
Leverage existing risk management practices to identify key high-impact events that could present major business continuity challenges and cause catastrophic disruptions to facility, IT, staffing, suppliers, or equipment. If you don’t have a risk register, review the scenarios on the next slide and brainstorm risks with the working group.
Work through tabletop planning to identify, at a high level, how you might work through an event like this. In step 3.2, you can estimate the effort, cost, and benefit of different ideas for mitigating the damage to the business, which helps decision makers choose between investing in mitigation and accepting the risk.
Document any scenarios that you identify as outside the scope of your continuity plans in the “Scope” section of your BCP Summary document.
For example:
A single location manufacturing company is creating a BCP.
The factory is large and contains expensive equipment; it’s not possible to build a second factory for redundancy. If the factory is destroyed, operations can’t be resumed until the factory is rebuilt. In this case, the BCP outlines how to conduct an orderly business shutdown while the factory is rebuilt.
Contingency planning to resume factory operations after less destructive events, as well as a BCP for corporate services, is still practical and necessary.
Scenario Type | Considerations |
---|---|
Local hazard (gas leak, chemical leak, criminal incident, etc.) | |
Equipment/building damage (fire, roof collapse, etc.) | |
Regional natural disasters | |
Supplier failure (IT provider outage, disaster at supplier, etc.) | |
Staff (lottery win, work stoppage, pandemic/quarantine) | |
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Identify and prioritize projects and action items that can improve business continuity capabilities.
Try to avoid debates about feasibility at this point. The goal is to get ideas on the board.
When you’re brainstorming solutions to problems, don’t stop with the first idea, even if the solution seems obvious. The first idea isn’t always the best or only solution – other ideas can expand on it and improve it.
Step 4: No formal process to declare a disaster and invoke business continuity.
Step 7: Alternate site could be affected by the same regional event as the main office.
Step 12: Need to confirm supplier service-level agreements (SLAs).
With COVID-19, most organizations have experience with mass work-from-home.
Review the following case studies. Do they reflect your experience during the COVID-19 pandemic?
Consider where your own work-from-home plans fell short.
People
→
Site & Facilities
→
External Services & Suppliers
→
Technology & Physical Assets
→
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Identify requirements for an alternate business site.
"There are horror stories about organizations that assumed things about their alternate site that they later found out weren’t true in practice." – Dr. Bernard Jones, MBCI CBCP
If you choose a shared location as a BCP site, a regional disaster may put you in competition with other tenants for space.
For many organizations, a dedicated command center (TVs on the wall, maps and charts in filing cabinets) isn’t necessary. A conference bridge and collaboration tools allowing everyone to work remotely can be an acceptable offsite command center as long as digital options can meet your command center requirements.
Leverage the methodology and tools in this blueprint to define your return to normal (repatriation) procedures:
For more on supporting a business move back to the office from the IT perspective, see Responsibly Resume IT Operations in the Office.
4.1 Consolidate BCP pilot insights to support an overall BCP project plan
4.2 Outline a business continuity management (BCM) program
4.3 Test and maintain your BCP
Summarize and consolidate your initial insights and documentation. Create a project plan for overall BCP. Identify teams, responsibilities, and accountabilities, and assign documentation ownership. Integrate BCP findings in DR and crisis management practices. Set guidelines for testing, plan maintenance, training, and awareness.
Participants
Present results from the pilot BCP, and outline how you’ll use the pilot process with other business units to create an overall continuity program.
Structure the overall BCP program.
The BCP Summary document is the capstone to business unit continuity planning exercises. It consolidates your findings in a short overview of your business continuity requirements, capabilities, and maintenance procedures.
Info-Tech recommends embedding hyperlinks within the Summary to the rest of your BCP documentation to allow the reader to drill down further as needed. Leverage the following documents:
The same methodology described in this blueprint can be repeated for each business unit. Also, many of the artifacts from the BCP pilot can be reused or built upon to give the remaining business units a head start. For example:
You may need to create some artifacts that are site specific. For example, relocation plans or emergency plans may not be reusable from one site to another. Use your judgement to reuse as much of the templates as you can – similar templates simplify audit, oversight, and plan management.
Adjust the pilot charter to answer the following questions:
As with the pilot, choose a business unit, or business units, where BCP will have the greatest impact and where further BCP activities will have the greatest likelihood of success. Prioritize business units that are critical to many areas of the business to get key results sooner.
Work with one business unit at a time if:
Work with several business units at the same time if:
Document BCP teams, roles, and responsibilities.
Document contact information, alternates, and succession rules.
A BCM program should:
Develop a Business Continuity Management Program
Phase 4 of this blueprint will focus on the following elements of a business continuity management program:
Schedule a call with an Info-Tech Analyst for help building out these core elements, and for advice on developing the rest of your BCM program.
BC management teams (including the secondary teams such as the emergency response team) have two primary roles:
Crisis leaders require strong crisis management skills:
Collectively, the team must include a broad range of expertise as well as strong planning skills:
Note: For specific BC team roles and responsibilities, including key resources such as Legal, HR, and IT SMEs required to prepare for and execute crisis management plans, see Implement Crisis Management Best Practices.
BCM Team: Govern business continuity, DR, and crisis management planning. Support the organization’s response to a crisis, including the decision to declare a disaster or emergency.
Emergency Response Teams: Assist staff and BC teams during a crisis, with a focus first on health and safety. There’s usually one team per location. Develop and maintain emergency response plans.
IT Disaster Recovery Team: Manage the recovery of IT services and data following an incident. Develop and maintain the IT DRP.
Business Unit BCP Teams: Coordinate business process recovery at the business unit level. Develop and maintain business unit BCPs.
“Planning Mode”
Executive Team → BC Management Team ↓
“Crisis Mode”
Executive Team ↔ Crisis Management Team ↓ ↔ Emergency Response Teams (ERT)
For more details on specific roles to include on these teams, as well as more information on crisis management, review Info-Tech’s blueprint, Implement Crisis Management Best Practices.
Track teams, roles, and contacts in this template. It is pre-populated with roles and responsibilities for business continuity, crisis management, IT disaster recovery, emergency response, and vendors and suppliers critical to business operations.
Track contact information in this template only if you don’t have a more streamlined way of tracking it elsewhere.
Download Info-Tech’s Business Continuity Teams and Roles Tool
Suppliers and vendors might include:
Supplier RTOs and RPOs should align with the acceptable RTOs and RPOs defined in the BIA. Where they do not, explore options for improvement.
Confirm the following:
Your BCP isn’t any one document. It’s multiple documents that work together.
Continue to work through any additional required documentation. Build a repository where master copies of each document will reside and can be updated as required. Assign ownership of document management to someone with an understanding of the process (e.g. the BCP Coordinator).
Governance | | Recovery |
---|---|---|
BCMS Policy | BCP Summary | Core BCP Recovery Workflows |
Business Process Workflows | Action Items & Project Roadmap | BCP Recovery Checklists |
BIA | Teams, Roles, Contact Information | BCP Business Process Workarounds and Recovery Checklists |
BCP Maturity Scorecard | BCP Project Charter | Additional Recovery Workflows |
Business Unit Prioritization Tool | BCP Presentation | |
Recovery documentation has a different audience, purpose, and lifecycle than governance documentation, and keeping the documents separate can help with content management. Disciplined document management keeps the plan current and accessible.
Use the following BCP outputs to inform your DRP:
BCP Outputs | DRP Activities |
---|---|
Business processes defined | Identify critical applications |
Dependencies identified | Identify IT dependencies |
Recovery objectives defined | Identify recovery objectives |
Projects identified to close gaps | Identify projects to close gaps |
Info-Tech Insight
Don’t think of inconsistencies between your DRP and BCP as a problem. Discrepancies between the plans are part of the discovery process, and they’re an opportunity to have a conversation that can improve alignment between IT service capabilities and business needs. You should expect that there will be discrepancies – managing discrepancies is part of the ongoing process to refine and improve both plans.
BC/DR Planning Workflow
1. Collect BCP outputs that impact IT DRP (e.g. technology RTOs/RPOs).
2. As BCPs are done, BCP Coordinator reviews outputs with IT DRP Management Team.
3. Use the RTOs/RPOs from the BCPs as a starting point to determine IT recovery plans.
4. Identify investments required to meet business-defined RTOs/RPOs, and validate with the business.
5. Create a DR technology roadmap to meet validated RTOs/RPOs.
6. Review and update business unit BCPs to reflect updated RTOs/RPOs.
Shadow IT can be a symptom of larger service support issues. There should be a process for requesting and tracking non-standard services from IT with appropriate technical, security, and management oversight.
Assign the BCP Coordinator the task of creating a master list of BC projects, and then work with the BC management team to review and reprioritize this list, as described below:
Improving business continuity capabilities is a marathon, not a sprint. Change for the better is still change and introduces risk – massive changes introduce massive risk. Incremental changes help minimize disruption. Use Info-Tech research to deliver organizational change.
"Developing a BCP can be like solving a Rubik’s Cube. It’s a complex, interdepartmental concern with multiple and sometimes conflicting objectives. When you have one side in place, another gets pushed out of alignment." – Ray Mach, BCP Expert
Create a plan to maintain the BCP.
Mastery comes through practice and iteration. Iterating on and testing your plan will help you keep up to date with business changes, identify plan improvements, and help your organization’s employees develop a mindset of continuity readiness. Maintenance drives continued success; don’t let your plan become stagnant, messy, and unusable.
Your BCM program should structure BCP reviews and updates by answering the following:
At a minimum, review goals should include:
Who leads reviews and updates documents?
The BCP Coordinator is likely heavily involved in facilitating reviews and updating documentation, at least at first. Look for opportunities to hand off document ownership to the business units over time.
How do we track reviews, tests, and updates?
Keep track of your good work by keeping a log of document changes. If you don’t have one, you can use the last tab on the BCP-DRP Maintenance Checklist.
When do we review the plan?
This tool helps you set a schedule for plan update activities, identify document and exercise owners, and log updates for audit and governance purposes.
Info-Tech Insight
Everyone gets busy. If there’s a meeting you can schedule months in advance, schedule it months in advance! Then send reminders closer to the date. As soon as you’re done with the pilot BCP, set aside time in everyone’s calendar for your first review session, whether that’s three months, six months, or a year from now.
Use this template to:
If you require more detail to support your recovery procedures, you can use this template to:
Download Info-Tech’s BCP Process Workarounds & Recovery Checklists Template
Use this template to:
Download Info-Tech’s BCP Notification, Assessment, and Disaster Declaration Plan template
Use this template to:
These HR research resources live on the website of Info-Tech’s sister company, McLean & Company. Contact your Account Manager to gain access to these resources.
This blueprint outlined:
Dr. Bernard A. Jones, MBCI, CBCP
Professor and Continuity Consultant, Berkeley College
Dr. Jones is a professor at Berkeley College within the School of Professional Studies teaching courses in Homeland Security and Emergency Management. He is a member of the National Board of Directors for the Association of Continuity Professionals (ACP) as well as the Information & Publications Committee Chair for the Garden State Chapter of the ACP. Dr. Jones earned a doctorate degree in Civil Security Leadership, Management & Policy from New Jersey City University where his research focus was on organizational resilience.
Kris L. Roberson
Disaster Recovery Analyst, Veterans United Home Loans
Kris Roberson is the Disaster Recovery Analyst for Veterans United Home Loans, the #1 VA mortgage lender in the US. Kris oversees the development and maintenance of the Veterans United Home Loans DR program and leads the business continuity program. She is responsible for determining the broader strategies for DR testing and continuity planning, as well as the implementation of disaster recovery and business continuity technologies, vendors, and services. Kris holds a Masters of Strategic Leadership with a focus on organizational change management and a Bachelors in Music. She is a member of Infragard, the National Association of Professional Women, and Sigma Alpha Iota, and holds a Project+ certification.
Trevor Butler
General Manager of Information Technology, City of Lethbridge
As the General Manager of Information Technology with the City of Lethbridge, Trevor is accountable for providing strategic management and advancement of the city’s information technology and communications systems consistent with the goals and priorities of the corporation while ensuring that corporate risks are appropriately managed. He has 15+ years of progressive IT leadership experience, including 10+ years with public sector organizations. He holds a B.Mgt. and PMP certification along with masters certificates in both Project Management and Business Analysis.
Robert Miller
Information Services Director, Witt/Kieffer
Bob Miller is the Information Services Director at Witt/Kieffer. His department provides end-user support for all company-owned devices and software for Oak Brook, the regional offices, home offices, and traveling employees. The department purchases, implements, manages, and monitors the infrastructure, which includes web hosting, networks, wireless solutions, cell phones, servers, and file storage. Bob is also responsible for the firm’s security planning, capacity planning, and business continuity and disaster preparedness planning to ensure that the firm has functional technology to conduct business and continue business growth.
Create a Right-Sized Disaster Recovery Plan
Close the gap between your DR capabilities and service continuity requirements.
Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind
Go beyond satisfying auditors to drive process improvement, consistent IT operations, and effective knowledge transfer.
Select the Optimal Disaster Recovery Deployment Model
Determine which deployment models, including hybrid solutions, best meet your DR requirements.
Your organization already has a digital strategy, but there is a lack of understanding of what digital means across the enterprise. Digital investments have been made in the past but failed to yield or demonstrate business value. Given the pace of change, the current digital strategy is outdated, and new digital opportunities need to be identified to inform the technology innovation roadmap.
Turn your digital strategy into a compelling change story that will create a unified vision of how you want to transform your business.
Knowing which digital opportunities create the greatest business value requires a structured approach to ideate, prioritize, and understand the value they create for the business to help inform the creation of your business case for investment approval.
Your Challenge | Common Obstacles | Solution |
---|---|---|
Info-Tech Insight
Turn your existing digital strategy into a compelling change story that will create a unified vision of how you want to transform your business.
By this point you have leveraged industry roundtables to better understand the art of the possible, exploring global trends, shifts in market forces, customer needs, emerging technologies, and economic forecasts to establish your business objectives and innovation goals. Now you need to formalize digital business strategy.
Phase 1: Industry Trends Report
Phase 2: Digital Maturity Assessment
Phase 3: Zero-In on Business Objectives
Business and innovation goals are established through stakeholder interviews and a heatmap of your current capabilities for transformation.
The goal of this phase is to ensure the scope of the current digital strategy reflects the right opportunities to allocate capital to resources, assets, and capabilities to drive strategic growth and operational efficiency.
There are three key activities outlined in this deck that can be undertaken by industry members to help evolve their current digital business strategy.
Formalize your digital business strategy: Methodology
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
New Digital Opportunities | Evaluate Opportunities and Business Capabilities | Transform Stakeholder Journeys |
Deliverable: Client’s Digital Business Strategy
LEAPFROG IDEAS
The concept was originally developed in the area of industrial organizations and economic growth. Leapfrogging is the notion that organizations can identify opportunities to skip one or several stages ahead of their competitors.
DIGITAL OPPORTUNITIES
Opening of new possibilities to transform or change your business model and create operational efficiencies and customer experiences through the adoption of digital platforms, solutions, and capabilities.
INITIATIVES
Breakdown of opportunities into actionable initiatives that create value for organizations through new or changed business models, operational efficiencies, and customer experiences.
Host an ideation session to turn trends into growth opportunities with new leapfrog ideas.
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
Identify New Digitally Enabled Opportunities | Evaluate Opportunities and Business Capabilities | Transform Stakeholder Journeys |
1.1 IDENTIFY AND ASSEMBLE YOUR KEY STAKEHOLDERS
Build support and eliminate blind spots
It is important to make sure the right stakeholders participate in this working group. Designing a digital strategy will require debate, insights, and business decisions from a broad perspective across the enterprise. The focus is on the value to be generated from digital.
1.2 ESTABLISH GUIDING PRINCIPLES
Define the guardrails to focus your ideas
All ideas are great until you need one that works. Establish guiding principles that will help you establish the perimeters for turning big ideas into opportunities.
1.3 LEVERAGE STRATEGIC FORESIGHT TO IDENTIFY LEAPFROG IDEAS
Create space to elicit “big ideas”
Leverage industry roundtables and trend reports imagining how digital solutions can help drive strategic growth and operational efficiency. Brainstorm new opportunities and discuss their viability to create value and better experiences for your stakeholders.
Identify digitally enabled opportunities
Activity: 2-4 hours
Industry Roundtables and Trend Reports; Industry Trends Report; Business Documents; Digital Maturity Assessment
Hold a visioning session with key business executives (e.g., CIO, CEO, CFO, CCO, and COO) and others as needed. Here is a proposed agenda of activities for the ideation session:
Set yourself up for success with these three steps.
CIOs tasked with designing digital strategies must add value to the business. Given the goal of digital is to transform the business, CIOs will need to ensure they have both the mandate and support from the business executives. Designing the digital strategy is more than just writing up a document. It is an integrated set of business decisions to create a competitive advantage and financial returns. Establishing a forum for debates, decisions, and dialogue will increase the likelihood of success and support during execution.
1. Confirm your role | 2. Identify Stakeholders | 3. Diverse Perspective |
---|---|---|
The digital strategy aims to transform the business. Given the scope, validate your role and mandate to lead this work. Identify a business executive to co-sponsor. | Identify key decision-makers and influencers who can help make rapid decisions as well as garner support across the enterprise. | Don’t be afraid to include contrarians or naysayers. They will help reduce any blind spots but can also become the greatest allies through participation. |
Guiding principles help define the parameters of your digital strategy. They act as a priori decisions that establish the guardrails to limit the scope of opportunities from the perspective of people, assets, capabilities, and budgets that are aligned with the business objectives. Consider these three components when brainstorming guiding principles:
Breadth | Digital strategy should span people, culture, organizational structure, governance, capabilities, assets, and technology. The guiding principle should cover a 360° view across the entire organization. |
---|---|
Planning Horizon | Timing should anchor stakeholders to look to the long-term with an eye on the foreseeable future i.e., business value realization in one, two, and three years. |
Depth | Needs to encompass more than the enterprise view of lofty opportunities but establish boundaries to help define actionable initiatives (i.e., individual projects). |
IT Principle Name | IT Principle Statement |
---|---|
1. Enterprise value focus | We aim to provide maximum long-term benefits to the enterprise as a whole while optimizing total costs of ownership and risks. |
2. Fit for purpose | We maintain capability levels and create solutions that are fit for purpose without over engineering them. |
3. Simplicity | We choose the simplest solutions and aim to reduce operational complexity of the enterprise. |
4. Reuse > buy > build | We maximize reuse of existing assets. If we can’t reuse, we procure externally. As a last resort, we build custom solutions. |
5. Managed data | We handle data creation and modification and use it enterprise-wide in compliance with our data governance policy. |
6. Controlled technical diversity | We control the variety of what technology platforms we use. |
7. Managed security | We manage security enterprise-wide in compliance with our security governance policy. |
8. Compliance to laws and regulations | We operate in compliance with all applicable laws and regulations. |
9. Innovation | We seek innovative ways to use technology for business advantage. |
10. Customer centricity | We deliver best experiences to our customers with our services and products. |
11. Digital by default | We always put digital solutions at the core of our plans for all viable solutions across the organization. |
12. Customer-centricity by design | We design new products and services with the goal to drive greater engagement and experiences with our customers. |
What is Strategic Foresight?
In times of increasing uncertainty, rapid change, market volatility, and complexity, the development of strategies can be difficult. Strategic foresight offers a solution.
Strategic foresight refers to an approach that uses a range of methodologies, such as scanning the horizon for emerging changes and signals, analyzing megatrends, and developing multiple scenarios to identify opportunities (source: OECD, 2022). However, it cannot predict the future and is distinct from:
Why is Strategic Foresight useful?
Explore Info-Tech’s Strategic Foresight Process Tool
“When situations lack analogies to the past, it’s hard to envision the future.”
- J. Peter Scoblic, HBR, 2020
Uncover important business and industry trends that can inform possibilities for technology innovation. Explore trends in areas such as:
Market research is critical in identifying factors external to your organization and identifying technology innovation that will provide a competitive edge. It’s important to evaluate the impact each trend or opportunity will have in your organization and market. Visit Info-Tech’s Trends & Priorities Research Center. Visit Info-Tech’s Industry Coverage Research to get started.
Images are from Info-Tech’s Rethinking Higher Education Report and 2023 Tech Trends Report.
Understand how the environment is evolving in your industry
Scan the horizon to detect early signs of future changes or threats.
Horizon scanning involves scanning, analyzing, and communicating changes in an organization’s environment to prepare for potential threats and opportunities. Much of what we know about the future is based around the interactions and trajectory of macro trends, trends, and drivers. These form the foundations for future intelligence.
Macro Trends | A macro trend captures a large-scale transformative trend on a global scale that could impact your addressable market |
---|---|
Industry Trend | An industry trend captures specific use cases of the macro trend in relation to your market and industry. Consider this in terms of shifts in your market dynamics i.e., competitors, size, transaction, international trade, supply/demand, etc. |
Driver(s) | A driver is an underlying force causing the trend to occur. There can be multiple causal forces, or drivers, that influence a trend, and multiple trends can be influenced by the same causal force. |
Identify signals of change in the present and their potential future impacts.
Macro trends capture a global shift that can change the market and the industry. Here are examples of macro-trends to consider when scanning the horizon for your own organization:
Talent Availability | Customer Expectations | Emerging Technologies | Regulatory System | Supply Chain Continuity |
---|---|---|---|---|
Decentralized workforce; Hybrid workforce; Diverse workforce; Skills gap; Digital workforce; Multigenerational workforce | Personalization; Digital experience; Data ownership; Transparency; Accessibility; On-demand; Mobility | AI & robotics; Virtual world; Ubiquitous connectivity; Genomics (nano, bio, smart….); Big data | Market control; Economic shifts; Digital regulation; Consumer protection; Global green | Resource scarcity; Sustainability; Supply chain digitization; Circular supply chains; Agility; Outsource |
Understand which trends create opportunities or risks for your organization.
Key Concepts:
Once an organization has uncovered a set of trends that are of potential importance, a judgment must be made on which of the trends should be prioritized to understand their impact on your market and ultimately, the implications for your business or organization. Consider the following criteria to help you prioritize your trends.
Impact to Industry: The degree of impact the trend will have on your industry and market to create possibilities or risks for your business. Will this trend create opportunities for the business? Or does it pose a risk that we need to mitigate?
Relevance to Organization: The relevance of the trend to your organization. Does the trend align with the mission, vision, and business objectives of your organization?
Activity: 2-4 hours
To determine which trends will have an impact on your industry and are relevant to your organization, use a gating approach to short-list those that may create opportunities to capitalize on, and manage the ones that pose risk.
Impact | What does this trend mean for my industry and market? |
---|---|
Relevance | What opportunity or risk does it pose to my business/organization? |
Info-Tech Insight
While the scorecard may produce a ranking based on weighted metrics, you need to leverage the group discussion to help contextualize and challenge assumptions when validating the priority. The room for debate is important to truly understand whether a trend is a fad or a fact that needs to be addressed.
Determining the root cause(s) of a trend is an important precursor to understanding the how, why, and to what extent a trend will impact your industry and market.
Trend analysis can be a valuable approach to reduce uncertainties about the future and an opportunity to understand the underlying drivers (forces) that may be contributing to a shift in pattern. Understanding the drivers is important to help determine the implications for your organization and potential opportunities.
INDUSTRY
Healthcare Exemplar
Macro Trends (Transformative change) | Industry Trend (A pattern of change…) | Drivers (“Why”….) |
---|---|---|
Accessibility | Increase in wait times | Aging population leading to global workforce shortage |
Accessibility | New models of care e.g., diversify scope of practice | Address capacity issues |
Understanding the drivers is not about predicting the future. Don’t get stuck in “analysis paralysis.” The key objective is to determine what opportunities and risks the trend and its underlying driver pose to your business. This will help elicit leapfrog opportunities that can be funneled into actionable initiatives.
Other examples…
Dimensions | Macro-Trends | Industry Trend | Driver |
---|---|---|---|
Social | Demographic shift | Global shortage of healthcare workers | Workforce age |
Social | Customer expectations | Patients as partners | Customer demographics |
Technology | AI and robotics | Early detection of cancer | Patient outcomes |
Technology | Ubiquitous connectivity | Virtual health | Capacity |
Economic | Recession | Cost-savings | Sustainability |
Economic | Consumer spending | Value-for-money | Prioritization |
Environment | Climate change | Shift in manufacturers | ESG compliant vendors |
Environment | Pandemic | Supply chain disruption | Local production |
Political | Regulatory | Consolidation of professional colleges | Operational efficiency |
Political | De-regulation | New models of care | New service (business) model |
Industry
Healthcare
Artificial Intelligence (AI) in Precision Medicine (Genomics)
Precision medicine has become very popular in recent years, fueled by research as well as by political and patient demands to focus more on better outcomes vs. profits. A cancer care center in Canada wanted to look at what was driving this popularity and, more importantly, what it potentially meant for their current service delivery model and operations and what opportunities and risks they needed to address in the foreseeable future. They determined the following drivers:
INDUSTRY
Healthcare Exemplar
Category | Macro-Trends | Industry Trends (Use-Case) | Drivers | Impact to Industry | Impact to Business |
---|---|---|---|---|---|
Talent Availability | Diverse workforce | Aboriginal health | Systemic inequities | Brand and legal | Policies in place |
Hybrid workforce | Virtual care | COVID-19 and infectious disease | New models of care | New digital talent | |
Customer Expectation | Personalization | On-demand care | Patient experience | Patients as consumers | New operating model |
Digital experience | Patient portals | Democratization of data | Privacy and security | Capacity | |
Emerging Technologies | Internet of Things (IoT) | Smart glucometers | Greater mobility | System redesign | Shift from hospital to home care |
Quantum computing | Genomic sequencing | Accelerate analysis | Improve quality of data analysis | Faster to clinical trial and delivery | |
Regulatory System | Consumer protection | Protect access to sensitive patient data | HIPAA legislation | Restrict access to health record | Electronic health records |
Global green | Green certification for redev. projects | Political optics | Higher costs | Contract management | |
Supply Chain | Supply chain disruptions | Surgical strategic sourcing | Preference cards | Quality | Organizational change management |
New pharma entrants | Telco’s move into healthcare | Demand/supply | Funding model | Resource competition |
Turn trends into growth opportunities.
To thrive in the digital age, organizations must innovate big, leverage internal creativity, and prepare for flexibility.
In this digital era, organizations are often playing catch up to a rapidly evolving technological landscape and following a strict linear approach to innovation. However, this linear catch-up approach does not help companies get ahead of competitors. Instead, organizations must identify avenues to skip one or several stages of technological development to leapfrog ahead of their competitors.
“The best way to predict the future is to invent it.”
– Alan Kay
Leapfrogging takes place when an organization introduces disruptive innovation into the market and sidesteps competitors, who are unable to mobilize to respond to the opportunities.
Go from trend insights into ideas for opportunities
Brainstorm ways to generate leapfrog ideas from trend insights.
Dealing with trends is one of the most important tasks for innovation. It provides the basis of developing the future orientation of the organization. However, being aware of a trend is one thing; developing strategies to respond is another.
To identify the impact the trend has on the organization, consider the four areas of growth for the organization:
INDUSTRY: Healthcare
SOURCE: Memorial Sloan Kettering Cancer Center
Machine Learning Sensor to Sniff Out Cancer
Challenge | Solution | Results |
---|---|---|
Timely access to diagnostic services is a key indicator of a cancer patient’s prognosis i.e., outcome. Early detection of cancer means the difference between life and death for cancer patients. Typically, cancer biomarkers need to be present to detect cancer. Often the presence of these biomarkers is late in the disease state when the cancer cells have likely spread, resulting in suspicions of cancer only when the patient does not feel well or suspects something is wrong. | Researchers in partnership with IBM Watson at Memorial Sloan Kettering Cancer Center (MSK) have created a tool that can sniff for and identify cancer in a blood sample using machine learning. Originally, MSK worked with IBM Watson to identify machine learning as an emerging technology that could drive early cancer detection without the use of cancer biomarkers. But they needed to find specific use cases. After a series of concept prototypes, they were able to use machine learning to detect patterns in blood cells vs. cancer biomarkers to detect cancer disease. | Machine learning was an emerging trend that researchers at MSK felt held great promise. They needed to turn the trend into tangible opportunities by identifying some key use cases that could be prototyped. Computational tools in oncology have the ability to greatly reduce clinician labor, improve the consistency of variant classification, and help accelerate the analytics of vast amounts of clinical data that would be prone to errors and delays when done manually. |
Additional Examples in the Appendix
Example of leapfrog ideas that can generate opportunities for consideration
Trend | New Customer | New Market | New Business or Operating Model | New Service Offering |
---|---|---|---|---|
What trend(s) pose a significant impact on your business? | New stakeholder segment | Enter or create new markets | Adjust the business or operating model to capture change in how the business creates and delivers value | Introduce new digital products, services and experiences |
Virtualize Registration | Empower patients as consumers of healthcare partners | Direct B2C to close gap between providers and patients by removing middle administrative overhead. | 24/7 On-Demand Patient Portal | Leverage AI to develop chatbots and on-demand |
Phase 1 Deliverable
Example of output from phase 1 ideation session
Business Objectives | New Customers (Customer Experience) | New Markets (Health Outcomes) | New Business or Operating Models (Operational Excellence) | New Service Offering (Value for Money) |
---|---|---|---|---|
Description: | Focus on improving experiences for patients and providers | Improve quality and standards of care to continually drive better health outcomes | Deliver care better, faster, and more efficiently | Reduce cost per capita of delivery care and increase value for services |
Trends: |
|
|
|
|
Digital Opportunities: |
|
|
|
|
Build a better understanding of the opportunities and their impact on your business.
Phase 1 | Phase 2 | Phase 3 |
Identify New Digitally Enabled Opportunities | Evaluate Opportunities and Business Capabilities | Transform Stakeholder Journeys |
2.1 CREATE OPPORTUNITY PROFILES | Evaluate each opportunity Some opportunities will have an immediate and significant impact on your business. Some may have a significant impact but on a longer time scale or some may be unlikely to have a significant impact at all. Understanding these trends is an important context for your digital business strategy. | Consider:
| Avoid:
|
2.2 UNDERSTAND THE IMPACT OF OPPORTUNITIES ON BUSINESS CAPABILITIES | Understand the impact across your value chains Each opportunity has the potential to impact multiple areas of your business. Prioritize where to start acting on new opportunities based on your business objectives and capabilities. You need to assess their impacts across value chains. Does the opportunity impact existing value chain(s) or create a new value chain? | Consider:
| Avoid:
|
Discussion Framework:
In your discussion, evaluate each opportunity to assess assumptions, value drivers, and benefits.
Ideas matter, but not all ideas are created equal. Now that you have elicited opportunities, discuss the assumptions, risks, and benefits associated with each new digital opportunity.
Design Thinking
Leverage the guiding principles as the guardrails to limit the scope of your new digital opportunities. You may want to consider taking a design-thinking approach to innovation by discussing the merits of each opportunity based on:
Feasibility: Able to Execute. Do we have the capabilities to deliver e.g., the right skills, partners, technology, and leadership?
Viability: Delivers Value. Will this idea meet business goals e.g., cost, revenue, and benefits?
Prioritization matrix (axes: IMPACT ↑, COMPLEXITY ⇒)
| Low Complexity | High Complexity |
---|---|---|
High Value | Must Prioritize | Should Plan |
Low Value | Could Have | Don’t Need |
Labels around the matrix: Transform the Business, Drive Digital Experiences, Build Digital Capabilities, Transform Operations.
Example:
An example of a template to capture the output of discussion.
Description of Opportunity: ADT is a critical function of registration that triggers patient identification to support services and billing. Currently, ADT is a heavily manual process with a high degree of errors as a result of human intervention. There is an opportunity to leverage intelligent automation by using RPA and AI. | Alignment With Business Objectives Improve patient outcome Drive operational efficiency and effectiveness Better experiences for patients | Business Architecture This opportunity may impact the following business capabilities:
| |
Benefits & Outcomes
| Key Risks & Assumptions
| ||
Opportunity Owner VP, Health Information Management (HIM) | Incremental Value Reduce errors in patient identity |
|
Each opportunity has the potential to impact multiple areas of your business. Prioritize where to start acting on new opportunities based on your business objectives and capabilities.
You will need:
| Activity: 1-2 hours
|
This will help identify the impact on your business capabilities.
As we identify and prioritize the opportunities available to us, we need to assess impacts on value chains. Does the opportunity directly impact an existing value chain? Or does it open us to the creation of a new value chain?
The value chain perspective allows an organization to identify how to best minimize or enhance impacts and generate value.
As we move from opportunity to impact, it is important to break down opportunities into the relevant pieces so we can see a holistic picture of the sources of differentiation.
In this example, intelligent automation for referral and admission would create opportunity to virtualize repeatable tasks.
Understand the impact of opportunities across the value chain and possibilities of new or better stakeholder experiences.
Phase 1 | Phase 2 | Phase 3 |
Identify New Digitally Enabled Opportunities | Evaluate Opportunities and Business Capabilities | Transform Stakeholder Journeys |
3.1 IDENTIFY STAKEHOLDER PERSONA | Understand WHO gains value from the value chain To define a stakeholder scenario, you need to understand whom we are mapping for. Developing stakeholder personas is a great way to understand their needs through a lens of empathy. | Consider:
| Avoid:
|
3.2 BUILD A STAKEHOLDER JOURNEY | Identify opportunities to transform the stakeholder experience A stakeholder or customer journey helps teams visualize the impact of a given opportunity through a value chain. This exercise uncovers the specific initiatives and features that should be considered in the evolution of the digital strategy. | Consider:
| Avoid:
|
3.3 BREAKDOWN OPPORTUNITIES INTO INITIATIVES ALIGNED TO BUSINESS OBJECTIVES | Unlock key initiatives to deliver value Opportunities need to be broken down into actionable initiatives that can be turned into business cases with clear goals, benefits realization, scope, work plans, and investment ask. | Consider:
| Avoid:
|
Conduct a journey mapping exercise to further refine and identify value streams to transform.
Stakeholder Journey Mapping | Digital Business Strategy Blueprint | Activity: 4-6 hours Our analysts can guide and support you, where needed.
Key Concepts: Value Stream: a set of activities to create and capture value for and from the end consumer. Value Chain: a string of end-to-end processes that creates value for the consumer. Journey Scenario: a specific use case across a value chain(s). |
Members Engaged
Info-Tech
|
| |
Content Leveraged
| ||
Deliverable:
|
Download the Define Your Digital Business Strategy blueprint for Customer Journey Mapping Activities
From value chain to journey scenario.
Stakeholder personas and scenarios help us build empathy towards our customers. It helps put us into the shoes of a stakeholder and relate to their experience to solve problems or understand how they experience the steps or processes required to accomplish a goal. A user persona is a valuable basis for stakeholder journey mapping.
A stakeholder persona is a fictitious profile to represent a customer or a user segment. Creating this persona helps us understand who your customers really are and why they are using your service or product.
A stakeholder scenario describes the situation the journey map addresses. Scenarios can be real (for existing products and services) or anticipated.
Learn more about applying design thinking methodologies
To define a stakeholder scenario, we need to understand who we are mapping for. In each value chain, we identified a stakeholder who gains value from that value chain. We now need to develop a stakeholder persona: a representation of the end user to gain a strong understanding of who they are, what they need, and their pains and gains.
One of the best ways to flesh out your stakeholder persona is to engage with the stakeholders directly or to gather the input of those who may engage with them within the organization.
For example, if we want to define a journey map for a student, we might want to gather the input of students or teaching faculty that have firsthand encounters with different student types and are able to define a common student type.
Info-Tech Insight
Run a survey to understand your end users and develop a stronger picture of who they are and what they are seeking to gain from your organization.
For your digital strategy, leverage the existing and opportunity value chains identified in phases 1 and 2 for journey mapping.
Identify two existing value chains to be transformed. In section 1, we identified existing value chains to be transformed. For example, your stakeholder persona is a registration clerk who is part of the Health Information Management team responsible for registering and adjudicating patient identity.
Identify one new value chain. In section 2, we identified a new value chain. However, for a new opportunity, the scenario is more complex as it may capture many different areas of a value chain. Subsequently, a journey map for a new opportunity may require mapping all parts of the value chain.
Stakeholder demographics Name: Anne Age: 35 Occupation: HIM Clerk Location: Unity Hospital System | Pains What are their frustrations, fears, and anxieties?
|
What do they need to do? What do they want to get done? How will they know they are successful?
| Gains What are their wants, needs, hopes, and dreams?
|
Now that we understand who we are mapping for, we need to define a journey statement to capture the stakeholder journey.
Leverage the following format to define the journey statement.
“As a [stakeholder], I need to [prioritized value chain task], so that I can [desired result or overall goal].”
Conduct a journey mapping exercise to identify opportunities for innovation or automation.
A journey-based approach helps an organization understand how a stakeholder moves through a process and interacts with the organization in the form of touch points, channels, and supporting characters. By identifying pain points in the journey and the activity types, we can identify opportunities for innovation and automation along the journey.
Embrace design-thinking methodologies to elevate the stakeholder journey and build a competitive advantage for your organization.
0. Name: Annie Smith
Age: 35
Occupation: HIM Registration Clerk for Unity Hospital System
0. Stakeholder Persona: A fictitious profile of a representative stakeholder group that shares a common yet discrete set of characteristics that embodies how they think, feel, and act.
1. Journey (Value Chain): Describes the end-to-end steps or processes that a customer takes across the value chain that groups a set of activities, interactions, touch-points, and experiences.
2. Persona’s Goals: Exemplifies what the persona is thinking and wanting across each specific step of their journey.
3. Nature of Activity (see detailed definition in this section): This section captures two key components: 1) the description of the action or interaction between the personas to achieve their goals, and 2) the classification of the activity to determine the feasibility for automation. The type is based on four main characteristics: 1) routine cognitive, 2) non-routine cognitive, 3) routine manual, and 4) non-routine manual.
4. Type of Touch-Point: The channel by which a persona interacts or touches products, services, the organization, or information.
5. Key Moments & Pain Points: Captures the emotional experience and value of the persona across each step and interaction.
6. Metrics: This section captures the KPIs used to measure the experience, process or activity today. Future KPIs will need to be developed to measure the opportunities.
7. Opportunities refer to both the possible initiatives to address the persona’s pain points, and the ability to enable business goals.
Example
We identified opportunities for automation
Categorize the activity type to identify opportunities for automation. While there is no perfect framework for automation, this 4x4 matrix provides a general guide to identifying automation opportunities for consideration.
Info-Tech Insight
Automation is more than a 1:1 relationship between the defined task or job and automation. When considering automation, look for opportunities to: 1) streamline across multiple processes, 2) utilize artificial intelligence to augment or virtualize manual tasks, and 3) create more structured data to allow for improved data quality over the long-term.
Stakeholder: HIM Clerks
Journey: Follow-up visit of 80-year-old diabetes patient at diabetic clinic outpatient
Journey (Value Chain) | Appointment | Registration | Identity Reconciliation | Eligibility Verification | Treatment Consult |
---|---|---|---|---|---|
Persona’s Goals |
|
|
|
|
|
Nature of Activity | Priority | Priority | Investigate – ROI | Investigate – ROI | Defer |
Type of Touchpoint |
|
|
|
|
|
Pain Points & Gains |
|
|
|
|
|
Metrics | Time to appointment | Time to enrollment | Patient mis-match | Provider mis-match | Percentage of errors in billing codes |
Opportunities |
|
|
|
|
|
Opportunity 1 Virtual Registration | » | Business Goals | ||||
Initiatives | Health Outcomes | Stakeholder Experience | New Models of Care | Operational Efficiency | ||
| ✓ | ✓ | ✓ | |||
| ✓ | ✓ | ✓ | |||
| ✓ | ✓ | ||||
| ✓ | ✓ | ✓ | |||
Opportunity 2 Machine Learning Pre-Cancer Diagnosis | » | Business Goals | ||||
Initiatives | Health Outcomes | Stakeholder Experience | New Models of Care | Operational Efficiency | ||
| ✓ | ✓ | ||||
| ✓ | ✓ | ✓ | ✓ | ||
| ✓ | ✓ | ✓ | ✓ | ||
| ✓ | ✓ | ✓ | ✓ |
Info-Tech Insight
Evaluate if an opportunity will require a series of discrete activities to execute and/or if they can be a stand-alone initiative.
After completing all three phases of activities in this blueprint, you will have compiled a list of new and planned digital initiatives for prioritization and business case development in the next phase. Example: Consolidated List of Digital Initiatives | The next step will focus on prioritizing and building a business case for your top digital initiatives. |
Additional Examples
Examples of leapfrog ideas that can generate opportunities for consideration
Example 1 Finance | Trend | New Customer | New Market | New Business or Operating Model | New Service Offering |
---|---|---|---|---|---|
What trend(s) pose a significant impact on your business? | New customer segments | Enter or create new markets | Adjust the business or operating model to capture change in how the business creates and delivers value | Introduce new digital products, services, and experiences | |
Open banking | Account integrators (AISPs) | Payment integrators | Data monetization | Social payments | |
Example 2: Retail | Trend | New Customer | New Market | New Business or Operating Model | New Service Offering |
What trend(s) pose a significant impact on your business? | New customer segments | Enter or create new markets | Adjust the business or operating model to capture change in how the business creates and delivers value | Introduce new digital products, services, and experiences | |
Virtual cashier (RFID Enablement) | Big-box retailers | Brick & mortar stores | Automated stores driving new customer experiences | Digital cart |
Every idea is a good one, unless you need one that works.
Additional Exemplars in Appendix
Examples of leapfrog ideas that can generate opportunities for consideration
Example 3: Manufacturing | Trend | New Customer | New Market | New Business or Operating Model | New Service Offering |
---|---|---|---|---|---|
What trend(s) pose a significant impact on your business? | New customer segments | Enter or create new markets | Adjust the business or operating model to capture change in how the business creates and delivers value | Introduce new digital products, services, and experiences | |
IT/OT convergence | Value-added resellers | New geographies | Train quality-control algorithms and sell as a service to other manufacturers | Quality control as a service |
Persona Journey Map: International/Domestic Departure
Persona: Super Traveler
Name: Annie Smith
Age: 35
Occupation: Engineer, Global Consultant
Journey Activity Name: Inspired to Travel
Persona’s Goals | What Am I Thinking?
|
---|---|
Nature of Activity | What Am I Doing?
|
Type of Touchpoint |
|
Key moments & pain points | How Am I Feeling?
|
Metrics |
|
Opportunities |
|
Tech Trends and Priorities Research Center
Industry Reference Architecture
Contact Your Account Manager
Joanne Lee Principal, Research Director, CIO Strategy Info-Tech Research Group | Kim Osborne-Rodgriguez Research Director, CIO Strategy Info-Tech Research Group |
Joanne is an executive with over 25 years of experience in digital technology and management consulting across both public and private entities from solution delivery to organizational redesign across Canada and globally. Prior to joining Info-Tech Research Group, Joanne was a management consultant within KPMG’s CIO management consulting services and the Western Canada Digital Health Practice lead. She has held several executive roles in the industry with the most recent position as Chief Program Officer for a large $450M EHR implementation. Her expertise spans cloud strategy, organizational design, data and analytics, governance, process redesign, transformation, and PPM. She is passionate about connecting people, concepts, and capital. Joanne holds a Master’s in Business and Health Policy from the University of Toronto and a Bachelor of Science (Nursing) from the University of British Columbia. | Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach to digital transformation, with a track record of supporting successful implementations. Kim holds a Bachelor’s degree in Mechatronics Engineering from University of Waterloo. |
Jack Hakimian Vice President, Research Info-Tech Research Group | Charl Lombard President, Digital Transformation Consulting Info-Tech Research Group |
Jack has more than 25 years of technology and management consulting experience. He has served multi-billion dollar organizations in multiple industries including Financial Services and Telecommunications. Jack also served a number of large public sector institutions. Prior to joining the Info-Tech Research Group, he worked for leading consulting players such as Accenture, Deloitte, EY, and IBM. Jack led digital business strategy engagements as well as corporate strategy and M&A advisory services for clients across North America, Europe, the Middle East, and Africa. He is a seasoned technology consultant who has developed IT strategies and technology roadmaps, led large business transformations, established data governance programs, and managed the deployment of mission-critical CRM and ERP applications. He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management. | Charl has more than 20 years of professional services experience, “majoring” in digital transformation and strategic topics. He has led multiple successful Digital Transformation programs across a range of industries (Information Technology, Hospitality, Advanced Industries, High Tech, Entertainment, Travel and Transport, Insurance & Financial Services, Metals & Mining, Electric Power, Renewable Energy, Telecoms, Manufacturing) across different geographies (i.e., North America, EU, Africa) in both private and public sectors. Prior to joining Info-Tech Research Group, Charl was the Vice President of Global Product Management and Strategy (Saber Hospitality Solution), Associate President, McKinsey Transformation Practice, e-Business Practice for PwC, and tech start-up founder and investor.
Charl is a frequent speaker at innovation and digital transformation conferences and holds an MBA from the University of Cape Town Graduate School of Business, and a bachelor’s degree from the University of Pretoria, South Africa. |
Mike Tweedie Practice Lead, CIO Strategy Info-Tech Research Group | Michael Alemany Vice President, Digital Transformation Consulting Info-Tech Research Group |
Mike Tweedie brings over 25 years of experience as a technology executive. He’s led several large transformation projects across core infrastructure, application, and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management. Mike holds a Bachelor’s degree in Architecture from Ryerson University. | Michael is a leader in Info-Tech’s digital transformation consulting practice. He brings over 10 years of experience working with companies across a range of industries. His work experience includes ~4.5 years at McKinsey & Company where he led large-scale transformations for Fortune 500 companies. Prior to joining Info-Tech, he worked for Sabre Corp., a SaaS platform provider for the travel and hospitality sector, leading Product Strategy & Operations. Michael holds an MBA from the Tuck School of Business at Dartmouth and a B.S. in Business Strategy from Brigham Young University. |
Duane Cooney Executive Counselor, Healthcare Info-Tech Research Group | Denis Goulet Senior Workshop Director Info-Tech Research Group |
Duane brings over 30 years of experience as a healthcare IT leader with a passion for the transformation of people, processes, and technology. He has led large-scale health technology transformation and operations across the enterprise. Before joining Info-Tech, Duane served as the Deputy CIO, Senior Information Technology Director, and Enterprise Architect for both public not-for-profit and private sectors. He has a Bachelor’s in Computer Science and is a graduate of EDS Operations. He holds certifications in EHR, LEAN/Agile, ITIL, and PMP. | Denis is an IAF Certified Professional Facilitator who has helped organizations and technology executives develop IT strategies for small to large global enterprises. He firmly believes in a collaborative value-driven approach. Prior to joining Info-Tech Research Group, Denis held several industry positions as CIO, Chief Administrative Office (City Manager), General Manager, and Vice President of Engineering. Denis holds an MBA from Queen’s University and a Diploma in Technology Engineering and Executive Municipal Management. |
Jay Cappis Executive Advisor, Real-Estate Info-Tech Research Group | Christine Brick Executive Advisor, Financial Services |
Jay brings over 30 years of experience in management and technology across small and medium enterprises to large global enterprises including Exxon and Xerox. His cross-industry experience includes professional services, commercial real estate, oil and gas, digital start-ups, insurance, and aerospace. Jay has led business process improvements and change management and has expertise in software development lifecycle management and DevOps practices. | Christine brings over 20 years in IT transformation across DevOps, infrastructure, operations, supply chain, IT Strategy, modernization, cost optimization, data management, and operational risk. She brings expertise in business transformation, mergers and acquisitions, vendor selection, and contract management. |
You heard the message before, and yet... and yet it does not sink in.
In July 2019 already, according to retruster:
This is ... this means we, as risk professionals, may be delivering our message the wrong way. So, I really enjoyed my colleague Nick Felix (who got it from Alison Francis) sending me the URL of this video: Enjoy, but mostly: learn, because we want our children to enjoy the fruits of our work.
The complex nature of data investment leads to de-scoping and delivery of data services that do not meet business needs or give value to the business. Subject matter experts are hired to resolve the problem, but their success is impacted by absent architecture, technology, and organizational alignment.
Walking through a book of architecture building plans with a personal guide is cheaper and faster than employing an architect to build and design your home.
Info-Tech's approach provides a proven methodology that includes the following:
Data practice & platform pre-build pattern templates based on Info-Tech data reference patterns and data platform design best practices.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Establish business context and value.
Business context and strategic driver.
1.1 Understand/confirm the organization's strategic goals
1.2 Classify the strategic goals and map to business drivers
1.3 Identify the business capabilities that the strategy focuses on
1.4 Identify the business processes realizing the strategy
Business context and strategic drivers
Prioritized business capabilities and processes
Data culture survey results analysis
Identify your top initiatives.
High-value business-aligned data initiative.
2.1 Highlight data-related outcomes/goals to realize to fulfill the business goal
2.2 Map business data initiatives to the business strategic goals
2.3 Prioritize data initiatives
High-value, business-aligned data initiatives
Analyze data challenges.
Clear understanding of the data challenges.
3.1 Map data challenges to Info-Tech data challenges
3.2 Review Info-Tech data capabilities based on prioritized initiatives
3.3 Discuss data platform and practice next steps
List of data challenges preventing data maturation with the organization
Map data capability.
Prioritized data capability.
4.1 Map data challenges to Info-Tech data challenges
4.2 Review Info-Tech data capabilities based on prioritized initiatives
4.3 Discuss data platform and practice next steps
Required data capabilities
Data platform and practice – plan
Initialized data management RACI
The build or optimization of your data practice and data platform must be predicated on a thorough understanding of the organization’s goals, objectives, and priorities and the business capabilities and processes they are meant to support and enable.
Formalizing your practice or constructing your platform just for the sake of doing so often results in an initiative that is lengthy, costly, fizzles out, does not deliver business value, and ends up being considered a failure.
Leverage Info-Tech’s approach and incorporate our pre-built models and patterns to effectively navigate that crucial and often difficult phase upfront of comprehensively defining business data needs so you can ultimately realize faster time-to-delivery of your overall data practice and platform.
Rajesh Parab
Crystal Singh
Situation | Complication | Resolution
The true value of data comes from defining intentional relationships between the business and the data through a well thought out data platform and practice.
I can’t access the data. I don’t trust the data in the report. It takes too long to get to the data for decision making.
Use the road-tested patterns and frameworks in our blueprint to break the perpetual data solution cycle. Focus on the value that a data and analytics platform will bring rather than focusing on the data problems alone.
Build Your Data Practice and Platform
Bring Your Data Strategy to Life
CONVENTIONAL WISDOM
Attempting to Solve Your Data Problems
BREAK THE CYCLE
Solving Your Data Problems
CONTINUOUS PHASE: ROADMAP, SPONSORSHIP FEEDBACK AND DELIVERY
Develop a roadmap to establish the practice and implement the architecture as designed. Ensure continuous alignment of the practice and architecture with the business landscape.
Phase-by-Phase Approach
Only 14.29% of Transportation and Logistics respondents agree BI and Analytics Process and Technology are sufficient
What is a diagnostic?
Our diagnostics are the simplest way to collect the data you need, turn it into actionable insights, and communicate with stakeholders across the organization.
52.54% of respondents from the healthcare industry are unaware of their organization’s data security policy
Ask the Right Questions
Use our low-effort surveys to get the data you need from stakeholders across the organization.
Use Our Diagnostic Engine
Our diagnostic engine does all the heavy lifting and analysis, turning your data into usable information.
Communicate & Take Action
Wow your executives with the incredible insights you've uncovered. Then, get to action: make IT better.
On average only 40% agree that they have the reporting when needed
(Source: Info-Tech’s Data Culture Diagnostic, 53 Organizations, 3138 Responses)
35% of respondents feel that a governance body is in place looking at strategic data
Build a Data-Driven Strategy Using Info-Tech Diagnostic Programs
Make informed IT decisions by starting your diagnostic program today. Your account manager is waiting to help you.
The first step is to align business strategy with data strategy and then start building your data practice and data platform
DIY Toolkit | Guided Implementation | Workshop | Consulting |
---|---|---|---|
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |

Diagnostics and consistent frameworks used throughout all four options
| Phase 1 – Define Your Data Requirements and Conduct Your Data Discovery | Phase 2 – Design Your Data Practices | Phase 3 – Architect Your Data Platform |
---|---|---|---|
Phase Steps | | | |
Phase Outcomes | Business-aligned data initiatives and capabilities that address data challenges and realize business strategic objectives | Comprehensive data practice design based on the required business and data capabilities | Data platform design based on Info-Tech data architecture reference pattern and prioritized data initiatives and capabilities |
Workshop Overview
Contact your account representative for more information.
Info-Tech’s Workshop support for Build Your Data Practice and Platform.
Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
Workshop 1 | Workshop 2 | Workshop 3
Workshop 1:
| Day 1 | Day 2 | Day 3 | Day 4 |
---|---|---|---|---|
| Establish Business Context and Value | Identify Your Top Initiatives | Analyze Data Challenges | Map Data Capability |
Activities | 1.1 Understand/confirm your organization’s strategic goals 1.2 Classify the strategic goals and map to business drivers 1.3 Identify the business capabilities that the strategy focus is on 1.4 Identify the business processes realizing the strategy | 2.1 Highlight data-related outcomes/goals to realize to fulfill the business goal 2.2 Map business data initiatives to the business strategic goals 2.3 Prioritize data initiatives | 3.1 Understand data management capabilities and framework 3.2 Classify business data requirements using Info-Tech’s classification approach 3.3 Highlight data challenges in your current environment | 4.1 Map data challenges to Info-Tech data challenges 4.2 Review Info-Tech data capabilities based on prioritized initiative 4.3 Discuss data platform and practice next steps |
Deliverables | | | | |
Participants | Business stakeholder, Business leader Business Subject Matter Expert, Data IT sponsor (CIO), Head of Data, Data Architect | Business stakeholder, Business leader Business Subject Matter Expert, Data IT sponsor (CIO), Head of Data, Data Architect | Data experts, Business Subject Matter Expert, Head of Data, Data Architect | Data experts, Business Subject Matter Expert, Head of Data, Data Architect |
Workshop 2:

| Day 1 | Day 2 | Day 3 | Day 4 |
---|---|---|---|---|
| Plan Your Data Practices | Design Your Data Practices 1 | Design Your Data Practices 2 | Design Your Data Practices 3 |
Activities | Prerequisite: Business context, business data requirement, and data capabilities 1.1 Understand data practice framework 1.2 Define your practice implementation approach 1.3 Review and update data management RACI | 2.1 Understand Info-Tech data practice patterns for each prioritized practice 2.2 Define your practice setup for each prioritized practice 2.3 Highlight critical processes for each practice | 3.1 Understand Info-Tech data practice patterns for each prioritized practice 3.2 Define your practice setup for each prioritized practice 3.3 Highlight critical processes for each practice | 4.1 Understand Info-Tech data practice patterns for each prioritized practice 4.2 Define your practice setup for each prioritized practice 4.3 Highlight critical processes for each practice 4.4 Discuss data platform and practice next steps |
Deliverables | | | | |
Participants | Data experts, Business Subject Matter Expert, Head of Data, Data Architect | Data experts, Business Subject Matter Expert, Head of Data, Data Architect | Data experts, Business Subject Matter Expert, Head of Data, Data Architect | Data experts, Business Subject Matter Expert, Head of Data, Data Architect |
Workshop 3:

| Day 1 | Day 2 | Day 3 | Day 4 |
---|---|---|---|---|
| Data Platform Overview | Update Data Platform Reference Architecture | Design Your Data Platform | Design Your Data Practices 4 |
Activities | Prerequisite: Business context, business data requirement, and data capabilities 1.1 Understand data platform framework and data capabilities 1.2 Understand key data architecture principles and best practices 1.3 Shortlist data platform patterns | 2.1 Map and identify data capabilities to data platform components 2.2 Build data platform architecture using Info-Tech data platform reference architecture 2.3 Highlight critical processes for each practice | 3.1 Design your target data platform using Info-Tech’s data platform template 3.2 Identify new capabilities and components in your platform design | 4.1 Identify new capabilities and component in your platform design 4.2 Discuss data platform initiatives |
Deliverables | | | | |
Participants | Data experts, Business Subject Matter Expert, Head of Data, Data Architect | Data experts, Business Subject Matter Expert, Head of Data, Data Architect | Data experts, Business Subject Matter Expert, Head of Data, Data Architect | Data experts, Business Subject Matter Expert, Head of Data, Data Architect |
Phase 1: 1.1 Define Your Data Requirements | Phase 2 | Phase 3
A blend of business leaders and business SMEs together with the Data Strategy team.
Key personnel from IT/Data team (Data Architect, Data Engineers, Head of Reporting and Analytics).
Most organizations go through an organizational redesign to:
The purpose of this storyboard is to provide a four-phased approach to organizational redesign.
Use this templated Communication Deck to ensure impacted stakeholders have a clear understanding of why the new organizational structure is needed and what that structure will look like.
This template provides IT leaders with an opportunity to present their case for a change in organizational structure and roles to secure the funding and buy-in required to operate in the new structure.
This Workbook allows IT and business leadership to work through the steps required to complete the organizational redesign process and document key rationale for those decisions.
Refer to this tool when working through the redesign process to better understand the operating model sketches and the capability definitions. Each capability has been tied back to core frameworks that exist within the information and technology space.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Lay the foundation for your organizational redesign by establishing a set of organizational design principles that will guide the redesign process.
Clearly articulate why this organizational redesign is needed and the implications the strategies and context will have on your structure.
1.1 Define the org design drivers.
1.2 Document and define the implications of the business context.
1.3 Align the structure to support the strategy.
1.4 Establish guidelines to direct the organizational design process.
Clear definition of the need to redesign the organizational structure
Understanding of the business context implications on the organizational structure creation.
Strategic impact of strategies on organizational design.
Customized Design Principles to rationalize and guide the organizational design process.
Select and customize an operating model sketch that will accurately reflect the future state your organization is striving towards. Consider how capabilities will be sourced, gaps in delivery, and alignment.
A customized operating model sketch that informs what capabilities will make up your IT organization and how those capabilities will align to deliver value to your organization.
2.1 Augmented list of IT capabilities.
2.2 Capability gap analysis
2.3 Identified capabilities for outsourcing.
2.4 Select a base operating model sketch.
2.5 Customize the IT operating model sketch.
Customized list of IT processes that make up your organization.
Analysis of which capabilities require dedicated focus in order to meet goals.
Definition of why capabilities will be outsourced and the method of outsourcing used to deliver the most value.
Customized IT operating model reflecting sourcing, centralization, and intended delivery of value.
Translate the operating model sketch into a formal structure with defined functional teams, roles, reporting structure, and responsibilities.
A detailed organizational chart reflecting team structures, reporting structures, and role responsibilities.
3.1 Categorize your IT capabilities within your defined functional work units.
3.2 Create a mandate statement for each work unit.
3.3 Define roles inside the work units and assign accountability and responsibility.
3.4 Finalize your organizational structure.
Capabilities Organized Into Functional Groups
Functional Work Unit Mandates
Organizational Chart
Ensure the successful implementation of the new organizational structure by strategically communicating and involving stakeholders.
A clear plan of action on how to transition to the new structure, communicate the new organizational structure, and measure the effectiveness of the new structure.
4.1 Identify and mitigate key org design risks.
4.2 Define the transition plan.
4.3 Create the change communication message.
4.4 Create a standard set of FAQs.
4.5 Align sustainment metrics back to core drivers.
Risk Mitigation Plan
Change Communication Message
Standard FAQs
Implementation and sustainment metrics.
Allison Straker
Research Director,
Organizational Transformation
Brittany Lutes
Senior Research Analyst,
Organizational Transformation
An organizational structure is much more than a chart with titles and names. It defines the way that the organization operates on a day-to-day basis to enable the successful delivery of the organization’s information and technology objectives. Moreover, organizational design sees beyond the people that might be performing a specific role. People and role titles will and often do change frequently. Those are the dynamic elements of organizational design that allow your organization to scale and meet specific objectives at defined points of time. Capabilities, on the other hand, are focused and related to specific IT processes.
Redesigning an IT organizational structure can be a small or large change transformation for your organization. Create a structure that is equally mindful of the opportunities and the constraints that might exist and ensure it will drive the organization towards its vision with a successful implementation. If everyone understands why the IT organization needs to be structured that way, they are more likely to support and adopt the behaviors required to operate in the new structure.
Your organization needs to reorganize itself because:
Many organizations struggle when it comes to redesigning their IT organizational structure because they:
Successful IT organization redesign includes:
A successful redesign requires a strong foundation and a plan to ensure successful adoption. Without these, the organizational chart has little meaning or value.
Organizational design is a challenge for many IT and digital executives
69% of digital executives surveyed indicated challenges related to structure, team silos, business-IT alignment, and required roles when executing on a digital strategy.
To overcome these barriers:
75% The percentage of change efforts that fail.
55% The percentage of practitioners who identify how information flows between work units as a challenge for their organization.
IT organizational design refers to the process of aligning the organization’s structure, processes, metrics, and talent to the organization’s strategic plan to drive efficiency and effectiveness.
Why is the right IT organizational design so critical to success?

Adaptability is at the core of staying competitive today | Structure is not just an organizational chart | Organizational design is a never-ending process |
---|---|---|
Digital technology and information transparency are driving organizations to reorganize around customer responsiveness. To remain relevant and competitive, your organizational design must be forward looking and ready to adapt to rapid pivots in technology or customer demand. | The design of your organization dictates how roles function. If not aligned to the strategic direction, the structure will act as a bungee cord and pull the organization back toward its old strategic direction (ResearchGate.net, 2014). Structure supports strategy, but strategy also follows structure. | Organization design is not a one-time project but a continuous, dynamic process of organizational self-learning and continuous improvement. Landing on the right operating model will provide a solid foundation to build upon as the organization adapts to new challenges and opportunities. |
Organizational design is the process in which you intentionally align the organizational structure to the strategy. It considers the way in which the organization should operate and purposely aligns to the enterprise vision. This process often considers centralization, sourcing, span of control, specialization, authority, and how those all impact or are impacted by the strategic goals.
Operating models provide an architectural blueprint of how IT capabilities are organized to deliver value. The placement of the capabilities can alter the culture, delivery of the strategic vision, governance model, team focus, role responsibility, and more. Operating model sketches should be foundational to the organizational design process, providing consistency through org chart changes.
The organizational structure is the chosen way of aligning the core processes to deliver. This can be strategic, or it can be ad hoc. We recommend you take a strategic approach unless ad hoc aligns to your culture and delivery method. A good organizational structure will include: “someone with authority to make the decisions, a division of labor and a set of rules by which the organization operates” (Bizfluent, 2019).
The capstone of this change initiative is an easy-to-read chart that visualizes the roles and reporting structure. Most organizations use this to depict where individuals fit into the organization and if there are vacancies. While this should be informed by the structure, it does not necessarily depict workflows that will take place. Moreover, this is the output of the organizational design process.
All three elements of the Technology Value Trinity work in harmony to deliver business value and achieve strategic needs. As one changes, the others need to change as well.
How do these three elements relate?
Too often strategy, organizational design, and governance are considered separate practices – strategies are defined without teams and resources to support. Structure must follow strategy.
Like a story, a strategy without a structure to deliver on it is simply words on paper.
Books begin by setting the foundation of the story.
Introduce your story by:
The plot cannot thicken without the foundation. Your organizational structure and chart should not exist without one either.
The steps to establish your organizational chart - with functional teams, reporting structure, roles, and responsibilities defined – cannot occur without a clear definition of goals, need, and context. An organizational chart alone won’t provide the insight required to obtain buy-in or realize the necessary changes.
Conclude your story through change management and communication.
Good stories don’t end without referencing what happened before. Use the literary technique of foreshadowing – your change management must be embedded throughout the organizational redesign process. This will increase the likelihood that the organizational structure can be communicated, implemented, and reinforced by stakeholders.
Once your IT strategy is defined, it is critical to identify the capabilities that are required to deliver on those strategic initiatives. Each initiative will require a combination of these capabilities that are only supported through the appropriate organization of roles, skills, and team structures.
For each phase of this blueprint, it's important to consider change management. These are the points when you need to communicate the structure changes:
Do not undertake an organizational redesign initiative if you will not engage in change management practices that are required to ensure its successful adoption.
Given that the organizational redesign is intended to align with the overall vision and objectives of the business, many of the metrics that support its success will be tied to the business. Adapt the key performance indicators (KPIs) that the business is using to track its success and demonstrate how IT can enable the business and improve its ability to reach those targets.
The percentage of resources dedicated to strategic priorities and initiatives supported by IT operating model. While operational resources are necessary, ensuring people are allocating time to strategic initiatives as well will drive the business towards its goal state. Leverage Info-Tech’s IT Staffing Assessment diagnostic to benchmark your IT resource allocation.
Assess the improvement in business satisfaction overall with IT year over year to ensure the new structure continues to drive satisfaction across all business functions. Leverage Info-Tech’s CIO Business Vision diagnostic to see how your IT organization is perceived.
The degree of clarity that IT employees have around their role and its core responsibilities can lead to employee engagement and retention. Consider measuring this core job driver by leveraging Info-Tech’s Employee Engagement Program.
Measure customer satisfaction with technology-enabled business services or products and improvements in technology-enabled client acquisition or retention processes. Assess the percentage of users satisfied with the quality of IT service delivery and leverage Info-Tech’s End-User Satisfaction Survey to determine improvements.
Phase | 1. Establish the Organizational Design Foundation | 2. Create the Operating Model Sketch | 3. Formalize the Organizational Structure | 4. Plan for Implementation and Change |
---|---|---|---|---|
Phase Outcomes | Lay the foundation for your organizational redesign by establishing a set of organizational design principles that will guide the redesign process. | Select and customize an operating model sketch that will accurately reflect the future state your organization is striving towards. Consider how capabilities will be sourced, gaps in delivery, and alignment. | Translate the operating model sketch into a formal structure with defined functional teams, roles, reporting structure, and responsibilities. | Ensure the successful implementation of the new organizational structure by strategically communicating and involving stakeholders. |
Organizational redesign processes focus on defining the ways in which you want to operate and deliver on your strategy – something an organizational chart will never be able to convey.
Focus on your organization, not someone else's. Benchmarking your organizational redesign to other organizations will not work. Other organizations have different strategies, drivers, and context.
An operating model sketch that is customized to your organization’s specific situation and objectives will significantly increase the chances of creating a purposeful organizational structure.
If you follow the steps outlined in the first three phases, creating your new organizational chart should be one of the fastest activities.
Throughout the creation of a new organizational design structure, it is critical to involve the individuals and teams that will be impacted.
You could have the best IT employees in the world, but if they aren’t structured well your organization will still fail in reaching its vision.
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Communication Deck
Communicate the changes to other key stakeholders such as peers, managers, and staff.
Workbook
As you work through each of the activities, use this workbook as a place to document decisions and rationale.
Reference Deck
Definitions for every capability, base operating model sketches, and sample organizational charts aligned to those operating models.
Job Descriptions
Key deliverable:
Executive Presentation
Leverage this presentation deck to gain executive buy-in for your new organizational structure.
INDUSTRY: Government
SOURCE: Analyst Interviews and Working Sessions
IT was tasked with providing equality to the different business functions through the delivery of shared IT services. The government created a new IT organizational structure with a focus on two areas in particular: strategic and operational support capabilities.
When creating the new IT structure, an understanding of the complex and differing needs of the business functions was not reflected in the shared services model.
As a result, the new organizational structure for IT did not ensure adequate meeting of business needs. Only the operational support structure was successfully adopted by the organization as it aligned to the individual business objectives. The strategic capabilities aspect was not aligned to how the various business lines viewed themselves and their objectives, causing some partners to feel neglected.
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Diagnostics and consistent frameworks are used throughout all four options.
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 8 to 12 calls over the course of 4 to 6 months.
Phase 1
Call #1: Define the process, understand the need, and create a plan of action.
Phase 2
Call #2: Define org. design drivers and business context.
Call #3: Understand strategic influences and create customized design principles.
Call #4: Customize, analyze gaps, and define sourcing strategy for IT capabilities.
Call #5: Select and customize the IT operating model sketch.
Phase 3
Call #6: Establish functional work units and their mandates.
Call #7: Translate the functional organizational chart to an operational organizational chart with defined roles.
Phase 4
Call #8: Consider risks and mitigation tactics associated with the new structure and select a transition plan.
Call #9: Create your change message, FAQs, and metrics to support the implementation plan.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
---|---|---|---|---|---|
| Establish the Organizational Redesign Foundation | Create the Operating Model Sketch | Formalize the Organizational Structure | Plan for Implementation and Change | Next Steps and |
Activities | 1.1 Define the org. design drivers. 1.2 Document and define the implications of the business context. 1.3 Align the structure to support the strategy. 1.4 Establish guidelines to direct the organizational design process. | 2.1 Augment list of IT capabilities. 2.2 Analyze capability gaps. 2.3 Identify capabilities for outsourcing. 2.4 Select a base operating model sketch. 2.5 Customize the IT operating model sketch. | 3.1 Categorize your IT capabilities within your defined functional work units. 3.2 Create a mandate statement for each work unit. 3.3 Define roles inside the work units and assign accountability and responsibility. 3.4 Finalize your organizational structure. | 4.1 Identify and mitigate key org. design risks. 4.2 Define the transition plan. 4.3 Create the change communication message. 4.4 Create a standard set of FAQs. 4.5 Align sustainment metrics back to core drivers. | 5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. |
Deliverables | | | | | |
PART 1: DESIGN | PART 2: STRUCTURE | PART 3: IMPLEMENT

IT Organizational Architecture | Organizational Sketch | Organizational Structure | Organizational Chart | Transition Strategy | Implement Structure |
---|---|---|---|---|---|
1. Define the organizational design drivers, business context, and strategic alignment. 2. Create customized design principles. 3. Develop and customize a strategically aligned operating model sketch. 4. Define the future-state work units. 5. Create future-state work unit mandates. | 6. Define roles by work unit. 7. Turn roles into jobs with clear capability accountabilities and responsibilities. 8. Define reporting relationships between jobs. 9. Assess options and select go-forward organizational sketch. | 11. Validate organizational sketch. 12. Analyze workforce utilization. 13. Define competency framework. 14. Identify competencies required for jobs. | 15. Determine number of positions per job 16. Conduct competency assessment. 17. Assign staff to jobs. 18. Build a workforce and staffing plan. | 19. Form an OD implementation team. 20. Develop change vision. 21. Build communication presentation. 22. Identify and plan change projects. 23. Develop organizational transition plan. | 24. Train managers to lead through change. 25. Define and implement stakeholder engagement plan. 26. Develop individual transition plans. 27. Implement transition plans. |
Risk Management: Create, implement, and monitor risk management plan.
HR Management: Develop job descriptions, conduct job evaluation, and develop compensation packages.
Monitor and Sustain Stakeholder Engagement
This phase will walk you through the following activities:
1.1 Define the organizational redesign driver(s)
1.2 Create design principles based on the business context
1.3a (Optional Exercise) Identify the capabilities from your value stream
1.3b Identify the capabilities required to deliver on your strategies
1.4 Finalize your list of design principles
This phase involves the following participants:
Changes are most successful when leaders clearly articulate the reason for the change – the rationale for the organizational redesign of the IT function. Providing both staff and executive leaders with an understanding of this change is imperative to its success. Despite its potential benefits, a redesign can be disruptive. If you are unable to answer the question of why, a redesign might not be the right initiative for your organization.
Employees who understand the rationale behind decisions made by executive leaders are 3.6 times more likely to be engaged.
Successful adoption of the new organizational design requires change management from the beginning. Start considering how you will convey the need for organizational change within your IT organization.
All aspects of your IT organization’s structure should be designed with the business’ context and strategic direction in mind.
Use the following set of slides to extract the key components of your drivers, business context, and strategic direction to land on a future structure that aligns with the larger strategic direction.
Driver(s) can originate from within the IT organization or externally. Ensuring the driver(s) are easy to understand and articulate will increase the successful adoption of the new organizational structure.
The business context defines the interactions that occur throughout the organization and between the organization and external stakeholders. The context provides insight into the environment by defining both the purpose of the organization and the values that frame how it operates.
The IT strategy should be aligned to the overall business strategy, providing insight into the types of capabilities required to deliver on key IT initiatives.
Where are we today?
Determine the current overall maturity level of the IT organization.
Where do we want to be as an organization?
Use the inputs from Info-Tech’s diagnostic data to determine where the organization should be after its reorganization.
How can you leverage these results?
The result of these diagnostics will inform the design principles that you’ll create in this phase.
CIO Business Vision Diagnostic
Management & Governance Diagnostic
Effectiveness is a concern:
New capabilities are needed:
Lack of business understanding
Workforce challenges
Avoid change for change’s sake. Restructuring could completely miss the root cause of the problem and merely create a series of new ones.
1-2 hours
Record the results in the Organizational Design Communications Deck
Business Context Consideration | IT Org. Design Implication |
---|---|
Culture: Culture, “the way we do things here,” has huge implications for executing strategy, driving engagement, and providing a guiding force that ensures organizations can work together toward common goals. | Consider whether your organization’s culture can accept the operating model and organizational structure changes that make sense on paper. Certain cultures may lean toward particular operating models. For example, the demand-develop-service operating model may be supported by a cooperative culture. A traditional organization may lean towards the plan-build-run operating model. Ensure you have considered your current culture and added exercises to support it. |
Workforce Considerations: | If more capacity is required to accomplish the goals of the organization, you’ll want to prepare the leaders and explain the need in your design principles (to reflect training, upskilling, or outsourcing). Unionized environments require additional consideration. They may necessitate less structural changes, and so your principles will need to reflect other alternatives (hiring additional resources, creative options) to support organizational needs. Hybrid or fully remote workforces may impact how your organization interacts. |
Control & Governance: It is important to consider how your organization is governed, how decisions are made, and who has authority to make decisions. Strategy tells what you do, governance validates you’re doing the right things, and structure is how you execute on what’s been approved. | Organizations that require more controls may lean toward more centralized governance. Organizations that are looking to better enable and empower their divisions (products, groups, regions, etc.) may look to embed governance in these parts of the organization. For enterprise organizations, consider where IT has authority to make decisions (at the global, local, or system level). Appropriate governance needs to be built into the appropriate levels. |
Financial Constraints: Follow the money: You may need to align your IT organization according to the funding model. | Determine if you can move forward with a new model or if you can adjust your existing one to suit the financial constraints. If you have no say over your funding, pre-work may be required to build a business case to change your funding model before you look at your organizational structure – without this, you might have to rule out centralized and focus on hybrid/centralized. If you don’t control the budget (funding comes from your partners), it will be difficult to move to a more centralized model. A federated business organization may require additional IT governance to help prioritize across the different areas. Budgets for digital transformation might come from specific areas of the business, so resources may need to be aligned to support that. You’ll have to consider how you will work with those areas. This may also impact the roles that are going to exist within your IT organization – product owners or division owners might have more say. |
Business Perspective of IT: How the business perceives IT and how IT perceives itself are sometimes not aligned. Make sure the business’ goals for IT are well understood. | If IT needs to become more of a business partner, you’ll want to define what that means to your organization and focus on the capabilities to enable this. Educating your partners might also be required if you’re not aligned. For many organizations, this will include stakeholder management, innovation, and product/project management. If IT and its business partners are satisfied with an order-taker relationship, be prepared for the consequences of that. |
Business Organization Structure and Growth: | A global organization will require different IT needs than a single location. Specifically, site reliability engineering (SRE) or IT support services might be deployed in each region. Organizations growing through mergers and acquisitions can be structured differently depending on what the organization needs from the transaction. A more centralized organization may be appropriate if the driver is reuse for a more holistic approach, or the organization may need a more decentralized organization if the acquisitions need to be handled uniquely. |
Sourcing Strategy: | Your sourcing strategy affects your organizational structure, including what capabilities you group together. Since managing outsourced capabilities also includes the need for vendor management, you’ll need to ensure there aren’t too many capabilities required per leader. Look closely at what can be achieved through your operating model if IT is done through other groups. Even though these groups may not be in scope of your organization changes, you need to ensure your IT team works with them effectively. |
Change Tolerance: | If your organization is going to push back if there are big structural changes, consider whether the changes are truly necessary. It may be preferred to take baby steps – use an incremental versus big-bang approach. A need for incremental change might mean not making a major operating model change. |
Stakeholder Engagement & Focus: Identify who your customers and stakeholders are; clarify their needs and engagement model. | For a customer or user focus, ensure capabilities related to understanding needs (stakeholder, UX, etc.) are prioritized. Hybrid, decentralized, or demand-develop-service models often have more of a focus on customer needs. Outsourcing the service desk might be a consideration if there’s a high demand for the service. A differentiation between these users might mean there’s a different demand for services. |
Business Vision, Services, and Products: Articulate what your organization was built to do. | Think broadly in terms of your organizational vision, not just the tactical (widget creation). You might need to choose an operating model that supports vision. Do you need to align your organization with your value stream? Do you need to decentralize specific capabilities to enable prioritization of the key capabilities? |
1-3 hours
Record the results in the Organizational Design Communications Deck
Designing your IT organization requires an assessment of what it needs to be built to do:
The IT organization must reflect your business needs:
1 hour
Record the results in the Organizational Design Communications Deck
Ensure that you have a clear view of the goals and initiatives that are needed in your organization. Your IT, digital, business, and/or other strategies will surface the IT capabilities your organization needs to develop. Identify the goals of your organization and the initiatives that are required to deliver on them. What capabilities are required to enable these? These capabilities will need to be reflected in your design principles.
Sample initiatives and capabilities from an organization’s strategies
1 hour
Record the results in the Organizational Design Communications Deck
Your organizational design principles should define a set of loose rules that can be used to design your organizational structure to the specific needs of the work that needs to be done. These rules will guide you through the selection of the appropriate operating model that will meet your business needs. There are multiple ways you can hypothetically organize yourself to meet these needs, and the design principles will point you in the direction of which solution is the most appropriate as well as explain to your stakeholders the rationale behind organizing in a specific way. This foundational step is critical: one of the key reasons for organizational design failure is a lack of requisite time spent on the front-end understanding what is the best fit.
1-3 hours
Record the results in the Organizational Design Communications Deck
Design Principle | Description |
---|---|
Decision making | We will centralize decision making around the prioritization of projects to ensure that the initiatives driving the most value for the organization as a whole are executed. |
Fit for purpose | We will build and maintain fit-for-purpose solutions based on business units’ unique needs. |
Reduction of duplication | We will reduce role and application duplication through centralized management of assets and clearly differentiated roles that allow individuals to focus within key capability areas. |
Managed security | We will manage security enterprise-wide and implement compliance and security governance policies. |
Reuse > buy > build | We will maximize reuse of existing assets by developing a centralized application portfolio management function and approach. |
Managed data | We will create a specialized data office to provide data initiatives with the focus they need to enable our strategy. |
Controlled technical diversity | We will control the variety of technology platforms we use to allow for increased operability and reduction of costs. |
Innovation | R&D and innovation are critical – we will build an innovation team into our structure to help us meet our digital agenda. |
Resourcing | We will separate our project and maintenance activities to ensure each is given the dedicated support it needs for success and to reduce the firefighting mentality. |
Customer centricity | The new structure will be directly aligned with customer needs – we will have dedicated roles around relationship management, requirements, and strategic roadmapping for business units. |
Interoperability | We will strengthen our enterprise architecture practices to best prepare for future mergers and acquisitions. |
Cloud services | We will move toward hosted versus on-premises infrastructure solutions, retrain our data center team in cloud best practices, and build roles around effective vendor management, cloud provisioning, and architecture. |
This phase will walk you through the following activities:
2.1 Augment the capability list
2.2 Heatmap capabilities to determine gaps in service
2.3 Identify the target state of sourcing for your IT capabilities
2.4 Review and select a base operating model sketch
2.5 Customize the selected overlay to reflect the desired future state
This phase involves the following participants:
Build stakeholders’ desire to move forward with the organizational redesign initiative by involving them in the process. This will assure stakeholders that their concerns are being heard and will help them understand the benefits that can be anticipated from the new organizational structure.
“You’re more likely to get buy-in if you have good reason for the proposed changes – and the key is to emphasize the benefits of an organizational redesign.”
Just because people are aware does not mean they agree. Help different stakeholders understand how the change in the organizational structure is a benefit by specifically stating the benefit to them.
Capabilities
Competencies
1-3 hours
Record the results in the Organizational Design Workbook
Assess the gaps between where you currently are and where you need to be. Evaluate how critical and how effective your capabilities are:
Remember to identify what allows the highly effective capabilities to perform at the level they do. Leverage this when increasing effectiveness elsewhere.
High Gap
There is little to no effectiveness (high gap) and the capability is highly important to your organization.
Medium Gap
Current ability is medium in effectiveness (medium gap) and there might be some priority for that capability in your organization.
Low Gap
Current ability is highly effective (low gap) and the capability is not necessarily a priority for your organization.
1-3 hours
Record the results in the Organizational Design Workbook
There are a few different “types” of outsourcing:
 | Insourcing | Staff Augmentation | Managed Service | Competitive Advantage |
---|---|---|---|---|
Description | The organization maintains full responsibility for the management and delivery of the IT capability or service. | Vendor provides specialized skills and enables the IT capability or service together with the organization to meet demand. | Vendor completely manages the delivery of value for the IT capability, product or service. | Vendor has unique skills, insights, and best practices that can be taught to staff to enable insourced capability and competency. |
Benefits | | | | |
Drawbacks | | | | |
Capability | Capacity | Outsourcing Model |
---|---|---|
Low | Low | Your solutions may be with you for a long time, so it doesn’t matter whether it is a strategic decision to outsource development or if you are not able to attract the talent required to deliver in your market. Look for a studio, agency, or development shop that has a proven reputation for long-term partnership with its clients. |
Low | High | Your team has capacity but needs to develop new skills to be successful. Look for a studio, agency, or development shop that has a track record of developing its customers and delivering solutions. |
High | Low | Your organization knows what it is doing but is strapped for people. Look at “body shops” and recruiting agencies that will support short-term development contracts that can be converted to full-time staff or even a wholesale development shop acquisition. |
High | High | You have capability and capacity for delivering on your everyday demands but need to rise to the challenge of a significant, short-term rise in demand on a critical initiative. Look for a major system integrator or development shop with the specific expertise in the appropriate technology. |
Sourcing Criteria | | Description |
---|---|---|
Determine whether you’ll outsource using these criteria | 1. Critical or commodity | Determine whether the component to be sourced is critical to your organization or if it is a commodity. Commodity components, which are either not strategic in nature or related to planning functions, are likely candidates for outsourcing. Will you need to own the intellectual property created by the third party? Are you ok if they reuse that for their other clients? |
 | 2. Readiness to outsource | Identify how easy it would be to outsource a particular IT component. Consider factors such as knowledge transfer, workforce reassignment or reduction, and level of integration with other components. Vendor management readiness – ensuring that you have sufficient capabilities to manage vendors – should also be considered here. |
 | 3. In-house capabilities | Determine if you have the capability to deliver the IT solutions in-house. This will help you establish how easy it would be to insource an IT component. |
 | 4. Ability to attract resources (internal vs. outsourced) | Determine if the capability is one that is easily sourced with full-time, internal staff or if it is a specialty skill that is best left for a third-party to source. |
Determine your sourcing model using these criteria | 5. Cost | Consider the total cost (investment and ongoing costs) of the delivery of the IT component for each of the potential sourcing models for a component. |
 | 6. Quality | Define the potential impact on the quality of the IT component being sourced by the possible sourcing models. |
 | 7. Compliance | Determine whether the sourcing model would fit with regulations in your industry. For example, a healthcare provider would only go for a cloud option if that provider is HIPAA compliant. |
 | 8. Security | Identify the extent to which each sourcing option would leave your organization open to security threats. |
 | 9. Flexibility | Determine the extent to which the sourcing model will allow your organization to scale up or down as demand changes. |
1-3 hours
Record the results in the Organizational Design Workbook
An IT operating model sketch is a visual representation of the way your IT organization needs to be designed and the capabilities it requires to deliver on the business mission, strategic objectives, and technological ambitions. It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint.
The visual should show how the IT organization’s structure is optimized and aligned to deliver the capabilities required to achieve business goals. Additionally, it should clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization. Investing time up front to get the operating model right is critical. This will give you a framework to rationalize future organizational changes, allowing you to be more iterative and your model to change as the business changes.
Every structure decision you make should be based on an identified need, not on a trend. Build your IT organization to enable the priorities of the organization.
 | Centralized | Hybrid | Decentralized |
---|---|---|---|
Advantages | | | |
Disadvantages | | | |
Decentralization can take a number of different forms depending on the products the organization supports and how the organization is geographically distributed. Use the following set of explanations to understand the different types of decentralization possible and when they may make sense for supporting your organizational objectives.
Decentralization by lines of business (LoB) aligns decision making with business operating units based on related functions or value streams. Localized priorities focus the decision making from the CIO or IT leadership team. This form of decentralization is beneficial in settings where each line of business has a unique set of products or services that require specific expertise or flexible resourcing between the teams.
Decentralization by product line organizes your team into operationally aligned product families to improve delivery throughput, quality, and resource flexibility within the family. By adopting this approach, you create stable product teams with the right balance between flexibility and resource sharing. This reinforces value delivery and alignment to enterprise goals within the product lines.
Geographical decentralization reflects a shift from centralized to regional influences. When teams are in different locations, they can experience a number of roadblocks to effective communication (e.g. time zones, regulatory differences in different countries) that may necessitate separating those groups in the organizational structure, so they have the autonomy needed to make critical decisions.
Functional decentralization allows the IT organization to be separated by specialty areas. Organizations structured by functional specialization can often be organized into shared service teams or centers of excellence whereby people are grouped based on their technical, domain, or functional area within IT (Applications, Data, Infrastructure, Security, etc.). This allows people to develop specialized knowledge and skills but can also reinforce silos between teams.
1 hour
Record the results in the Organizational Design Workbook
The following bridges might be necessary to augment your divisions:
Record the results in the Organizational Design Workbook
Document the final operating model sketch in the Communications Deck
This phase will walk you through the following activities:
3.1 Create work units
3.2 Create work unit mandates
3.3 Define roles inside the work units
3.4 Finalize the organizational chart
3.5 Identify and mitigate key risks
This phase involves the following participants:
You don’t have to make the change in one big bang. You can adopt alternative transition plans such as increments or pilots. This allows people to see the benefits of why you are undergoing the change, allows the change message to be repeated and applied to the individuals impacted, and provides people with time to understand their role in making the new organizational structure successful.
“Transformational change can be invigorating for some employees but also highly disruptive and stressful for others.”
Without considering the individual impact of the new organizational structure on each of your employees, the change will undoubtedly fail in meeting its intended goals and your organization will likely fall back into old structured habits.
The organizational sketch is the outline of the organization that encompasses the work units and depicts the relationships among them. It’s important that you create the structure that’s right for your organization, not one that simply fits with your current staff’s skills and knowledge. This is why Info-Tech encourages you to use your operating model as a mode of guidance for structuring your future-state organizational sketch.
The organizational sketch is made up of unique work units. Work units are the foundational building blocks on which you will define the work that IT needs to get done. The number of work units you require and their names will not match your operating model one to one. Certain functional areas will need to be broken down into smaller work units to ensure appropriate leadership and span of control.
A work unit is a functional group or division that has a discrete set of processes or capabilities that it is responsible for, which don’t overlap with any others. Your customized list of IT capabilities will form the building blocks of your work units. Step one in the process of building your structure is grouping IT capabilities together that are similar or that need to be done in concert in the case of more complex work products. The second step is to iterate on these work units based on the organizational design principles from Phase 1 to ensure that the future-state structure is aligned with enablement of the organization’s objectives.
Here is a list of example work units you can use to brainstorm what your organization’s could look like. Some of these overlap in functionality but should provide a strong starting point and hint at some potential alternatives to your current way of organizing.
1-3 hours
Record the results in the Organizational Design Workbook
A group consists of two or more individuals who are working toward a common goal. Group formation is how those individuals are organized to deliver on that common goal. It should take into consideration the levels of hierarchy in your structure, the level of focus you give to processes, and where power is dispersed within your organizational design.
Importance: Balance highly important capabilities with lower priority capabilities
Specialization: The scope of each role will be influenced by specialized knowledge and a dedicated leader
Effectiveness: Group capabilities that increase their efficacy
Span of Control: Identify the right number of employees reporting to a single leader
Smaller organizations will require less specialization simply out of necessity. To function and deliver on critical processes, some people might be asked to wear several hats.
When you say you are looking for a team that is a “jack of all trades,” you are likely exceeding appropriate cognitive loads for your staff and losing productivity to task switching.
Complexity: More complex work should have fewer direct reports. This often means the leader will need to provide lots of support, even engaging in the work directly at times.
Demand: Dynamic shifts in demand require more managerial involvement and therefore should have a smaller span of control, especially if this demand is to support a 24/7 operation.
Competency Level: Skilled employees should require less hands-on assistance and will be in a better position to support the business as a member of a larger team than those who are new to the role.
Purpose: Strategic leaders are less involved in the day-to-day operations of their teams, while operational leaders tend to provide hands-on support, specifically when short-staffed.
Pick your poison…
It’s important to understand the impacts that team design has on your services and products. The solutions that a team is capable of producing are highly dependent on how teams are structured. For example, Conway’s Law tells us that small distributed software delivery teams are more likely to produce modular service architecture, whereas large colocated teams are better able to create monolithic architecture. This doesn’t just apply to software delivery but also to other products and services that IT creates. Note that small distributed teams are not the only way to produce quality products, as they can create their own silos.
The work unit mandate should provide a quick overview of the work unit and be clear enough that any reader can understand why the work unit exists, what it does, and what it is accountable for.
Each work unit will have a unique mandate. Each mandate should be distinguishable enough from your other work units to make it clear why the work is grouped in this specific way, rather than an alternative option. The mandate will vary by organization based on the agreed upon work units, design archetype, and priorities.
Don’t just adopt an example mandate from another organization or continue use of the organization’s pre-existing mandate – take the time to ensure it accurately depicts what that group is doing so that its value-added activities are clear to the larger organization.
The Office of the CIO will be a strategic enabler of the IT organization, driving IT organizational performance through improved IT management and governance. A central priority of the Office of the CIO is to ensure that IT is able to respond to evolving environments and challenges through strategic foresight and a centralized view of what is best for the organization.
The Project Management Office will provide standardized and effective project management practices across the IT landscape, including an identified project management methodology, tools and resources, project prioritization, and all steps from project initiation through to evaluation, as well as education and development for project managers across IT.
The Solutions Development Group will be responsible for the high-quality development and delivery of new solutions and improvements and the production of customized business reports. Through this function, IT will have improved agility to respond to new initiatives and will be able to deliver high-quality services and insights in a consistent manner.
1-3 hours
Record the results in the Organizational Design Workbook
Now that you have identified the main units of work in the target IT organization, it is time to identify the roles that will perform that work. At the end of this step, the key roles will be identified, the purpose statement will be built, and accountability and responsibility for roles will be clearly defined. Make sure that accountability for each task is assigned to one role only. If there are challenges with a role, change the role to address them (e.g. split roles or shift responsibilities).
Do not bias your role design by focusing on your existing staff’s competencies. If you begin to focus on your existing team members, you run the risk of artificially narrowing the scope of work or skewing the responsibilities of individuals based on the way it is, rather than the way it should be.
1-3 hours
Record the results in the Organizational Design Workbook
Despite popular belief, there is no such thing as the Spotify model, and organizations that structured themselves based on the original Spotify drawing might be missing out on key opportunities to obtain productivity from employees.
The primary goal of any product delivery team is to improve the delivery of value for customers and the business based on your product definition and each product’s demand. Each organization will have different priorities and constraints, so your team structure may take on a combination of patterns or may take on one pattern and then transform into another.
Delivery Team Structure Patterns | How Are Resources and Work Allocated? | |
---|---|---|
Functional Roles | Teams are divided by functional responsibilities (e.g. developers, testers, business analysts, operations, help desk) and arranged according to their placement in the software development lifecycle (SDLC). | Completed work is handed off from team to team sequentially as outlined in the organization’s SDLC. |
Shared Service and Resource Pools | Teams are created by pulling the necessary resources from pools (e.g. developers, testers, business analysts, operations, help desk). | Resources are pulled whenever the work requires specific skills or pushed to areas where product demand is high. |
Product or System | Teams are dedicated to the development, support, and management of specific products or systems. | Work is directly sent to the teams who are directly managing the product or directly supporting the requester. |
Skills and Competencies | Teams are grouped based on skills and competencies related to technology (e.g. Java, mobile, web) or familiarity with business capabilities (e.g. HR, Finance). | Work is directly sent to the teams who have the IT and business skills and competencies to complete the work. |
Functional Roles | Shared Service and Resource Pools | Product or System | Skills and Competencies |
---|---|---|---|
When your people are specialists versus having cross-functional skills | Leveraged when specialists such as Security or Operations will not have full-time work on the product | When you have people with cross-functional skills who can self-organize around a product’s needs | When you have a significant investment in a specific technology stack |
For more information about delivering in a product operating model, refer to our Deliver Digital Products at Scale blueprint.
1-3 hours
Record the results in the Organizational Design Workbook & Executive Communications Deck
Every organizational structure will include certain risks that should have been considered and accepted when choosing the base operating model sketch. Now that the final organizational structure has been created, consider whether it mitigates those risks. For any risks that weren’t mitigated, have a tactic to control them.
1-3 hours
Record the results in the Organizational Design Workbook
This phase will walk you through the following activities:
4.1 Select a transition plan
4.2 Establish the change communication messages
4.3 Be consistent with a standard set of FAQs
4.4 Define org. redesign resistors
4.5 Create a sustainment plan
This phase involves the following participants:
Change management is:
Managing a change that requires replanning and reorganizing and that causes people to feel like they have lost control over aspects of their jobs. – Padar et al., 2017
People Process Technology
PREPARE | A | Awareness: Establish the need for organizational redesign and ensure this is communicated well. |
| D | Desire: Ensure the new structure is something people are seeking and will lead to individual benefits for all. |
TRANSITION | K | Knowledge: Provide stakeholders with the tools and resources to function in their new roles and reporting structure. |
| A | Ability: Support employees through the implementation and into new roles or teams. |
FUTURE | R | Reinforcement: Emphasize and reward positive behaviors and attitudes related to the new organizational structure. |
This blueprint is mostly focused on the prepare and transition components.
Implementation Plan
Transition Plan: Identify the appropriate approach to making the transition, and ensure the transition plan works within the context of the business.
Communication Strategy: Create a method to ensure consistent, clear, and concise information can be provided to all relevant stakeholders.
Plan to Address Resistance: Given that not everyone will be happy to move forward with the new organizational changes, ensure you have a method to hear feedback and demonstrate concerns have been heard.
Employee Development Plan: Provide employees with tools, resources, and the ability to demonstrate these new competencies as they adjust to their new roles.
Monitor and Sustain the Change: Establish metrics that inform if the implementation of the new organizational structure was successful and reinforce positive behaviors.
As a result, your organization must adopt OCM practices to better support the acceptance and longevity of the changes being pursued.
Incremental Change | Transformational Change |
---|---|
Organizational change management is highly recommended and beneficial for projects that require people to: | Organizational change management is required for projects that require people to: |
How you transition to the new organizational structure can be heavily influenced by HR. This is the time to include them and leverage their expertise to support the “how” of the transition.
| Description | Pros | Cons | Example |
---|---|---|---|---|
Big Bang Change | Change that needs to happen immediately – “ripping the bandage off.” | | | A tsunami in Japan stopped all imports and exports. Auto manufacturers were unable to get parts shipped and had to immediately find an alternative supplier. |
Incremental Change | The change can be rolled out slower, in phases. | | | A change in technology, such as HRIS, might be rolled out one application at a time to ensure that people have time to learn and adjust to the new system. |
Pilot Change | The change is rolled out for only a select group, to test and determine if it is suitable to roll out to all impacted stakeholders. | | | A retail store is implementing a new incentive plan to increase product sales. They will pilot the new incentive plan at select stores, before rolling it out broadly. |
1-3 hours
Record the results in the Organizational Design Workbook
Success of your new organizational structure hinges on adequate preparation and effective communication.
The top challenge facing organizations in completing the organizational redesign is their organizational culture and acceptance of change. Effective planning for the implementation and communication throughout the change is pivotal. Make sure you understand how the change will impact staff and create tailored plans for communication.
65% of managers believe the organizational change is effective when provided with frequent and clear communication.
Leaders of successful change spend considerable time developing a powerful change message, i.e. a compelling narrative that articulates the desired end state, and that makes the change concrete and meaningful to staff.
The organizational change message should:
2 hours
Record the results in the Organizational Design Workbook
Be Clear | Be Consistent | Be Concise | Be Relevant |
As a starting point for building an IT organizational design implementation, look at implementing an FAQ that will address the following:
Questions to consider answering:
1 hour
Record the results in the Organizational Design Workbook
People resist changes for many reasons. When it comes to organizational redesign changes, some of the most common reasons people resist change include a lack of understanding, a lack of involvement in the process, and fear.
Assess employee to determine competency levels and interests.
Employee drafts development goals; manager reviews.
Manager helps with selection of development activities.
Manager provides ongoing check-ins, coaching, and feedback.
Sustain the change by following through with stakeholders, gathering feedback, and ensuring that the change rationale and impacts are clearly understood. Failure to do so increases the potential that the change initiative will fail or be a painful experience and cost the organization in terms of loss of productivity or increase in turnover rates.
Obtaining qualitative feedback from employees, customers, and business partners can provide insight into where the new organizational structure is operating optimally versus where there are further adjustments that could be made to support the change.
1 hour
Record the results in the Organizational Design Workbook
Jardena London
Transformation Catalyst, Rosetta Technology Group
Jodie Goulden
Consultant | Founder, OrgDesign Works
Shan Pretheshan
Director, SUPA-IT Consulting
Chris Briley
CIO, Manning & Napier
Dean Meyer
President, N. Dean Meyer and Associates Inc.
Jimmy Williams
CIO, Choctaw Nation of Oklahoma
Cole Cioran, Managing Partner
Dana Daher, Research Director
Hans Eckman, Principal Research Director
Ugbad Farah, Research Director
Ari Glaizel, Practice Lead
Valence Howden, Principal Research Director
Youssef Kamar, Senior Manager, Consulting
Carlene McCubbin, Practice Lead
Baird Miller, Executive Counsellor
Josh Mori, Research Director
Rajesh Parab, Research Director
Gary Rietz, Executive Counsellor
“A Cheat Sheet for HR Professionals: The Organizational Development Process.” AIHR, 2021. Web.
Acharya, Ashwin, Roni Lieber, Lissa Seem, and Tom Welchman. “How to identify the right ‘spans of control’ for your organization.” McKinsey, 21 December 2017. Web.
Anand, N., and Jean-Louis Barsoux. “What everyone gets wrong about change management.” Harvard Business Review, December 2017. Web.
Atiken, Chris. “Operating model design-first principles.” From Here On, 24 August 2018. Web.
“Avoid common digital transformation challenges: Address your IT Operating Model Now.” Sofigate, 5 May 2020. Web.
Baumann, Oliver, and Brian Wu. “The many dimensions of research on designing flat firms.” Journal of Organizational Design, no. 3, vol. 4. 09 May 2022. Web.
Bertha, Michael. “Cross the project to product chasm.” CIO, 1 May 2020. Web.
Blenko, Marcia, and James Root. “Design Principles for a Robust Operating Model.” Bain & Company, 8 April 2015. Web.
Blenko, Marcia, Leslie Mackrell, and Kevin Rosenberg. “Operating models: How non-profits get from strategy to results.” The Bridgespan Group, 15 August 2019. Web.
Boulton, Clint. “PVH finds perfect fit in hybrid IT operating model amid pandemic.” CIO, 19 July 2021. Web.
Boulton, Clint. “Why digital disruption leaves no room for bimodal IT.” CIO, 11 May 2017. Web.
Bright, David, et al. “Chapter 10: Organizational Structure & Change.” Principles of Management, OpenStax, Rice University, 20 March 2019. Book.
Campbell, Andrew. “Design Principles: How to manage them.” Ashridge Operating Models. 1 January 2022. Web.
D., Maria. “3 Types of IT Outsourcing Models and How to Choose Between Them.” Cleveroad, 29 April 2022. Web.
Devaney, Erik. “9 Types of Organizational Structure Every Company Should Consider.” HubSpot, 11 February 2022. Web.
Devaney, Erik. “The six building blocks of organizational structure.” HubSpot, 3 June 2020. Web.
Eisenman, M., S. Paruchuri, and P. Puranam. “The design of emergence in organizations.” Journal of Organization Design, vol. 9, 2020. Web.
Forbes Business Development Council. “15 Clear Signs It’s Time to Restructure the Business.” Forbes, 10 February 2020. Web.
Freed, Joseph. “Why Cognitive Load Could Be The Most Important Employee Experience Metric In The Next 10 Years.” Forbes, 30 June 2020. Web.
Galbraith, Jay. “The Star Model.” JayGalbraith.com, n.d. Web.
Girod, Stéphane, and Samina Karim. “Restructure or reconfigure?” Harvard Business Review, April 2017. Web.
Goldman, Sharon. “The need for a new IT Operating Model: Why now?” CIO, 27 August 2019. Web.
Halapeth, Milind. “New age IT Operating Model: Creating harmony between the old and the new.” Wipro, n.d. Web.
Harvey, Michelle. “Why a common operating model is efficient for business productivity.” CMC, 10 May 2020. Web.
Helfand, Heidi. “Dynamic Reteaming.” O’Reilly Media, 7 July 2020. Book.
Heller, Martha. “How Microsoft CIO Jim DuBois changed the IT Operating Model.” CIO, 2 February 2016. Web.
Heller, Martha. “How Stryker IT Shifted to a global operating model.” CIO, 19 May 2021. Web.
Heller, Michelle. “Inside blue Shields of California’s IT operating model overhaul.” CIO, 24 February 2021. Web.
Hessing, Ted. “Value Stream Mapping.” Six Sigma Study Guide, 11 April 2014. Web.
Huber, George, P. “What is Organization Design.” Organizational Design Community, n.d. Web.
Indeed Editorial Team. “5 Advantages and Disadvantages of the Matrix Organizational Structure.” Indeed, 23 November 2020. Web.
Indeed Editorial Team. “How to plan an effective organization restructure.” Indeed, 10 June 2021. Web.
“Insourcing vs Outsourcing vs Co-Sourcing.” YML Group, n.d. Web.
“Investing in more strategic roles.” CAPS Research, 3 February 2022. Web.
Jain, Gagan. “Product IT Operating Model: The next-gen model for a digital work.” DevOps, 22 July 2019. Web.
Kane, Gerald, D. Palmer, and Anh Phillips. “Accelerating Digital Innovation Inside and Out.” Deloitte Insights, 4 June 2019. Web.
Krush, Alesia. “IT companies with ‘flat’ structures: utopia or innovative approach?” Object Style, 18 October 2018. Web.
Law, Michael. “Adaptive Design: Increasing Customer Value in Your Organisation.” Business Agility Institute, 5 October 2020. Web.
LucidContent Team. “How to get buy-in for changes to your organizational structure.” Lucidchart, n.d. Web.
Matthews, Paul. “Do you know the difference between competence and capability?” The People Development Magazine, 25 September 2020. Web.
Meyer, Dean N. “Analysis: Common symptoms of organizational structure problems.” NDMA, n.d. Web.
Meyer, N. Dean. “Principle-based Organizational Structure.” NDMA Publishing, 2020. Web.
Morales Pedraza, Jorge. Answer to posting, “What is the relationship between structure and strategy?” ResearchGate.net, 5 March 2014. Web.
Nanjad, Len. “Five non-negotiables for effective organization design change.” MNP, 01 October 2021. Web.
Neilson, Gary, Jaime Estupiñán, and Bhushan Sethi. “10 Principles of Organizational Design.” Strategy & Business, 23 March 2015. Web.
Nicastro, Dom. “Understanding the Foundational Concepts of Organizational Design.” Reworked, 24 September 2020. Web.
Obwegeser, Nikolaus, Tomoko Yokoi, Michael Wade, and Tom Voskes. “7 Key Principles to Govern Digital Initiatives.” MIT Sloan, 1 April 2020. Web.
“Operating Models and Tools.” Business Technology Standard, 23 February 2021. Web.
“Organizational Design Agility: Journey to a combined community.” ODF-BAI How Space, Organizational Design Forum, 2022. Web.
“Organizational Design: Understanding and getting started.” Ingentis, 20 January 2021. Web.
Padar, Katalin, et al. “Bringing project and change management roles into sync.” Journal of Change Management, 2017. Web.
Partridge, Chris. “Evolve your Operating Model- It will drive everything.” CIO, 30 July 2021. Web.
Pijnacker, Lieke. “HR Analytics: role clarity impacts performance.” Effectory, 25 September 2019. Web.
Pressgrove, Jed. “Centralized vs. Federated: Breaking down IT Structures.” Government Technology, March 2020. Web.
Sherman, Fraser. “Differences between Organizational Structure and Design.” Bizfluent, 20 September 2019. Web.
Skelton, Matthew, and Manuel Pais. “Team Cognitive Load.” IT Revolution, 19 January 2021. Web.
Skelton, Matthew, and Manuel Pais. Team Topologies. IT Revolution Press, 19 September 2019. Book.
Spencer, Janet, and Michael Watkins. “Why organizational change fails.” TLNT, 26 November 2019. Web.
Storbakken, Mandy. “The Cloud Operating Model.” VMware, 27 January 2020. Web.
“The Qualities of Leadership: Leading Change.” Cornelius & Associates, 2010. Web.
“Understanding Organizational Structures.” SHRM, 31 August 2021. Web.
“unfix Pattern: Base.” AgilityScales, n.d. Web.
Walker, Alex. “Half-Life: Alyx helped change Valve’s Approach to Development.” Kotaku, 10 July 2020. Web.
“Why Change Management.” Prosci, n.d. Web.
Wittig, Cynthia. “Employees' Reactions to Organizational Change.” OD Practitioner, vol. 44, no. 2, 2012. Web.
Woods, Dan. “How Platforms are neutralizing Conway’s Law.” Forbes, 15 August 2017. Web.
Worren, Nicolay, Jeroen van Bree, and William Zybach. “Organization Design Challenges. Results from a practitioner survey.” Journal of Organizational Design, vol. 8, 25 July 2019. Web.
Internal and external obstacles beyond IT’s control make these challenges with gaining IT budget approval even harder to overcome:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This deck applies Info-Tech’s proven ITFM Cost Model to the IT budgeting process and offers five phases that cover the purpose of your IT budget and what it means to your stakeholders, key budgeting resources, forecasting, selecting and fine-tuning your budget message, and delivering your IT budget executive presentation for approval.
This Excel workbook offers a step-by-step approach for mapping your historical and forecasted IT expenditure and creating visualizations you can use to populate your IT budget executive presentation.
This sample workbook offers a completed example of the “IT Cost Forecasting and Budgeting Workbook” that accompanies the Create a Transparent & Defensible IT Budget blueprint.
This presentation template offers a recommended structure for presenting your proposed IT budget for next fiscal year to your executive stakeholders for approval.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand your IT budget in the context of your organization and key stakeholders, as well as gather your budgeting data and review previous years’ financial performance.
Understand your organization’s budget process and culture.
Understand your stakeholders’ priorities and perspectives regarding your IT budget.
Gain insight into your historical IT expenditure.
Set next fiscal year’s IT budget targets.
1.1 Review budget purpose.
1.2 Understand stakeholders and approvers.
1.3 Gather your data.
1.4 Map and review historical financial performance.
1.5 Rationalize last year’s variances and set next year's budget targets.
Budget process and culture assessment.
Stakeholder alignment assessment and pre-selling strategy.
Data prepared for next steps.
Mapped historical expenditure.
Next fiscal year’s budget targets.
Develop a forecast of next fiscal year’s proposed capital IT expenditure driven by your organization’s strategic projects.
Develop project CapEx forecast according to the four different stakeholder views of Info-Tech’s ITFM Cost Model.
Ensure that no business projects that have IT implications (and their true costs) are missed.
2.1 Review the ITFM Cost Model.
2.2 List projects.
2.3 Review project proposals and costs.
2.4 Map and tally total project CapEx.
2.5 Develop and/or confirm project-business alignment, ROI, and cost-benefit statements.
Confirmed ITFM Cost Model.
A list of projects.
Confirmed list of project proposals and costs.
Forecasted project-based capital expenditure mapped against the four views of the ITFM Cost Model.
Projects financials in line.
Develop a forecast of next fiscal year’s proposed “business as usual” non-project capital and operating IT expenditure.
Develop non-project CapEx and non-project OpEx forecasts according to the four different stakeholder views of Info-Tech’s ITFM Cost Model.
Make “business as usual” costs fully transparent and rationalized.
3.1 Review non-project capital and costs.
3.2 Review non-project operations and costs.
3.3 Map and tally total non-project CapEx and OpEx.
3.4 Develop and/or confirm proposed expenditure rationales.
Confirmation of non-project capital and costs.
Confirmation of non-project operations and costs.
Forecasted non-project-based capital expenditure and operating expenditure against the four views of the ITFM Cost Model.
Proposed expenditure rationales.
Aggregate and sanity-check your forecasts, harden your rationales, and plan/develop the content for your IT budget executive presentation.
Create a finalized proposed IT budget for next fiscal year that offers different views on your budget for different stakeholders.
Select content for your IT budget executive presentation that will resonate with your stakeholders and streamline approval.
4.1 Aggregate forecast totals and sanity check.
4.2 Generate graphical outputs and select content to include in presentation.
4.3 Fine-tune rationales.
4.4 Develop presentation and write commentary.
Final proposed IT budget for next fiscal year.
Graphic outputs selected for presentation.
Rationales for budget.
Content for IT Budget Executive Presentation.
Finalize and polish the IT budget executive presentation.
An approval-ready presentation that showcases your business-aligned proposed IT budget backed up with rigorous rationales.
5.1 Complete in-progress deliverables from previous four days.
5.2 Set up review time for workshop deliverables and to discuss next steps.
Completed IT Budget Executive Presentation.
Review scheduled.
EXECUTIVE BRIEF
It’s that time of year again – budgeting. Most organizations invest a lot of time and effort in a capital project selection process, tack a few percentage points onto last year’s OpEx, do a round of trimming, and call it a day. However, if you want to improve IT financial transparency and get your business stakeholders and the CFO to see the true value of IT, you need to do more than this. Your IT budget is more than a once-a-year administrative exercise. It’s an opportunity to educate, create partnerships, eliminate nasty surprises, and build trust. The key to doing these things rests in offering a range of budget perspectives that engage and make sense to your stakeholders, as well as providing iron-clad rationales that tie directly to organizational objectives. The work of setting and managing a budget never stops – it’s a series of interactions, conversations, and decisions that happen throughout the year. If you take this approach to budgeting, you’ll greatly enhance your chances of creating and presenting a defensible annual budget that gets approved the first time around.
Jennifer Perrier
Your Challenge | Common Obstacles | Info-Tech’s Approach |
---|---|---|
IT struggles to gain budget approval year after year, largely driven by a few key factors: | Internal and external obstacles beyond IT’s control make these challenges even harder to overcome: | CIOs need a straightforward way to create and present an approval-ready budget. |
Info-Tech Insight
CIOs need a straightforward way to create and present an approval-ready IT budget that demonstrates the value IT is delivering to the business and speaks directly to different stakeholder priorities.
| Capability challenges | Administrative challenges | Operating challenges | Visibility challenges | Relationship challenges |
---|---|---|---|---|---|
IT is seen as a cost center, not an enabler or driver of business strategy. | IT leaders are not seen as business leaders. | Economic pressures drive knee-jerk redirection of IT’s budgetary focus from strategic initiatives back to operational tactics. | The vast majority of IT’s | Most business leaders don’t know how many IT resources their business units are really consuming. | Other departments in the organization see IT as a competitor for funding, not a business partner. |
IT and the business aren’t speaking the same language. | IT leaders don’t have sufficient access to information about, or involvement in, business decisions and objectives. | Outmoded finance department expenditure categorizations don’t accommodate IT’s real cost categories. | IT absorbs unplanned spend because business leaders don’t realize or consider the impact of their decisions on IT. | The business doesn’t understand what IT is, what it does, or what it can offer. | IT and the business don’t have meaningful conversations about IT costs, opportunities, or investments. |
Defining and demonstrating the value of IT and its investments isn’t straightforward. | IT leaders may not have the financial literacy or acumen needed to translate IT activities and needs into business terms. | CapEx and OpEx approval and tracking mechanisms are handled separately when, in reality, they’re highly interdependent. | IT activities usually have an indirect relationship with revenue, making value calculations more complicated. | Much of IT, especially infrastructure, is invisible to the business and is only noticed if it’s not working. | The relationship between IT spending and how it supports achievement of business objectives is not clear. |
Lack of transparency
Principle 1: | Principle 2: | Principle 3: |
---|---|---|
The three principles above are all about IT’s changing relationship to the business. IT leaders need a systematic and repeatable approach to budgeting that addresses these principles by:
“The culture of the organization will drive your success with IT financial management.”
– Dave Kish, Practice Lead, IT Financial Management Practice, Info-Tech Research Group
IT budget approval cycle
The Info-Tech difference:
This blueprint provides a framework, method, and templated exemplars for building and presenting your IT budget to different stakeholders. These will speed the approval process and ensure that a higher percentage of your proposed spend is approved.
| 1. Lay Your Foundation | 2. Get Into Budget-Starting Position | 3. Develop Your Forecasts | 4. Build Your Proposed Budget | 5. Create and Deliver Your Budget Presentation |
---|---|---|---|---|---|
Phase steps | | | | | |
Phase outcomes | An understanding of your stakeholders and what your IT budget means to them. | Information and goals for planning next fiscal year’s IT budget. | Completed forecasts for project and non-project CapEx and OpEx. | A final IT budget for proposal including scenario-based alternatives. | An IT budget presentation. |
Overarching insight: Create a transparent and defensible IT budget
CIOs need a straightforward way to create and present an approval-ready IT budget that demonstrates the value IT is delivering to the business and speaks directly to different stakeholder priorities.
Phase 1 insight: Lay your foundation
IT needs to step back and look at its budget-creation process by first understanding exactly what a budget is intended to do and learning what the IT budget means to IT’s various business stakeholders.
Phase 2 insight: Get into budget-starting position
Presenting your proposed IT budget in the context of past IT expenditure demonstrates a pattern of spend behavior that is fundamental to next year’s expenditure rationale.
Phase 3 insight: Develop your forecasts
Forecasting costs according to a range of views, including CapEx vs. OpEx and project vs. non-project, and then positioning it according to different stakeholder perspectives, is key to creating a transparent budget.
Phase 4 insight: Build your proposed budget
Fine-tuning and hardening the rationales behind every aspect of your proposed budget is one of the most important steps for facilitating the budgetary approval process and increasing the amount of your budget that is ultimately approved.
Phase 5 insight: Create and deliver your budget presentation
Selecting the right content to present to your various stakeholders at the right level of granularity ensures that they see their priorities reflected in IT’s budget, driving their interest and engagement in IT financial concerns.
IT Cost Forecasting and Budgeting Workbook
This Excel tool allows you to capture and work through all elements of your IT forecasting from the perspective of multiple key stakeholders and generates compelling visuals to choose from to populate your final executive presentation.
Also download this completed sample:
Sample: IT Cost Forecasting and Budgeting Workbook
IT Budget Executive Presentation Template
Phase 5: Create a focused presentation for your proposed IT budget that will engage your audience and facilitate approval.
IT benefits | Business benefits |
---|---|
Ease budgetary approval and improve its accuracy.
Near-term goals
Long-term goal
In Phases 1 and 2 of this blueprint, we will help you understand what your approvers are looking for and gather the right data and information.
In Phase 3, we will help you forecast your IT costs in terms of four stakeholder views so you can craft a more meaningful IT budget narrative.
In Phases 4 and 5, we will help you build a targeted presentation for your proposed IT budget.
Value you will receive:
“A budget isn’t like a horse and cart – you can’t get in front of it or behind it like that. It’s more like a river…
When developing an annual budget, you have a good idea of what the OpEx will be – last year’s with an annual bump. You know what that boat is like and if the river can handle it.
But sometimes you want to float bigger boats, like capital projects. But these boats don’t start at the same place at the same time. Some are full of holes. And does your river even have the capacity to handle a boat of that size?
Some organizations force project charters by a certain date and only these are included in the following year’s budget. The project doesn’t start until 8-12 months later and the charter goes stale. The river just can’t float all these boats! It’s a failed model. You have to have great governance processes and clear prioritization so that you can dynamically approve and get boats on the river throughout the year.”
– Mark Roman, Managing Partner, Executive Services, Info-Tech Research Group and Former Higher Education CIO
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Phase 1: Lay Your Foundation | Phase 2: Get Into Budget-Starting Position | Phase 3: Develop Your Forecasts | Phase 4: Build Your Proposed Budget | Phase 5: Create and Deliver Your Budget Presentation |
---|---|---|---|---|
Call #1: Discuss the IT budget, processes, and stakeholders in the context of your unique organization. | Call #2: Review data requirements for transparent budgeting. Call #3: Set budget goals and process improvement metrics. | Call #4: Review project CapEx forecasts. Call #5: Review non-project CapEx and OpEx forecasts. | Call #6: Review proposed budget logic and rationales. | Call #7: Identify presentation inclusions and exclusions. Call #8: Review final budget presentation. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 8 to 12 calls over the course of 4 to 6 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
---|---|---|---|---|---|
| Get into budget-starting position | Forecast project CapEx | Forecast non-project CapEx and OpEx | Finalize budget and develop presentation | Next Steps and |
Activities | 1.1 Review budget purpose. 1.2 Understand stakeholders and approvers. 1.3 Gather your data. 1.4 Map and review historical financial performance. 1.5 Rationalize last year’s variances. 1.5 Set next year’s budget targets. | 2.1 Review the ITFM Cost Model. 2.2 List projects. 2.3 Review project proposals and costs. 2.4 Map and tally total project CapEx. 2.5 Develop and/or confirm project-business alignment, ROI, and cost-benefit statements. | 3.1 Review non-project capital and costs. 3.2 Review non-project operations and costs. 3.3 Map and tally total non-project CapEx and OpEx. 3.4 Develop and/or confirm proposed expenditure rationales. | 4.1 Aggregate forecast totals and sanity check. 4.2 Generate graphical outputs and select content to include in presentation. 4.3 Fine-tune rationales. 4.4 Develop presentation and write commentary. | 5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. |
Deliverables | | | | | |
Lay Your | Get Into Budget-Starting Position | Develop Your | Build Your | Create and Deliver Your Presentation |
---|---|---|---|---|
1.1 Understand what your budget is 1.2 Know your stakeholders 1.3 Continuously pre-sell your budget | 2.1 Assemble your resources 2.2 Understand the four views of the ITFM Cost Model 2.3 Review last year’s budget vs. 2.4 Set your high-level goals | 3.1 Develop assumptions and 3.2 Forecast your project CapEx 3.3 Forecast your non-project CapEx and OpEx | 4.1 Aggregate your numbers 4.2 Stress test your forecasts 4.3 Challenge and perfect your | 5.1 Plan your content 5.2 Build your presentation 5.3 Present to stakeholders 5.4 Make final adjustments and submit your IT budget |
This phase will walk you through the following activities:
This phase involves the following participants:
This phase is about understanding the what, why, and who of your IT budget.
“IT finance is more than budgeting. It’s about building trust and credibility in where we’re spending money, how we’re spending money. It’s about relationships. It’s about financial responsibility, financial accountability. I rely on my entire leadership team to all understand what their spend is. We are a steward of other people’s money.”
– Rick Hopfer, CIO, Hawaii Medical Service Association
Most people know what a budget is, but it’s important to understand its true purpose and how it’s used in your organization before you engage in any activity or dialogue about it.
In strictly objective terms:
Simply put, a budget’s fundamental purpose is to plan and communicate how an organization will avoid deficit and debt and remain financially viable while meeting its various accountabilities and responsibilities to its internal and external stakeholders.
“CFOs are not thinking that they want to shut down IT spend. Nobody wants to do that. I always looked at things in terms of revenue streams – where the cash inflow is coming from, where it’s going to, and if I can align my cash outflows to my revenue stream. Where I always got suspicious as a CFO is if somebody can’t articulate spending in terms of a revenue stream. I think that’s how most CFOs operate.”
– Carol Carr, Technical Counselor, Info-Tech Research Group and Former CFO
It’s a competition: The various units in your organization are competing for the biggest piece they can get of the limited projected income pie. It’s a zero-sum game. The organization’s strategic and operational priorities will determine how this projected income is divvied up.
Direct-to-revenue units win: Business units that directly generate revenue often get bigger relative percentages of the organizational budget since they’re integral to bringing in the projected income part of the budget that allows the expenditure across all business units to happen in the first place.
Indirect-to-revenue units lose: Unlike sales units, for example, IT’s relationship to projected income tends to be indirect, which means that IT must connect a lot more dots to illustrate its positive impact on projected income generation.
In financial jargon, IT really is a cost center: This indirect relationship to revenue also explains why the focus of IT budget conversations is usually on the expenditure side of the equation, meaning it doesn’t have a clear positive impact on income.
Contextual metrics like IT spend as a percentage of revenue, IT OpEx as a percentage of organizational OpEx, and IT spend per organizational employee are important baseline metrics to track around your budget, internally benchmark over time, and share, in order to illustrate exactly where IT fits into the broader organizational picture.
Many organizations have an annual budgeting and planning event that takes place during the back half of the fiscal year. This is where all formal documentation around planned projects and proposed spend for the upcoming year is consolidated, culminating in final presentation, adjustment, and approval. It’s basically a consolidation and ranking of organization-wide priorities at the highest level.
If things are running well, this culmination point in the overall budget development and management process is just a formality, not the beginning, middle, and end of the real work. Ideally:
“A well developed and presented budget should be the numeric manifestation of your IT strategy that’s well communicated and understood by your peers. When done right, budgets should merely affirm what’s already been understood and should get approved with minimal pushback.”
– Patrick Gray, TechRepublic, 2020
While not a contract per se, your IT budget is an objective and transparent statement made in good faith that shows:
When it comes to your budget (and all things financial), your job is to be ethical, careful, and wise:
What’s the same everywhere… | What’s unchangeable… | What’s changeable… |
---|---|---|
For right or wrong, most budgeting processes follow these general steps: | There are usually only three things about an organization’s budgeting process that are untouchable and can’t be changed: | Budgeting processes are rarely questioned. It never occurs to most people to challenge this system, even if it doesn’t work. Who wants to challenge the CFO? No one. Review your organization’s budgeting culture to discover the negotiable and non-negotiable constraints. Specifically, look at these potentially-negotiable factors if they’re obstacles to IT budgeting success: |
1 hour
Budgeting area of assessment | Rating (1 = very ineffective, 10 = very effective) | Challenges | Opportunities for change |
---|---|---|---|
Legal and regulatory mandates | 7 | Significant regulation but compliance steps not clear or supported within departments. | Create, communicate, and train management on compliance procedures and align the financial management tools accordingly. |
Accounting rules | 6 | IT not very familiar with them. | Learn more about them and their provisions to see if IT spend can be better represented. |
Timeframes and deadlines | 5 | Finalize capital project plans for next fiscal four months before end of current fiscal. | Explore flexible funding models that allow changes to budget closer to project execution. |
Order of operations | 3 | Setting CapEx before OpEx leads to paring of necessary OpEx based on CapEx commitments. | Establish OpEx first as a baseline and then top up to target budget with CapEx. |
Areas of focus | 6 | Lack of focus on OpEx means incremental budgeting – we don’t know what’s in there. | Perform zero-based budgeting on OpEx every few years to re-rationalize this spend. |
Funding sources and ownership | 4 | IT absorbing unplanned mid-cycle spend due to impact of unknown business actions. | Implement a show-back mechanism to change behavior or as precursor to limited charge-back. |
Review/approval mechanisms | 8 | CFO is fair and objective with information presented but could demand more evidence. | Improve business sponsorship/fronting of new initiative business cases and IT partnership. |
Templates and tools | 2 | Finance budget template largely irrelevant and unreflective of IT: only two relevant categories. | Adjust account buckets over a period of time, starting with SW/HW and cloud breakouts. |
The key to being heard and understood is first to hear and understand the perspective of the people with whom you’re trying to communicate – your stakeholders. This means asking some questions:
The next step of this blueprint shows the perspectives of IT’s key stakeholders and how they’re best able to absorb and accept the important information contained in your IT budget. You will:
There are certain principles, mandates, and priorities that drive your stakeholders; they’ll want to see these reflected in you, your work, and your budget.
What are the CFO’s role and responsibilities?
What’s important to the CFO?
“Often, the CFO sees IT requests as overhead rather than a need. And they hate increasing overhead.”
– Larry Clark, Executive Counselor, Info-Tech Research Group and Former CIO
The CFO carries big responsibilities focused on mitigating organizational risks. It’s not their job to be generous or flexible when so much is at stake. While the CEO appears higher on the organizational chart than the CFO, in many ways the CFO’s accountabilities and responsibilities are on par with, and in some cases greater than, those of the CEO.
Your CFO’s IT budget to-do list: | Remember to: |
---|---|
|
|
Potential challenges | Low trust: Poor financial literacy and historical sloppiness among business unit leaders means that a CFO may come into budget conversations with skepticism. This can put them on the offensive and put you on the defensive. You have to prove yourself. | Competition: You’re not the only department the CFO is dealing with. Everyone is competing for their piece of the pie, and some business unit leaders are persistent. A good CFO will stay out of the politics and not be swayed by sweet talk, but it can be an exhausting experience for them. | Mismatched buckets: IT’s spend classes and categories probably won’t match what’s in Finance’s budget template or general ledger. Annual budgeting isn’t the best time to bring this up. Respect Finance’s categories, but plan to tackle permanent changes at a less busy time. |
---|---|---|---|
Potential opportunities | Build confidence: Engaging in the budgeting process is your best chance to demonstrate your knowledge about the business and your financial acumen. The more that the CFO sees that you get it and are taking it seriously, the more confidence and trust they’ll have in you. | Educate: The CFO will not know as much as you about the role technology could and should play in the organization. Introduce new language around technology focused on capabilities and benefits. This will start to shift the conversation away from costs and toward value. | Initiate alignment: An important governance objective is to change the way IT expenditure is categorized and tracked to better reveal and understand what’s really happening. This process should be done gradually over time, but definitely communicate what you want to do and why. |
What are the CXO’s role and responsibilities?
Like you, the CXO’s job is to help the organization realize its goals and objectives. How each CXO does this is specific to the domain they lead. Variations in roles and responsibilities typically revolve around:
What’s important to the CXO?
Disagreement is common between business-function leaders – they have different primary focus areas, and conflict and misalignment are natural by-products of that fact. It’s also hard to make someone care as much about your priorities as you do. Focus your efforts on sharing and partnering, not converting.
Your CXO’s IT budget to-do list: | Remember to: |
---|---|
|
|
Potential challenges | Different priorities: Other business unit leaders will have bigger concerns than your IT budget. They have their own budget to figure out plus other in-flight issues. The head of sales, for instance, is going to be more concerned with hitting sales goals for this fiscal year than planning for next. | Perceived irrelevance: Some business unit leaders may be completely unaware of how they use IT, how much they use, and how they could use it more or differently to improve their performance. They may have a learning curve to tackle before they can start to see your relationship as collaborative. | Bad track record: If a business unit has had friction with IT in the past or has historically been underserved, they may be hesitant to let you in, may be married to their own solutions, or perhaps do not know how to express what they need. |
---|---|---|---|
Potential opportunities | Start collaborating: You and other business unit leaders have a lot in common. You all share the objective of helping the organization succeed. Focus in on your shared concerns and how you can make progress on them together before digging into your unique challenges. | Practice perspective taking: Be genuinely curious about the business unit, how it works, and how they overcome obstacles. See the organization from their point of view. For now, keep your technologies completely out of the discussion – that will come later on. | Build relationships: You only need to solve one problem for a business unit to change how they think of you. Just one. Find that one thing that will make a real difference – ideally small but impactful – and work it into your budget. |
What are the CEO’s role and responsibilities?
What’s important to the CEO?
Unlike the CFO and CXOs, the CEO is responsible for seeing the big picture. That means they’re operating in the realm of big problems and big ideas – they need to stay out of the weeds. IT is just one piece of that big picture, and your problems and ideas are sometimes small in comparison. Use any time you get with them wisely.
Your CEO’s IT budget to-do list: | Remember to: |
---|---|
|
|
Potential challenges | Lack of interest: Your CEO may just not be enthusiastic about technology. For them, IT is strictly a cost center operating on the margins. If they don’t have a strategic vision that includes technology, IT’s budget will always be about efficiency and cost control and not investment. | Deep hierarchy: The executive-level CIO role isn’t yet pervasive in every industry. There may be one or more non-IT senior management layers between IT and the office of the CEO, as well as other bureaucratic hurdles, which prohibit your direct access. | Uncertainty: What’s happening on the outside will affect what needs to be done on the inside. The CEO has to assess and respond quickly, changing priorities and plans in an instant. An indecisive CEO that’s built an inflexible organization will make it difficult to pivot as needed. |
---|---|---|---|
Potential opportunities | Grow competency: Sometimes, IT just needs to wait it out. The biggest shifts in technology interest often come with an outright change in the organization’s leadership. In the meantime, fine-tune your operational excellence, brush up on business skills, and draft out your best ideas on paper. | Build partnerships: Other business-function executives may need to be IT’s voice. Investment proposals may be more compelling coming from them anyway. Behind-the-scenes partnerships and high-profile champions are something you want regardless of your degree of CEO access. | Bake in resilience: Regardless of who’s at the helm, systematic investment in agile and flexible solutions that can be readily scaled, decoupled, redeployed, or decommissioned is a good strategy. Use recent crises to help make the strategic case for a more resilient posture. |
The CFO expense view, CXO business view, and CEO innovation view represent IT’s stakeholders. The CIO service view, however, represents you, the IT budget creator. This means that the CIO service view plays a slightly different role in developing your IT budget communications.
An IT team effort… | A logical starting point | A supporting view |
---|---|---|
Most budget drafts start with internal IT management discussion. These managers are differentially responsible for apps dev and maintenance, service desk and user support, networks and data center, security, data and analytics, and so forth. | These common organizational units and their managers tend to represent discrete IT service verticals. This means the CIO service view is a natural structural starting point for your budget-building process. Stakeholder views of your budget will be derived from this first view. | You probably don’t want to lead your budget presentation with IT’s perspective – it won’t make sense to your stakeholders. Instead, select certain impactful pieces of your view to drop in where they provide valued information and augment the IT budget story. |

Things to bring forward… | Things to hold back… |
---|---|
|
|
1 hour
Stakeholder | Relationship status | Understanding of needs | Budget changes/additions |
---|---|---|---|
CFO | Positive | Wants at least 30% of budget to be CapEx. Needs more detail concerning benefits and tracking of realization. | Do more detailed breakouts of CapEx vs. OpEx as 30% CapEx not realistic – pre-meet. Talk to Enterprise PMO about improving project benefits statement template. |
VP of Sales | Negative | Only concerned with hitting sales targets. Needs to respond/act quickly based on reliable data. | Break out sales consumption of IT resources in detail focusing on CRM and SFA tool costs. Propose business intelligence enhancement project. |
Director of Marketing | Neutral | Multiple manual processes – would benefit from increased automation of campaign management and social media posting. | Break out marketing consumption of IT resources and publicly share/compare to generate awareness/support for tech investment. Work together to build ROI statements. |
[Name/Title] | [Positive/Neutral/Negative] | [Insert text] | [Insert text] |
When IT works well, nobody notices. When it doesn’t, the persistent criticism about IT not delivering value will pop up, translating directly into less funding. Cut this off at the pass with an ongoing communications strategy based on facts, transparency, and perspective taking.
Identify all the communication channels you can leverage including meetings, committees, reporting cycles, and bulletins. Set up new channels if they don’t exist.
Nothing’s better than having a team of supporters when pitch day comes. Quietly get them on board early and be direct about the role each of you will play.
Have information and materials about proposed initiatives at-the-ready. You never know when you’ll get your chance. But if your facts are still fuzzy, do more homework first.
Talking about IT all the time will turn people off. Plan chats that don’t mention IT at all. Ask questions about their world and really listen. Empathy’s a powerful tool.
Describe what you will be doing and how it will benefit the business in language that makes sense to the beneficiaries of the initiative.
Carry the same narrative forward through to the end and tell the whole story. Include comments from stakeholders and beneficiaries about the value they’re receiving.
A partner is an influencer, advocate, or beneficiary of the expenditure or investment you’re proposing. Partners can:
When partners agree to pitch or fund an initiative, IT can lose control of it. Make sure you set specific expectations about what IT will help with or do on an ongoing basis, such as:
A collaborative approach tends to result in a higher level of commitment than a selling approach.
Put yourself in their shoes using their language. Asking “How will this affect you?” focuses on what’s in it for them.
Example:
CIO: “We’re thinking of investing in technology that marketing can use to automate posting content to social media. Is that something you could use?”
CMO: “Yes, we currently pay two employees to post on Facebook and Twitter, so if it could make that more efficient, then there would be cost savings there.”
An approver is the CFO, CEO, board, council, or committee that formally commits funding support to a program or initiative. Approvers can:
When approvers cool to an idea, it’s hard to warm them up again. Gradually socializing an idea well in advance of the formal pitch gives you the chance to isolate and address those cooling factors while they’re still minor. Things you can address if you get an early start with future approvers include:
Blindsiding approvers with a major request at a budget presentation could trigger an emotional response, not the rational and objective one you want.
Make approvers part of the solution by soliciting their advice and setting their expectations well in advance.
Example:
CIO: “The underwriting team and I think there’s a way to cut new policyholder approval turnaround from 8 to 10 days down to 3 or 4 using an online intake form. Do you see any obstacles?”
CFO: “How do the agents feel about it? They submit to underwriting differently and might not want to change. They’d all need to agree on it. Exactly how does this impact sales?”
1 hour
Stakeholder | Current interactions: Forum | Current interactions: Frequency | Current interactions: Content | Opportunities and actions |
---|---|---|---|---|
CFO | One-on-one meeting | Monthly | IT expenditure updates and tracking toward budgeted amount. | Increase one-on-one meeting to weekly. Alternate focus – retrospective update one week, future-looking case development the next. Invite one business unit head to future-looking sessions to discuss their IT needs. |
VP of Sales | Executive meeting | Quarterly | General business update - dominates. | Set up bi-weekly one-on-one meeting – initially focus on what sales does/needs, not tech. Later, when the relationship has stabilized, bring data that shows Sales’ consumption of IT resources. |
Director of Marketing | Executive meeting | Quarterly | General business update - quiet. | Set up monthly one-on-one meeting. Temporarily embed BA to better discover/understand staff processes and needs. |
[Name/Title] | [Insert text] | [Insert text] | [Insert text] | [Insert text] |
You should now have a deeper understanding of the what, why, and who of your IT budget. These elements are foundational to streamlining the budget process, getting aligned with peers and the executive, and increasing your chances of winning budgetary approval in the end.
In this phase, you have:
“Many departments have mostly labor for their costs. They’re not buying a million and a half or two million dollars’ worth of software every year or fixing things that break. They don’t share IT’s operations mindset and I think they get frustrated.”
– Matt Johnson, IT Director Governance and Business Solutions, Milwaukee County
This phase will walk you through the following activities:
This phase involves the following participants:
This phase is about clarifying your context and defining your boundaries.
“A lot of the preparation is education for our IT managers so that they understand what’s in their budgets and all the moving parts. They can actually help you keep it within bounds.”
– Trisha Goya, Director, IT Governance & Administration, Hawaii Medical Service Association
In addition to your CFO, CXOs, and CEO, there are other people who will provide important information, insight, and skill in identifying IT budget priorities and costs.
Role | Skill set | Responsibilities |
---|---|---|
IT Finance Lead | | IT finance personnel will guide the building of cost forecasting methodologies for operating and capital costs, help manage IT cash flows, help identify cost reduction options, and work directly with the finance department to ensure they get what they need. |
IT Domain Managers | | They will be active participants in budgeting for their specific domains, act as a second set of eyes, assist with and manage their domain budgets, and engage with stakeholders. |
Project Managers | | Project managers will assist in capital and operational forecasting and will review project budgets to ensure accuracy. They will also assist in forecasting the operational impacts of capital projects. |
As the head of IT, your role is as the budgeting team lead. You understand both the business and IT strategies, and have relationships with key business partners. Your primary responsibilities are to guide and approve all budget components and act as a liaison between finance, business units, and IT.
Your responsibilities and accountabilities.
Goals and requirements.
Budgeting fundamentals.
Their responsibilities and accountabilities.
Timeframes and deadlines.
Available resources.
2 hours
Each of the four views breaks down IT costs into a different array of categories so you and your stakeholders can see expenditure in a way that’s meaningful for them.
You may decide not to use all four views based on your goals, audience, and available time. However, let’s start with how you can use the first two views, the CFO expense view and the CIO service view.
The CFO expense view is fairly traditional – workforce and vendor. However, Info-Tech’s approach breaks down the vendor software and hardware buckets into on-premises and cloud. Making this distinction is increasingly critical given key differences in CapEx vs. OpEx treatment. Forecasting this view is mandatory.
These two views provide information that will help you optimize IT costs. They’re designed to allow the CFO and CIO to find a common language that will allow them to collaboratively make decisions about managing IT expenditure effectively.
The CIO service view is your view, i.e. it’s how IT tends to organize and manage itself and is often the logical starting point for expenditure planning and analysis. Sub-categories in this view, such as security and data & BI, can also resonate strongly with business stakeholders and their priorities. Forecasting this view is recommended.
Some views take a bit more work to map out, but they can be powerful tools for communicating the value of IT to the business. Let’s look at the last two views, the CXO business view and the CEO innovation view.
The CXO business view looks at IT expenditure business unit by business unit so that each can understand their true consumption of IT resources. This view relies on having a fair and reliable cost allocation formula, such as one based on relative headcount, so it runs the risk of inaccuracy. Forecasting this view is recommended.
These two views provide information that will help you optimize IT support to the business. These views also have a collaborative goal in mind, enabling IT to talk about IT spend in terms that will promote transparency and engage business stakeholders.
The CEO innovation view is one of the hardest to analyze and forecast since a single spend item may apply to innovation, growth, and keeping the lights on. However, if you have an audience with the CEO and they want IT to play a more strategic or innovative role, then this view is worth mapping. Forecasting this view is optional.
30 minutes
The IT Cost Forecasting and Budgeting Workbook contains standalone sections for each view, as well as rows for each lowest-tier sub-category in a view, so each view can be analyzed and forecasted independently.
Ensure you have the following data and information available to you and your budgeting team before diving in:
Past data
Current data
Future data
If you’re just getting started building a repeatable budgeting process, treat it like any other project, complete with a formal plan/charter and a central repository for all related data, information, and in-progress and final documents.
Once you’ve identified a repeatable approach that works for you, transition the budgeting project to a regular operational process complete with policies, procedures, and tools.
But first, some quick definitions:
For last fiscal year, pinpoint the following metrics and information:
Budgeted and actual IT expenditure overall and by major cost category. Categories will include workforce (employees/contractors) and vendors (hardware, software, contracted services) at a minimum.
Actual IT expenditure as a percentage of organizational revenue. This is a widely-used benchmark that your CFO will expect to see.
The known and likely drivers behind budgeted vs. actual variances. Your rationales will affect your perceived credibility. Be straightforward, avoid defending or making excuses, and just show the facts. Ask your CFO what they consider acceptable variance thresholds for different cost categories to guide your variance analysis, such as 1% for overall IT expenditure.
Actual IT CapEx and OpEx. CapEx is often more variable than OpEx over time. Separate them so you can see the real trends for each. Consider:
For the previous five fiscal years, focus on the following:
Actual IT expenditure as a percentage of organizational revenue.
Again, for historical years 2-5, you can break this down into granular cost categories like workforce, software, and infrastructure like you did for last fiscal year. Avoid getting bogged down and focusing on the past – you ultimately want to redirect stakeholders to the future.
Percentage expenditure increase/decrease year to year.
You may choose to show overall IT expenditure amounts, breakdowns by CapEx and OpEx, as well as high-level cost categories.
As you go back in time, some data may not be available to you, may be unreliable or incomplete, or may not employ the same cost categories you’re using today. Use your judgement on the level of granularity you want to and can apply when going back two to five years in the past.
So, what’s the trend? Consider these questions:
Your CFO will look for evidence that you’re gaining efficiencies by controlling costs, which is often a prerequisite for them approving any new funding requests.
Your objective here is threefold:
This step is about establishing credibility, demonstrating IT value, building trust, and showing the CFO you’re on their team.
Do the following:
“Eliminate the things you don’t need. People will give you what you need when you need it if you’re being responsible with what you already have.”
– Angela Hintz, VP of PMO & Integrated Services, Blue Cross and Blue Shield of Louisiana
8 hours
Knowing what happened in the past can provide good insights and give you a chance to show stakeholders your money-management track record. However, what stakeholders really care about is “now” and “next”. For them, it’s all about current business context.
Ask these questions about your current context to assess the relevance of your historical trend data:
What’s the state of | What are the | What has the business | What’s the business |
---|---|---|---|
Some industries are very sensitive to economic cycles, causing wild budget fluctuations year to year. This uncertainty can reduce the volume of spend you automatically carry over one year to the next, making past spend patterns less relevant to your current budgeting effort. | These can change year to year as well, and often manifest on the CapEx side in the form of strategic projects selected. Since this is so variable, using previous years’ CapEx to determine next fiscal’s CapEx isn’t always useful except in regard to multi-year, ongoing capital projects. | Do your best to honor mandates. However, if cuts are suggested that could jeopardize core service delivery, tread cautiously, and pick your battles. You may be able to halt new capital spend to generate cuts, but these projects may get approved anyway, with IT expected to make cuts to OpEx. | If the CFO and others rail against even the most necessary inflation-driven increases, you’ll need to take a conservative approach, focus on cost-saving initiatives, and plan to redirect last year’s expenditures instead of pursuing net-new spend. |
Step back and think about other budget and expenditure goals you have.
Do you want to:
Establish appropriate metrics and targets that will allow you to define success, track progress, and communicate achievement on these higher-level goals.
Check out some example metrics in the table below.
Budgeting metric | Improvement driver | Current value | Future target |
---|---|---|---|
Percentage of spend directly tied to an organizational goal. | Better alignment via increased communication and partnership with the business. | 72% | 90% |
Number of changes to budget prior to final acceptance. | Better accuracy and transparency via use of zero-based budgeting and enhanced stakeholder views. | 8 | 2 |
Percentage variance between budgeted vs. actuals. | Improved forecasting through better understanding of business plans and in-cycle show-back. | +4% | +/-2% |
Percentage of budget approved after first presentation. | Improved business rationales and direct mapping of expenditure to org priorities. | 76% | 95% |
Percentage of IT-driven project budget approved. | More rigor around benefits, ROI calculation, and quantifying value delivered. | 80% | 100% |
First things first: Zero-based or incremental for OpEx? |
Set your OpEx targets |
|
---|---|---|
Incremental budgeting is the addition of a few percentage points onto next year’s budget, assuming the previous year’s OpEx is all recurring. The percentage often aligns with rates of inflation.
|
Zero-based budgeting involves rebuilding your budget from scratch, i.e. zero. It doesn’t assume that any of last year’s costs are recurring or consistent year to year.
|
Pick a range of percentage change based on your business context and past spend.
|
If cost-cutting or optimization is a priority, then a zero-based approach is the right decision. If doing this every year is too onerous, plan to do it for your OpEx at least every few years to examine what’s actually in there, clean house, and re-set.
A lot of IT CapEx is conceived in business projects, so your proposed expenditure here may not be up to you. Exercise as much influence as you can.
First things first: Is it project CapEx, or “business as usual” CapEx? |
||
---|---|---|
Project CapEx is tied to one-time strategic projects requiring investment in new assets.
|
User-driven “business as usual” CapEx manifests via changes (often increases) in organizational headcount due to growth.
|
Network/data center-driven “business-as-usual” CapEx is about core infrastructure maintenance.
|
Unanticipated hiring and the need to buy end-user hardware is cited as a top cause of budget grief by IT leaders – get ahead of this. Project CapEx, however, is usually determined via business-based capital project approval mechanisms well in advance. And don’t forget to factor in pre-established capital asset depreciation amounts generated by all the above!
8 hours
Download the IT Cost Forecasting and Budgeting Workbook
Now you’re ready to do the deep dive into forecasting your IT budget for next year.
In this phase, you clarified your business context and defined your budgetary goals, including:
“We only have one dollar but five things. Help us understand how to spend that dollar.”
– Trisha Goya, Director, IT Governance & Administration, Hawaii Medical Service Association
Lay Your | Get Into Budget-Starting Position | Develop Your | Build Your | Create and Deliver Your Presentation |
---|---|---|---|---|
1.1 Understand what your budget is 1.2 Know your stakeholders 1.3 Continuously pre-sell your budget | 2.1 Assemble your resources 2.2 Understand the four views of the ITFM Cost Model 2.3 Review last year’s budget vs. 2.4 Set your high-level goals | 3.1 Develop assumptions and 3.2 Forecast your project CapEx 3.3 Forecast your non-project CapEx and OpEx | 4.1 Aggregate your numbers 4.2 Stress test your forecasts 4.3 Challenge and perfect your | 5.1 Plan your content 5.2 Build your presentation 5.3 Present to stakeholders 5.4 Make final adjustments and submit your IT budget |
This phase will walk you through the following activities:
This phase involves the following participants:
This phase focuses on putting real numbers on paper based on the research and data you’ve collected. Here, you will:
“Our April forecast is what really sets the bar for what our increase is going to be next fiscal year. We realized that we couldn’t change it later, so we needed to do more upfront to get that forecast right.
If we know that IT projects have been delayed, if we know we pulled some things forward, if we know that a project isn’t starting until next year, let’s be really clear on those things so that we’re starting from a better forecast because that’s the basis of deciding two percent, three percent, whatever it’s going to be.”
– Kristen Thurber, IT Director, Office of the CIO, Donaldson Company
Assumptions are things you hold to be true. They may not actually be true, but they are your logical foundation and must be shared with stakeholders so they can follow your thinking.
Start with understanding your constraints. These are either negotiable (adjustable) or non-negotiable (non-adjustable). However, what is non-negotiable for IT may be negotiable for the organization as a whole, such as its strategic objectives. Consider each of the constraints below, determine how it relates to IT expenditure options, and decide if it’s ultimately negotiable or non-negotiable.
Organizational |
Legal and Regulatory |
IT/Other |
Example: |
---|---|---|---|
|
|
|
You’re in year one of a three-year vendor contract. All contracts are negotiable, but this one isn’t for two years. This contract should be considered a non-negotiable for current budget-planning purposes. |
Identifying your negotiable and non-negotiable constraints is about knowing what levers you can pull. Government entities have more non-negotiable constraints than private companies, which means IT and the organization as a whole have fewer budgetary levers to pull and a lot less flexibility.
An un-pullable lever and a pullable lever (and how much you can pull it) have one important thing in common – they are all fundamental assumptions that influence your decisions.
My current employees will still be here 18 months from now. |
My current vendors aren’t going to discontinue the products we have. |
My organization’s executive team will be the same 18 months from now. | My current key vendors will be around for years to come. |
My organization’s departments, divisions, and general structure will be the same 18 months from now. |
IT has to be an innovation leader. |
We won’t be involved in any merger/acquisition activity next fiscal year. |
IT has always played the same role here and that won’t change. |
There won’t be a major natural disaster that takes us offline for days or even weeks. |
We must move everything we can to the cloud. |
We won’t be launching any new products or services next fiscal year. |
Most of our IT expenditure has to be CapEx, as usual. |
You won’t put some of these assumptions into your final budget presentation. It’s simply worthwhile knowing what they are so you can challenge them when forecasting.
Now it’s time to outline your primary scenario.
A note on probability…
What could or will be your organization’s new current state at the end of next fiscal year?
Primary scenario approval can be helped by putting that scenario alongside alternatives that are less attractive due to their cost, priority, or feasibility. Alternative scenarios are created by manipulating or eliminating your negotiable constraints or treating specific unknowns as knowns. Here are some common alternative scenarios.
The high-cost scenario: Assumes very positive economic prospects. Characterized by more of everything – people and skills, new or more sophisticated technologies, projects, growth, and innovation. Remember to consider the long-term impact on OpEx that higher capital spend may bring in subsequent years.
Target 10-20% more expenditure than your primary scenario
The low-cost scenario: Assumes negative economic prospects or cost-control objectives. Characterized by less of everything, specifically capital project investment, other CapEx, and OpEx. Must assume that business service-level expectations will be down-graded and other sacrifices will be made.
Target 5-15% less expenditure than your primary scenario
The dark horse scenario: This is a more radical proposition that challenges the status quo. For example, what would the budget look like if all data specialists in the organization were centralized under IT? What if IT ran the corporate PMO? What if the entire IT function was 100% outsourced?
No specific target
INDUSTRY: Manufacturing
SOURCE: Anonymous
A manufacturing IT Director gets budgetary approval by showing what the business would have to sacrifice to get the cheap option.
Challenge |
Solution |
Results |
---|---|---|
A manufacturing business had been cutting costs endlessly across the organization, but specifically in IT. IT was down to the bone. The IT Director had already been doing zero-based budgeting to rationalize all expenditure, stretching asset lifecycles as long as possible, and letting maintenance work slide. There were no obvious options left to reduce costs based on what the business wanted to do. |
The IT Director got creative. He put together three complete budgets:
In the budget presentation, he led with the “super cheap” budget where IT was 100% outsourced. |
He proceeded to review the things they wouldn’t have under the extreme outsourced scenario, including the losses in service levels that would be necessary to make it happen. The executive was shocked by what the IT Director showed them. The executive immediately approved the IT Director’s preferred budget. He was able to defend the best budget for the business by showing them what they stood to lose. |
2 hours
Traditional, binary “CapEx vs. OpEx” distinctions don’t seem adequate for showing where expenditure is really going. We’ve added a new facet to help further differentiate one-time project costs from recurring “business as usual” expenses.
Project CapEx
Includes all workforce and vendor costs associated with planning and execution of projects largely focused on the acquisition or creation of new capital assets.
Non-project CapEx
Includes “business as usual” capital asset acquisition in the interest of managing, maintaining, or supporting ongoing performance of existing infrastructure or services, such as replacement network equipment, end-user hardware (e.g. laptops), or disaster recovery/business continuity redundancies. Also includes ongoing asset depreciation amounts.
Non-project OpEx
Includes all recurring, non-CapEx “business as usual” costs such as labor compensation and training, cloud-based software fees, outsourcing costs, managed services fees, subscriptions, and other discretionary spend.
Depreciation is technically CapEx. However, for practical purposes, most organizations list it under OpEx, which can cause it to get lost in the noise. Here, depreciation is under non-project CapEx to keep its true CapEx nature visible and in the company of other “business as usual” capital purchases that will ultimately join the depreciation ranks.
This process can be simple as far as overall budget forecasting is concerned. If it isn’t simple now, plan to make it simpler next time around.
What to expect…
Key forecasting principles…
Develop rigorous business cases
Secure funding approval well in advance
Tie back costs benefitting business units
Consider the longer-term OpEx impact
For more information about putting together sound business cases for different projects and circumstances, see the following Info-Tech blueprints:
Build a Comprehensive Business Case
Tip #1: Don’t surprise your approvers. Springing a capital project on approvers at your formal presentation isn’t a good idea and stands a good chance of rejection, so do whatever you can to lock these costs down well in advance.
Tip #2: Project costs should be entirely comprised of CapEx if possible. Keep in mind that some of these costs will convert to depreciated non-project CapEx and non-project OpEx as they transition from project costs to ongoing “business as usual” costs, usually in the fiscal year following the year of expenditure. Creating projections for the longer-term impacts of these project CapEx costs on future types of expenditure is a good idea. Remember that a one-time project is not the same thing as a one-time cost.
Tip #3: Capitalize any employee labor costs on capital projects. This ensures the true costs of projects are not underestimated and that operational staff aren’t being used for free at the expense of their regular duties.
Tip #4: Capitalizing cloud costs in year one of a formal implementation project is usually acceptable. It’s possible to continue treating cloud costs as CapEx with some vendors via something called reserved instances, but organizations report that this is a lot of work to set up. In the end, most capitalized cloud will convert into non-project OpEx in years two and beyond.
Tip #5: Build in some leeway. By the time a project is initiated, circumstances may have changed dramatically from when it was first pitched and approved, including business priorities and needs, vendor pricing, and skillset availability. Your costing may become completely out of date. It’s a good practice to work within more general cost ranges than with specific numbers, to give you the flexibility to respond and adapt during actual execution.
Time: Depends on size of project portfolio
What to expect…
Central to the definition of OpEx is the fact that it’s ongoing. It rarely stops, and tends to steadily increase over time due to factors like inflation, rising vendor prices, organizational growth, increases in the salary expectations of employees, and other factors.
The only certain ways to reduce OpEx are to convert it to capitalizable expenditure, decrease staffing costs, not pursue cloud technologies, or for the organization to simply not grow. For most organizations, none of these approaches are feasible. Smaller scale efficiencies and optimizations can keep OpEx from running amok, but they won’t change its overall upward trajectory over time. Expect it to increase.
Key forecasting principles…
Focus on optimization and efficiency.
Aim for full spend transparency.
Think about appropriate chargeback options.
Give it the time it deserves.
For more information about how to make the most out of your IT OpEx, see the following Info-Tech blueprints:
Develop Your Cost Optimization Roadmap
Achieve IT Spend & Staffing Transparency
Tip #1: Consider zero-based budgeting. You don’t have to do this every year, but re-rationalizing your OpEx every few years, or just a segment of it on a rotational basis, will not only help you readily justify the expenditure but also find waste and inefficiencies you didn’t know existed.
Tip #2: Capitalize your employee capital project work. While some organizations aren’t allowed to do this, others who can simply don’t bother. Unfortunately, this act can bloat the OpEx side of the equation substantially. Many regular employees spend a significant amount of their time working on capital projects, but this fact is invisible to the business. This is why the business keeps asking why it takes so many people to run IT.
Tip #3: Break out your cloud vs. on-premises costs. Burying cloud apps costs in a generic software bucket works against any transparency ambitions you may have. If you have anything resembling a cloud strategy, you need to track, report, and plan for these costs separately in order to measure benefits realization. This goes for cloud infrastructure costs, too.
Tip #4: Spend time on your CIO service view forecast. Completing this view counts as a first step toward service-based costing and is a good starting point for setting up an accurate service catalog. If looking for cost reductions, you’ll want to examine your forecasts in this view as there will likely be service-level reductions you’ll need to propose to hit your cost-cutting goals.
Tip #5: Budget with consideration for chargeback. Chargeback mechanisms for OpEx can be challenging to manage and have political repercussions, but they do shift accountability back to the business, guarantee that the IT bills get paid, and reduce IT’s OpEx burden. Selectively charging business units for applications that only they use may be a good entry point into chargeback. It may also be as far as you want to go with it. Doing the CXO business view forecast will provide insight into your opportunities here.
These costs are often the smallest percentage of overall expenditure but one of the biggest sources of financial grief for IT.
What to expect…
Key forecasting principles…
Discuss hiring plans with the business.
Pay close attention to your asset lifecycles.
Prepare to advise about depreciation schedules.
Build in contingency for the unexpected.
For more information about ensuring IT isn’t left in the lurch when it comes to non-project CapEx, see the following Info-Tech blueprints:
Tip #1: Top up new hire estimations: Talk to every business unit leader about their concrete hiring plans, not their aspirations. Get a number, increase that number by 25% or 20 FTEs (whichever is less), and use this new number to calculate your end-user non-project CapEx.
Tip #2: Make an arrangement for who’s paying for operational technology (OT) devices and equipment. OT involves specialized devices such as in-the-field sensors, scanners, meters, and other networkable equipment. Historically, operational units have handled this themselves, but this has created security problems and they still rely on IT for support. Sort the financials out now, including whose budget device and equipment purchases appear on, as well as what accommodations IT will need to make in its own budget to support them.
Tip #3: Evaluate cloud infrastructure and managed services. These can dramatically reduce your non-project CapEx, particularly on the network and data center fronts. However, these solutions aren’t necessarily less expensive and will drive up OpEx, so tread cautiously.
Tip #4: Definitely do an inventory. If you haven’t invested in IT asset management, put it on your project and budgetary agenda. You can’t manage what you don’t know you have, so asset discovery should be your first order of business. From there, start gathering asset lifecycle information and build in alerting to aid your spend planning.
Tip #5: Think about retirement: What assets are nearing end of life or the end of their depreciation schedule? What impact is this having on non-project OpEx in terms of maintenance and support? Deciding to retire, replace, or extend an IT operational asset will change your non-project CapEx outlook and will affect costs in other areas.
Tip #6: Create a contingency fund: You need one to deal with surprises and emergencies, so why wait?
A powerful metric to share with business stakeholders is expenditure per employee or FTE. It’s powerful because:
This metric is one of the simplest to calculate. The challenge is in getting your hands on the data in the first place.
Short-term forecasting: |
Long-term forecasting: |
---|---|
“It’s a great step in the right direction. We look at – Kristen Thurber, IT Director, Office of the CIO, |
“This approach was much better. We now – Trisha Goya, Director, IT Governance & Administration, |
Time: Depends on size of vendor portfolio and workforce
INDUSTRY: Insurance
SOURCE: Anonymous
Challenge | Solution | Results |
---|---|---|
In his first run at the annual budgeting process, a new CIO received delivery dates from Finance and spent the next three months building the budget for the next fiscal year. He discovered that the organization had been underinvesting in IT for a long time. There were platforms without support, no accounting for currency exchange rates on purchases, components that had not been upgraded in 16 years, big cybersecurity risks, and 20 critical incidents a month. | In his budget, the CIO requested a 22-24% increase in IT expenditure to deal with the critical gaps, and provided a detailed defense of his proposal. But the new CIO’s team and Finance were frustrated with him. He asked his IT finance leader why. She said she didn’t understand what his direction was and why the budgeting process was taking so long – his predecessor did the budget in only two days. He would add up the contracts, add 10% for inflation, and that’s it. | Simply put, the organization hadn’t taken budgeting seriously. By doing it right, the new CIO had inadvertently challenged the status quo. The CIO ended up under-executing his first budget by 12% but is tracking closer to plan this year. Significantly, he’s been able to cut critical incidents from 20 down to only 2-3 per month. Some friction persists with the CFO, who sees him as a “big spender,” but he believes that this friction has forced him to be even better. |
The hard math is done. Now it’s time to step back and craft your final proposed budget and its key messages.
This phase focused on developing your forecasts and proposed budget for next fiscal year. It included:
“Ninety percent of your projects will get started but a good 10% will never get off the ground because of capacity or the business changes their mind or other priorities are thrown in. There are always these sorts of challenges that come up.”
– Theresa Hughes, Executive Counselor, Info-Tech Research Group and Former IT Executive
This phase will walk you through the following activities:
This phase involves the following participants:
Triple check your numbers and put the finishing touches on your approval-winning rationales.
This phase is where your analysis and decision making finally come together into a coherent budget proposal. Key steps include:
“We don’t buy servers and licenses because we want to. We buy them because we have to. IT doesn’t need those servers out at our data center provider, network connections, et cetera. Only a fraction of these costs are to support us in the IT department. IT doesn’t have control over these costs because we’re not the consumers.”
– Matt Johnson, IT Director Governance and Business Solutions, Milwaukee County
Rationales build credibility and trust in your business capabilities. They can also help stop the same conversations happening year after year.
Any item in your proposed budget can send you down a rabbit hole if not thoroughly defensible.
You probably won’t need to defend every item, but it’s best to be prepared to do so. Ask yourself:
“Budgets get out of control when one department fails to care for the implications of change within another department's budget. This wastes time, reduces accuracy and causes conflict.”
– Tara Kinney, Atomic Revenue, LLC.
Not all spending serves the same purpose. Some types require deeper or different justifications than others.
For the business, there are two main purposes for spend:
“Approval came down to ROI and the ability to show benefits realization for years one, two, and three through five.”
– Duane Cooney, Executive Counselor, Info-Tech Research Group, and Former Healthcare CIO
Regardless of its ultimate purpose, all expenditure needs statements of assumptions, obstacles, and likelihood of goals being realized behind it.
Rationales aren’t only for capital projects – they can and should be applied to all proposed OpEx and CapEx. Business project rationales tend to drive revenue and the customer experience, demanding ROI calculations. Internal IT-projects and non-project expenditure are often focused on mitigating and managing risk, requiring cost-benefit analysis.
Overall |
Non-Project OpEx |
Non-Project CapEx |
Project CapEx |
---|---|---|---|
|
|
|
|
2 hours
INDUSTRY: Healthcare
SOURCE: Anonymous
Challenge | Solution | Results |
---|---|---|
A senior nursing systems director needed the CIO’s help. She wanted to get a project off the ground, but it wasn’t getting priority or funding. Nurses were burning out. Many were staying one to two hours late per shift to catch up on patient notes. Their EHR platform had two problematic workflows, each taking up to about 15 minutes per nurse per patient to complete. These workflows were complex, of no value, and just not getting done. She needed a few million dollars to make the fix. | The CIO worked with the director to do the math. In only a few hours, they realized that the savings from rewriting the workflows would allow them to hire over 500 full-time nurses. The benefits realized would not only help reduce nurse workload and generate savings, but also increase the amount of time spent with patients and number of patients seen overall. They redid the math several times to ensure they were right. | The senior nursing systems director presented to her peers and leadership, and eventually to the Board of Directors. The Board immediately saw the benefits and promoted the project to first on the list ahead of all other projects. This collaborative approach to generating project benefits statements helped the CIO gain trust and pave the way for future budgets. |
First, recall what budgets are really about.
The completeness, accuracy, and granularity of your numbers and thorough ROI calculations for projects are essential. They will serve you well in getting the CFO’s attention. However, the numbers will only get you halfway there. Despite what some people think, the work in setting a budget is more about the what, how, and why – that is, the rationale – than about the how much.
Next, revisit Phase 1 of this blueprint and review:
Then, look at each component of your proposed budget through each of these three rationale-building lenses.
Business goals
What are the organization’s strategic priorities?
Governance culture
How constrained is the decision-making process?
Feasibility
Can we make it happen?
Business goals What are the organization’s strategic priorities? |
Context This is all about external factors, namely the broader economic, political, and industry contexts in which the organization operates. |
Lifecycle position The stage the organization is at in terms of growth, stability, or decline will drive decisions, priorities, and the ability to spend or invest. |
Opportunities Context and lifecycle position determine opportunities, which are often defined in terms of potential cost savings |
Tie every element in your proposed budget to an organizational goal. |
Non-project OpEx
|
Non-project CapEx
|
Project CapEx
|
Governance Culture How rigorous/ constrained |
Risk tolerance This is the organization’s willingness to be flexible, take chances, make change, and innovate. It is often driven by legal and regulatory mandates. |
Control Control manifests in the number and nature of rules and how authority and accountability are centralized or distributed in the organization. |
Speed to action How quickly decisions are made and executed upon is determined by the amount of consultation and number of approval steps. |
Ensure all parts of your proposed budget align with what’s tolerated and allowed. |
Non-project OpEx
| Non-project CapEx
| Project CapEx
|
Feasibility Can we do it, and what sacrifices will we have to make? |
Funding The ultimate determinant of feasibility is the availability, quantity, and reliability of funding next fiscal year and over the long term to support investment. |
Capabilities Success hinges on both the availability and accessibility of required skills and knowledge to execute on a spend plan in the required timeframe. |
Risk Risk is not just about obstacles to success and what could happen if you do something – it’s also about what could happen if you do nothing at all. |
Vet every part of your proposed budget to ensure what you’re asking for is both realistic and possible. |
Non-project OpEx
| Non-project CapEx
| Project CapEx
|
Detailed data and information checklist:
|
High-level rationale checklist:
|
For more on creating detailed business cases for projects and investments, see Info-Tech’s comprehensive blueprint, Build a Comprehensive Business Case.
2 hours
This phase is where everything came together into a coherent budget proposal. You were able to:
“Current OpEx is about supporting and aligning with past business strategies. That’s alignment. If the business wants to give up on those past business strategies, that’s up to them.”
– Darin Stahl, Distinguished Analyst and Research Fellow, Info-Tech Research Group
This phase will walk you through the following activities:
This phase involves the following participants:
This phase focuses on developing your final proposed budget presentation for delivery to your various stakeholders. Here you will:
“I could have put the numbers together in a week. The process of talking through what the divisions need and spending time with them is more time consuming than the budget itself.”
– Jay Gnuse, IT Director, Chief Industries
Mandatory: Just about every CFO or approving body will expect to see this information. Often high level in nature, it includes:
|
Recommended: This information builds on the mandatory elements, providing more depth and detail. Inclusion of recommended content depends on:
|
Optional: This is very detailed information that provides alternative views and serves as reinforcement of your key messages. Consider including it if:
|
Deciding what to include or exclude depends 100% on your target audience. What will fulfill their basic information needs as well as increase their engagement in IT financial issues?
These represent the contextual framework for your proposal and explain why you made the decisions you did.
Stating your assumptions and presenting at least two alternative scenarios helps in the following ways:
Your assumptions and alternative scenarios may not appear back-to-back in your presentation, yet they’re intimately connected in that every unique scenario is based on adjustments to your core assumptions. These tweaks – and the resulting scenarios – reflect the different degrees of probability that a variable is likely to land on a certain value (i.e. an alternative assumption).
Your primary scenario is the one you believe is most likely to happen and is represented by the complete budget you’re recommending and presenting.
Target timeframe for presentation: 2 minutes
Key objectives: Setting context, demonstrating breadth of thought.
Potential content for section:
“Things get cut when the business doesn’t know what something is, doesn’t recognize it, doesn’t understand it. There needs to be an education.”
– Angie Reynolds, Principal Research Director, ITFM Practice, Info-Tech Research Group
See Tabs “Planning Variables” and 9, “Alternative Scenarios” in your IT Cost Forecasting and Budgeting Workbook for these outputs.
Core assumptions | Primary target scenario | Alternative scenarios | Full alternative scenario budgets |
---|---|---|---|
List | Slide | Slide | Budget |
Mandatory: This is a listing of both internal and external factors that are most likely to affect the challenges and opportunities your organization will have and how it can and will operate. This includes negotiable and non-negotiable internal and external constraints, stated priorities, and the expression of known risk factors. | Mandatory: Emanating from your core assumptions, this scenario is a high-level statement of goals, initial budget targets, and proposed budget based on your core assumptions. | Recommended: Two alternatives are typical, with one higher spend and one lower spend than your target. The state of the economy and funding availability are the assumptions usually tweaked. More radical scenarios, like the cost and implications of completely outsourcing IT, can also be explored. | Optional: This is a lot of work, but some IT leaders do it if an alternative scenario is a strong contender or is necessary to show that a proposed direction from the business is costly or not feasible. |
This retrospective on IT expenditure is important for three reasons:
You probably won’t have a lot of time for this section, so everything you select to share should pack a punch and perform double duty by introducing concepts you’ll need your stakeholders to have internalized when you present next year’s budget details.
Target timeframe for presentation: 7 minutes
Key objectives: Definitions, alignment, expectations-setting.
Potential content for section:
“If they don’t know the consequences of their actions, how are they ever going to change their actions?”
– Angela Hintz, VP of PMO & Integrated Services, Blue Cross and Blue Shield of Louisiana
See Tabs 1 “Historical Events & Projects,” 3 “Historical Analysis,” and 6 “Vendor Worksheet” in your IT Cost Forecasting and Budgeting Workbook for these outputs.
Total budgeted vs. total actuals | Graph | Mandatory: Demonstrates the variance between what you budgeted for last year and what was actually spent. Explaining causes of variance is key. |
---|---|---|
Total actuals by expenditure type | Graph | Mandatory: Provides a comparative breakdown of last year’s expenditure by non-project OpEx, non-project CapEx, and project CapEx. This offers an opportunity to explain different types of IT expenditure and why they’re the relative size they are. |
Major capital projects completed | List | Mandatory: Illustrates progress made toward strategically important objectives. |
Top vendors | List | Recommended: A list of vendors that incurred the highest costs, including their relative portion of overall expenditure. These are usually business software vendors, i.e. tools your stakeholders use every day. The number of vendors shown is up to you. |
See Tab 1, “Historical Events & Projects” in your IT Cost Forecasting and Budgeting Workbook for these outputs.
Cost drivers | List | Mandatory: A list of major events, circumstances, business decisions, or non-negotiable factors that necessitated expenditure. Be sure to focus on the unplanned or unexpected situations that caused upward variance. |
---|---|---|
Savings drivers | List | Mandatory: A list of key initiatives pursued, or circumstances that resulted in efficiencies or savings. Include any deferred or canceled projects. |
Also calculate and list the magnitude of costs incurred or savings realized in hard financial terms so that the full impact of these events is truly understood by your stakeholders.
“What is that ongoing cost? If we brought in a new platform, what does that do to our operating costs?”
– Kristen Thurber, IT Director, Office of the CIO, Donaldson Company
See Tab 3 “Historical Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.
IT actual expenditure | Graph | Mandatory: This is crucial for showing overall IT expenditure patterns, particularly percentage changes up or down year to year, and what the drivers of those changes were. |
---|---|---|
IT actuals as a % of organizational revenue | Graph | Mandatory: You need to set the stage for the proposed percentage of organizational revenue to come. The CFO will be looking for consistency and an overall decreasing pattern over time. |
IT expenditure per FTE year over year | Graph | Optional: This can be a powerful metric as it’s simple and easy to understand. |
The historical analysis you can do is endless. You can generate many more cuts of the data or go back even further – it’s up to you.
Keep in mind that you won’t have a lot of time during your presentation, so stick to the high-level, high-impact graphs that demonstrate overarching trends or themes.
See Tab 3 “Historical Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.
Budgeted vs. actuals CFO expense view | Graph | Mandatory: Showing different types of workforce expenditure compared to different types of vendor expenditure will be important to the CFO. |
---|---|---|
Budgeted vs. actuals CIO services view | Graph | Optional: Showing the expenditure of some IT services will clarify the true total costs of delivering and supporting these services if misunderstandings exist. |
Budgeted vs. actuals CXO business view | Graph | Optional: A good way to show true consumption levels and the relative IT haves and have-nots. Potentially political, so consider sharing one-on-one with relevant business unit leaders instead of doing a big public reveal. |
Budgeted vs. actual CEO innovation view | Graph | Optional: Clarifies how much the organization is investing in innovation or growth versus keeping the lights on. Of most interest to the CEO and possibly the CFO, and good for starting conversations about how well funding is aligned with strategic directions. |
30 minutes
Download the IT Cost Forecasting and Budgeting Workbook
Build a logical bridge between what happened in the past and what’s coming up next year using a comparative approach and feature major highlights.
This transitional phase between the past and the future is important for the following reasons:
Consider this the essential core of your presentation – this is the key message and what your audience came to hear.
Target timeframe for presentation: 10 minutes
Key objectives: Transition, reveal proposed budget.
Potential content for section:
“The companies...that invest the most in IT aren’t necessarily the best performers. On average, the most successful small and medium companies are more frugal when it comes to company spend on IT (as long as they do it judiciously).”
– Source: Techvera, 2023
See Tab 8, “Proposed Budget Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.
Last year’s total actuals vs. next year’s total forecast | Proposed budget in context: Year-over-year expenditure | Last year’s actuals vs. next year’s proposed by expenditure type | Last year’s expenditure per FTE vs. next year’s proposed |
---|---|---|---|
Graph | Graph | Graph | Graph |
Mandatory: This is the most important graph for connecting the past with the future and is also the first meaningful view your audience will have of your proposed budget for next year. | Mandatory: Here, you will continue the long-term view introduced in your historical data by adding on next year’s projections to your existing five-year historical trend. The percentage change from last year to next year will be the focus. | Recommended: A double-comparative breakdown of last year vs. next year by non-project OpEx, non-project CapEx, and project CapEx illustrates where major events, decisions, and changes are having their impact. | Optional: This graph is particularly useful in demonstrating the success of cost-control if the actual proposed budget is higher than the previous year but the IT cost per employee has gone down. |
See Tab 5, “Project CapEx Forecast” in your IT Cost Forecasting and Budgeting Workbook for the data and information to create these outputs.
Major project profile | Slide | Mandatory: Focus on projects for which funding is already committed and lean toward those that are strategic or clearly support business goal attainment. How many you profile is up to you, but three to five is suggested. |
---|---|---|
Minor project overview | List | Optional: List other projects on IT’s agenda to communicate the scope of IT’s project-related responsibilities and required expenditure to be successful. Include in-progress projects that will be completed next year and net-new projects on the roster. |
You can’t profile every project on the list, but it’s important that your stakeholders see their priorities clearly reflected in your budget; projects are the best way to do this.
If you’ve successfully pre-sold your budget and partnered with business-unit leaders to define IT initiatives, your stakeholders should already be very familiar with the project summaries you put in front of them in your presentation.
30 minutes
Download the IT Cost Forecasting and Budgeting Workbook
The graphs you select here will be specific to your audience and any particular message you need to send.
This detailed phase of your presentation is important because it allows you to:
Target timeframe for presentation: 7 minutes, but this phase of the presentation may naturally segue into the final Q&A.
Key objectives: Transparency, dialogue, buy-in.
Potential content for section:
“A budget is a quantified version of your service-level agreements.”
– Darin Stahl, Distinguished Analyst & Research Fellow, Info-Tech Research Group
See Tab 8, “Proposed Budget Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.
Proposed budget: Workforce and vendors by expenditure type | Graph | Mandatory: This is the traditional CFO’s view, so definitely show it. The compelling twist here is showing it by expenditure type, i.e. non-project OpEx, non-project CapEx, and project CapEx. |
---|---|---|
Proposed budget: Cloud vs. on-premises vendor expenditure | Graph | Optional: If this is a point of contention or if an active transition to cloud solutions is underway, then show it. |
Top vendors | Graph | Recommended: As with last year’s actuals, showing who the top vendors are slated to be next year speaks volumes to stakeholders about exactly where much of their money is going. |
If you have a diverse audience with diverse interests, be very selective – you don’t want to bore them with things they don’t care about.
See Tab 8, “Proposed Budget Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.
Proposed budget: IT services by expenditure type | Graph | Optional: Business unit leaders will be most interested in the application services. Proposed expenditure on security and data and BI services may be of particular interest given business priorities. Don’t linger on infrastructure spend unless chargeback is in play. |
---|---|---|
Proposed budget: Business units by expenditure type | Graph | Optional: The purpose of this data is to show varying business units where they stand in terms of consumption. It may be more appropriate to show this graph in a one-on-one meeting or other context. |
Proposed budget: Business focus by expenditure type | Graph | Optional: The CEO will care most about this data. If they’re not in the room, then consider bypassing it and discuss it separately with the CFO. |
Inclusion of these graphs really depends on the makeup of your audience. It’s a good decision to show all of them to your CFO at some point before the formal presentation. Consider getting their advice on what to include and exclude.
30 minutes
Download the IT Cost Forecasting and Budgeting Workbook
Download Info-Tech’s IT Budget Executive Presentation Template
If you prefer, use your own internal standard presentation template instead and treat Info-Tech’s template as a structural guide.
Regardless of the template you use, Info-Tech recommends the following structure:
Leave the details for the speaker’s notes.
Remember that this is an executive presentation. Use tags, pointers, and very brief sentences in the body of the presentation itself. Avoid walls of text. You want your audience to be listening to your words, not reading a slide.
Speak to everything that represents an increase or decrease of more than 5% or that simply looks odd.
Being transparent is essential. Don’t hide anything. Acknowledge the elephant in the room before your audience does to quickly stop suspicious or doubtful thoughts.
Identify causes and rationales.
This is why your numbers are as they are. However, if you’re not 100% sure what all the driving factors are, don’t make them up. Also, if the line between cause and effect isn’t straight, craft in advance a very simple way of explaining it that you can offer whenever needed.
Be neutral and objective in your language.
You need to park strong feelings at the door. You’re presenting rational facts and thoroughly vetted recommendations. The best defense is not to be defensive, or even offensive for that matter. You don’t need to argue, plead, or apologize – let your information speak for itself and allow the audience to arrive at their own logical conclusions.
Re-emphasize your core themes to create connections.
If a single strategic project is driving cost increases across multiple cost categories, point it out multiple times if needed to reinforce its importance. If an increase in one area is made possible by a significant offset in another, say so to demonstrate your ongoing commitment to efficiencies. If a single event from last year will continue having cost impacts on several IT services next year, spell this out.
Duration: 2 hours
Note: Refer to your organization’s standards and norms for executive-level presentations and either adapt the Info-Tech template accordingly or use your own.
Download the IT Budget Executive Presentation template
Some final advice on presenting your proposed budget…
Partner up: If something big in your budget is an initiative that’s for a specific business unit, let that business unit’s leader be the face of it and have IT play the role of supporting partner. |
Use your champions: Let your advocates know in advance that you’d appreciate hearing their voice during the presentation if you encounter any pushback, or just to reinforce your main messages. |
Focus on the CFO: The CFO is the most important stakeholder in the room at the end of the day, even more than the CEO in some cases. Their interests should take priority if you’re pressed for time. |
Avoid judgment: Let the numbers speak for themselves. Do point out highlights and areas of interest but hold off on offering emotion-driven opinions. Let your audience draw their own conclusions. |
Solicit questions: You do want dialogue. However, keep your answers short and to the point. What does come up in discussion is a good indication of where you’ll need to spend more time in the future. |
The only other thing that can boost your chances is if you’re lucky enough to be scheduled to present between 10:00 and 11:00 on a Thursday morning when people are most agreeable. Beyond that, apply the standard rules of good presentations to optimize your success.
You’ve reached the end of the budget creation and approval process. Now you can refocus on using your budget as a living governance tool.
This phase focused on developing your final proposed budget presentation for delivery to your various stakeholders. Here, you:
“Everyone understands that there’s never enough money. The challenge is prioritizing the right work and funding it.”
– Trisha Goya, Director, IT Governance & Administration, Hawaii Medical Service Association
“Keep that conversation going throughout the year so that at budgeting time no one is surprised…Make sure that you’re telling your story all year long and keep track of that story.”
– Angela Hintz, VP of PMO & Integrated Services, Blue Cross and Blue Shield of Louisiana
This final section will provide you with:
By following the phases and steps in this blueprint, you have:
What’s next?
Use your approved budget as an ongoing IT financial management governance tool and track your budget process improvement metrics.
If you would like additional support, have our analysts guide you through an Info-Tech full-service engagement or Guided Implementation.
Contact your account representative for more information.
1-888-670-8889
Monica Braun, Research Director, ITFM Practice, Info-Tech Research Group
Carol Carr, Technical Counselor (Finance), Info-Tech Research Group
Larry Clark, Executive Counselor, Info-Tech Research Group
Duane Cooney, Executive Counselor, Info-Tech Research Group
Lynn Fyhrlund, Former Chief Information Officer, Milwaukee County
Jay Gnuse, Information Technology Director, Chief Industries
Trisha Goya, Director, IS Client Services, Hawaii Medical Service Association
Angela Hintz, VP of PMO & Integrated Services, Blue Cross and Blue Shield of Louisiana
Rick Hopfer, Chief Information Officer, Hawaii Medical Service Association
Theresa Hughes, Executive Counselor, Info-Tech Research Group
Dave Kish, Practice Lead, IT Financial Management Practice, Info-Tech Research Group
Matt Johnson, IT Director Governance and Business Solutions, Milwaukee County
Titus Moore, Executive Counselor, Info-Tech Research Group
Angie Reynolds, Principal Research Director, IT Financial Management Practice, Info-Tech Research Group
Mark Roman, Managing Partner, Executive Services, Info-Tech Research Group
Darin Stahl, Distinguished Analyst & Research Fellow, Info-Tech Research Group
Miguel Suarez, Head of Technology, Seguros Monterrey New York Life
Kristen Thurber, IT Director, Office of the CIO, Donaldson Company
Achieve IT Spend & Staffing Transparency
IT Spend & Staffing Benchmarking Service
Build Your IT Cost Optimization Roadmap
“How Much Should a Company Spend on IT?” Techvera, no date. Accessed 3 Mar. 2023.
“State of the CIO Study 2023.” Foundry, 25 Jan. 2023. Accessed 3 Mar. 2023.
Aberdeen Strategy & Research. “The State of IT 2023.” Spiceworks. Ziff Davis, 2022. Accessed 28 Feb. 2023.
Ainsworth, Paul. “Responsibilities of the Modern CFO - A Function in Transition.” TopTal, LLC., no date. Accessed 15 Feb. 2023.
Balasaygun, Kaitlin. “For the first time in a long time, CFOs can say no to tech spending.” CNBC CFO Council, 19 Jan. 2023. Accessed 17 Feb. 2023.
Bashir, Ahmad. “Objectives of Capital Budgeting and factors affecting Capital Budget Decisions.” LinkedIn, 27 May 2017. Accessed 14 Apr. 2023.
Blackmon, Kris. “Building a Data-Driven Budget Pitch the C-Suite Can't Refuse.” NetSuite Brainyard, 21 Sep. 2021. Accessed 17 Feb. 2023.
Butcher, Daniel. “CFO to CFO: Budgeting to Fund Strategic Plans.” Strategic Finance Magazine/Institute of Management Accountants, 1 Dec. 2021. Accessed 17 Feb. 2023.
Gray, Patrick. “IT Budgeting: A Cheat Sheet.” TechRepublic, 29 Jul. 2020. Accessed 28 Feb. 2023.
Greenbaum, David. “Budget vs. Actuals: Budget Variance Analysis & Guide.” OnPlan, 15 Mar. 2022. Accessed 22 Mar. 2023.
Huber, Michael and Joan Rundle. “How to Budget for IT Like a CFO.” Huber & Associates, no date. Accessed 15 Feb. 2023.
Kinney, Tara. “Executing Your Department Budget Like a CFO.” Atomic Revenue, LLC., no date. Accessed 15 Feb. 2023.
Lafley, A.G. “What Only the CFO Can Do.” Harvard Business Review, May 2009. Accessed 15 Mar. 2009.
Moore, Peter D. “IN THE DIGITAL WORLD, IT should be run as a profit center, not a cost center.” Wild Oak Enterprise, 26 Feb. 2020. Accessed 3 Mar. 2023.
Nordmeyer, Bille. “What Factors Are Going to Influence Your Budgeting Decisions?” bizfluent, 8 May 2019. Accessed 14 Apr. 2023.
Ryan, Vincent. “IT Spending and 2023 Budgets Under Close Scrutiny.” CFO, 5 Dec. 2022. Accessed 3 Mar. 2023.
Stackpole, Beth. “State of the CIO, 2022: Focus turns to IT fundamentals.” CIO Magazine, 21 Mar. 2022. Accessed 3 Mar. 2023.
As a CIO, you need to move beyond day-to-day technology management and meet an ever-increasing need to forecast technology impacts, not just from a technical perspective but by mapping technical understanding to potential business impacts and improvements. Technology transformation and innovation are moving more quickly than ever before, and as an innovation champion, the CIO or CTO should have foresight into specific technologies and an understanding of how the company could be disrupted in the near future.
The Disruptive Technology Exploitation Plan Template acts as an implementation plan for developing a long-term strategy for monitoring and implementing disruptive technologies.
The Disruptive Technology Look to the Past Tool will help you collect reasonability test notes when evaluating potential disruptive technologies.
The Disruptive Technology Research Database Tool will help you to keep track of the independent research that is conducted by members of the disruptive technology exploitation working group.
The Disruptive Technology Shortlisting Tool will help you to codify the results of the disruptive technology working group's longlist winnowing process.
The Disruptive Technology Value Readiness & SWOT Analysis Tool will help you systematize notional evaluations of the value and readiness of potential disruptive technologies.
The Proof of Concept Template will guide you through the creation of a minimum-viable proof-of-concept project.
The Disruptive Technology Executive Presentation Template will help you present an overview of the disruptive technology process, outlining the value to your company.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Discuss the general overview of the disruptive technology exploitation process.
Develop an initial disruptive technology exploitation plan.
Stakeholders are on board, the project’s goals are outlined, and the working group is selected.
1.1 Get execs and stakeholders on board.
1.2 Review the process of analyzing disruptive tech.
1.3 Select members for the working group.
1.4 Choose a schedule and time commitment.
1.5 Select a group of visionaries.
Initialized disruptive tech exploitation plan
Meeting agenda, schedule, and participants
Understand how disruption will affect the organization, and develop an initial list of technologies to explore.
Knowledge of how to think like a futurist.
Understanding of organizational processes vulnerable to disruption.
Outline of potentially disruptive technologies.
2.1 Start the meeting with introductions.
2.2 Train the group to think like futurists.
2.3 Brainstorm about disruptive processes.
2.4 Brainstorm a longlist.
2.5 Research and brainstorm separate longlists.
List of disruptive organizational processes
Initial longlist of disruptive tech
Evaluate the specific value of longlisted technologies to the organization.
Defined list of the disruptive technologies worth escalating to the proof of concept stage.
3.1 Converge the longlists developed by the team.
3.2 Narrow the longlist to a shortlist.
3.3 Assess readiness and value.
3.4 Perform a SWOT analysis.
Finalized longlist of disruptive tech
Shortlist of disruptive tech
Value-readiness analysis
SWOT analysis
Candidate(s) for proof of concept charter
Understand how the technologies in question will impact the organization.
Understanding of the specific effects of the new technology on the business processes it is intended to disrupt.
Business case for the proof-of-concept project.
4.1 Build a problem canvas.
4.2 Identify affected business units.
4.3 Outline and map the business processes likely to be disrupted.
4.4 Map disrupted business processes.
4.5 Recognize how the new technology will impact business processes.
4.6 Make the case.
Problem canvas
Map of business processes: current state
Map of disrupted business processes
Business case for each technology
“We all encounter unexpected changes and our responses are often determined by how we perceive and understand those changes. We react according to the unexpected occurrence. Business organizations are no different.
When a company faces a major technology disruption in its markets – one that could fundamentally change the business or impact its processes and technology – the way its management perceive and understand the disruption influences how they describe and plan for it. In other words, the way management sets the context of a disruption – the way they frame it – shapes the strategy they adopt. Technology leaders can vastly influence business strategy by adopting a proactive approach to understanding disruptive and innovative technologies by simply adopting a process to review and evaluate technology impacts to the company’s lines of business.”
Troy Cheeseman
Practice Lead, Infrastructure & Operations Research
Info-Tech Research Group
Proactively monitoring, evaluating, and exploiting disruptive tech isn’t optional.
This will protect your role, IT’s role, and the future of the organization.
A diverse working group maximizes the insight brought to bear.
An IT background is not a prerequisite.
The best technology is only the best when it brings immediate value.
Good technology might not be ready; ready technology might not be good.
Target Audience: CIO, CTO, Head of Infrastructure
As a CIO, you need to move beyond day-to-day technology management and meet an ever-increasing need to forecast technology impacts, not just from a technical perspective but by mapping technical understanding to potential business impacts and improvements. Technology transformation and innovation are moving more quickly than ever before, and as an innovation champion, the CIO or CTO should have foresight into specific technologies and an understanding of how the company could be disrupted in the near future. Foresight + Current Technology + Business Understanding = Understanding the Business Disruption. This should be a repeatable process, not an exception or reactionary response.
The right team matters. A core working group will keep focus through the process and a leader will keep everyone accountable. Visionaries are out-of-the-box thinkers and once they understand how to think like a "futurist," they will drive the longlist and shortlist actions.
To keep up with exponential technology growth you need to take a multi-threaded approach.
Establish the longlist. The longlist helps create a holistic view of most technologies that could impact the business. Assigning values and quadrant scoring will shortlist the options and focus your PoC option.
Long to short...that's the short of it. Using SWOT, value readiness, and quadrant mapping review sessions will focus the longlist, creating a shortlist of potential POC candidates to review and consider.
There is no such thing as a risk-free endeavor. Use a systematic process to ensure that the risks your organization takes have the potential to produce significant rewards.
Don’t be afraid to fail! Inevitably, some proof-of-concept projects will not benefit the organization. The projects that are successful will more than cover the costs of the failed projects. Roll out small scale and minimize losses.
Don't forget the C-suite. Effectively communicate and present the working group’s findings with a well-defined and succinct presentation. Start the process again!
Phase 1: Identify | Phase 2: Resolve | Phase 3: Evaluate | |
Phase Steps |
|
|
|
Phase Outcomes |
|
|
|
“Look, you have never had this amount of opportunity for innovation. Don’t forget to capitalize on it. If you do not capitalize on it, you will go the way of the dinosaur.”
– Dave Evans, Co-Founder and CTO, Stringify
“ By 2025:
– Nick Gabov
Technology disrupts IT by:
Technology disrupts the business by:
Be prepared when disruptions start coming down, even though it isn’t easy. Use this research to reduce the effort to a simple process that can be performed alongside everyday firefighting.
“You rarely see a real-world correlation of .86!”
– Mike Battista, Staff Scientist, Cambridge Brain Sciences, PhD in Measurement
“The last thing the CIO needs is an executive saying ‘I don’t know what it is or what it does…but I want two of them!’”
– Tim Lalonde
“I don’t know”
“Here in IT, we have already considered that technology and decided it was overhyped. Let me show you our analysis and invite you to join our working group.”
OR
“We have already considered that technology and have started testing it. Let me show you our testing lab and invite you to join our working group.”
Airline magazine syndrome is a symptom of a wider problem: poor CEO-CIO alignment. Solve this problem with improved communication and documentation. Info-Tech’s disruptive tech iterative process will make airline magazine syndrome a thing of the past!
“Today’s CIO dominion is in a decaying orbit with CIOs in existential threat mode.”
– Ken Magee
“The IT department plays a critical role in [innovation]. What they can do is identify a technology that potentially might introduce improvements to the organization, whether it be through efficiency, or through additional services to constituents.”
– Michael Maguire, Management Consultant
The contemporary CIO is a conductor, ensuring that IT works in harmony with the rest of the business.
The new CIO is a conductor, not a musician. The CIO is taking on the role of a business engineer, working with other executives to enable business innovation.
The new CIO is an expert and an aggregator. Conductor CIOs increasingly need to keep up on the latest technologies. They will rely on experts in each area and provide strategic synthesis to decide if, and how, developments are relevant in order to tune their IT infrastructure.
“An analysis of the history of technology shows that technological change is exponential, contrary to the common-sense ‘intuitive linear’ view. So we won’t experience 100 years of progress in the 21st century – it will be more like 20,000 years of progress (at today’s rate).”
– Ray Kurzweil
Technology advances exponentially. Rather than improving by the same amount of capability each year, it multiplies in capability each year.
Think like a futurist to anticipate technology before it goes mainstream.
Exponential growth happens much faster than linear growth, especially when it hits the knee of the curve. Even those who acknowledge exponential growth underestimate how capabilities can improve.
“We spend 70 percent of our time on core search and ads. We spend 20 percent on adjacent businesses, ones related to the core businesses in some interesting way. Examples of that would be Google News, Google Earth, and Google Local. And then 10 percent of our time should be on things that are truly new.”
– Eric Schmidt, Google
You and your team need to analyze technology every year to predict where it’s going.
“One of the most consistent patterns in business is the failure of leading companies to stay at the top of their industries when technologies or markets change […] Managers must beware of ignoring new technologies that can’t initially meet the needs of their mainstream customers.”
– Joseph L. Bower and Clayton M. Christensen
Challenge | Solution |
---|---|
New technology can hit like a meteor, but it doesn’t have to leave a crater: | Use the annual process described in this blueprint to create a formal evaluation of new technology that turns analysis into action. |
Predicting the future isn’t easy, but it can be done: | Lead the analysis from the office of the CIO. Establish a team to carry out the annual process as a cure for airline magazine syndrome. |
Your role is endangered, but you can survive: | Train your team on the patterns of progress, track technology over time in a central database, and read Info-Tech’s analysis of upcoming technology. |
Communication is difficult when the sky is falling, so have a simple way to get the message across: | Track metrics that communicate your progress, and summarize the results in a single, easy-to-read exploitation plan. |
Use Info-Tech’s tools and templates, along with this storyboard, to walk you through creating and executing an exploitation process in six steps.
No business process is perfect.
Inevitably, some proof of concept projects will not benefit the organization. The projects that are successful will more than cover the costs of the failed projects. Roll out small scale and minimize losses.
Key Performance Indicator | Description | Target | Result |
---|---|---|---|
Number of Longlist technologies | Establish a range of Longlist technologies to evaluate | 10-15 | |
Number of Shortlist technologies | Establish a range of Shortlist technologies to evaluate | 5-10 | |
Number of "look to the past" likes/dislikes | Minimum number of testing characteristics | 6 | |
Number of POCs | Total number of POCs Approved | 3-5 | |
Use the Disruptive Technology Exploitation Plan Template to summarize everything that the group does. Update the report continuously and use it to show others what is happening in the world of disruptive technology.
Section | Title | Description |
---|---|---|
1 | Rationale and Summary of Exploitation Plan | A summary of the current efforts that exist for exploring disruptive technology. A summary of the process for exploiting disruptive technology, the resources required, the team members, meeting schedules, and executive approval. |
2 | Longlist of Potentially Disruptive Technologies | A summary of the longlist of identified disruptive technologies that could affect the organization, shortened to six or less that have the largest potential impact based on Info-Tech’s Disruptive Technology Shortlisting Tool. |
3 | Analysis of Shortlist | Individually analyze each technology placed on the shortlist using Info-Tech’s Disruptive Technology Value-Readiness and SWOT Analysis Tool. |
4 | Proof of Concept Plan | Use the results from Section 3 to establish a plan for moving forward with the technologies on the shortlist. Determine the tasks required to implement the technologies and decide who will complete them and when. |
5 | Hand-off | Pass the project along to identified stakeholders with significant interest in its success. Continue to track metrics and prepare to repeat the disruptive technology exploitation process annually. |
This storyboard, and the associated tools and templates, will walk you through creating a disruptive technology working group of your own.
The Disruptive Technology Exploitation Plan Template acts as an implementation plan for developing a long-term strategy for monitoring and implementing disruptive technologies.
The Proof of Concept Template will guide you through the creation of a minimum-viable proof-of-concept project.
The Disruptive Technology Executive Presentation Template will assist you to present an overview of the disruptive technology process, outlining the value to your company.
The Disruptive Technology Value Readiness & SWOT Analysis Tool will assist you to systematize notional evaluations of the value and readiness of potential disruptive technologies.
The Disruptive Technology Research Database Tool will help you to keep track of the independent research that is conducted by members of the disruptive technology exploitation working group.
The Disruptive Technology Shortlisting Tool will help you to codify the results of the disruptive technology working group's longlist winnowing process.
The Disruptive Technology Look to the Past Tool will assist you to collect reasonability test notes when evaluating potential disruptive technologies.
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Phase 1 | Phase 2 | Phase 3 | ||
---|---|---|---|---|
Call #1: Explore the need for a disruptive technology working group. | Call #3: Review the agenda for the initial meeting. | Call #5: Review how you’re brainstorming and your sources of information. | Call #7: Review the final shortlist and assessment. | Call #9: Review the progress of your team. |
Call #2: Review the team name, participants, and timeline. | Call #4: Assess the results of the initial meeting. | Call #6: Review the final longlist and begin narrowing it down. | Call #8: Review the next steps. | Call #10: Review the communication plan. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 8 to 12 calls over the course of 4 to 6 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| Pre-Work | Day 1 | Day 2 | Day 3 | Day 4 |
---|---|---|---|---|---|
| Establish the Disruptive Tech Process | Hold Your Initial Meeting | Create a Longlist and Assess Shortlist | Create Process Maps | Develop a Proof of Concept Charter |
Activities | 1.1.a Get executives and stakeholders on board. 1.1.b Review the process of analyzing disruptive tech. 1.1.c Select members for the working group. 1.1.d Choose a schedule and time commitment. 1.1.e Select a group of visionaries. | 1.2.a Start the meeting with introductions. 1.2.b Train the group to think like futurists. 1.2.c Brainstorm about disruptable processes. 1.2.d Brainstorm a longlist. 1.2.e Research and brainstorm separate longlists. | 2.1.a Converge the longlists developed by the team. 2.2.b Narrow the longlist to a shortlist. 2.2.c Assess readiness and value. 2.2.d Perform a SWOT analysis. | 3.1.a Build a problem canvas. 3.1.b Identify affected business units. 3.1.c Outline and map the business processes likely to be disrupted. 3.1.d Map disrupted business processes. 3.1.e Recognize how the new technology will impact business processes. 3.1.f Make the case. | 3.2.a Develop key performance indicators (KPIs). 3.2.b Identify key success factors. 3.2.c Outline project scope. 3.2.d Identify responsible team. 3.2.e Complete resource estimation. |
Deliverables | | | | | |
The Key Is in Anticipation!
Step 1.1: Establish the core working group and select a leader; select a group of visionaries
Step 1.2: Train the group to think like futurists
Step 1.3: Hold the initial meeting
IT Infrastructure Manager
CIO or CTO
Potential members and visionaries of the working group
Disruptive Technology Affects the Organization | ||
---|---|---|
| Benefits | Costs |
Short Term | | |
Long Term | | |
Disruptive Technology Affects IT | ||
---|---|---|
| Benefits | Costs |
Short Term | | |
Long Term | | |
Insert the resources required by the disruptive tech exploitation team into Section 1.5 of the Disruptive Technology Exploitation Plan Template. Have executives sign off on the project in Section 1.6.
Disruptive technology:
Voice over Internet Protocol (VoIP) is a modern means of making phone calls through the internet by sending voice packets using data, as opposed to the traditional circuit transmissions of the PSTN.
Who won:
Organizations that realized the cost savings that VoIP provided for businesses with a steady internet connection saved as much as 60% on telephony expenses. Even in the early stages, with a few more limitations, organizations were able to save a significant amount of money and the technology has continued to improve.
Who lost?
Telecom-related companies that failed to realize VoIP was a potential threat to their market, and organizations that lacked the ability to explore and implement the disruptive technology early.
Disruptive technology:
Digital photography refers to the storing of photographs in a digital format, as opposed to traditional photography, which exposes light to sensitive photographic film.
Who won:
Photography companies and new players that exploited the evolution of data storage and applied it to photography succeeded. Those that were able to balance providing traditional photography and exploiting and introducing digital photography, such as Nikon, left competitors behind. Smartphone manufacturers also benefited by integrating digital cameras.
Who lost?
Photography companies, such as Kodak, that failed to respond to the digital revolution found themselves outcompeted and insolvent.
There are five steps to formally exploiting disruptive technology, each with its own individual outputs and tools to take analysis to the next level.
Step 1.2: | Output: |
---|---|
Step 2.1: Brainstorm Longlist | Output: |
Step 2.2: Assess Shortlist | Output: |
Step 3.1: | Output: |
Step 3.2: | Output: |
Before going to stakeholders, complete the entire blueprint to better understand the tools and outputs of the process.
Organization Size | Working Group Size |
---|---|
Small | 1-2 |
Medium | 3-5 |
Large | 5-10 |
The working group needs a name. Be sure to select one with a positive connotation within your organization.
Section 1.3 of the Disruptive Technology Exploitation Plan Template
Time the disruptive technology working group’s meetings to coincide and integrate with your organization’s strategic planning — at least annually.
Size | Meeting Frequency | Time per Meeting | Example Meeting Activities |
---|---|---|---|
Small | Annually | One day | A one-day meeting to run through phase 2 of the project (SWOT analysis and shortlist analysis). |
Medium | Annually | Two days | A two-day meeting to run through the project. The additional meeting involves phase 3 of this deck, developing a proof-of-concept plan. |
Large | Annually | Two+ days | Two meetings, each two days. Two days to create and winnow the longlist (phase 2), and two further days to develop a proof of concept plan. |
“Regardless of size, it’s incumbent upon every organization to have some familiarity of what’s happening over the next few years, [and to try] to anticipate what some of those trends may be. […] These trends are going to accelerate IT’s importance in terms of driving business strategy.”
– Vern Brownell, CEO, D-Wave
Section 1.4 of the Disruptive Technology Exploitation Plan Template
Selecting advisors for your group is an ongoing step, and the roster can change.
Ensure that you satisfy the following criteria:
This group does not have to meet as regularly as the core working group. Input from external advisors can occur between meetings. You can also include them on every second or third iteration of the entire process.
However, the more input you can get into the group, the more innovative it can become.
“It is … important to develop design fictions based on engagement with directly or indirectly implicated publics and not to be designed by experts alone.”
– Emmanuel Tsekleves, Senior Lecturer in Design Interactions, University of Lancaster
Section 1.3 of the Disruptive Technology Exploitation Plan Template
INDUSTRY - Chip Manufacturing
SOURCE - Clayton Christensen, Intel
To achieve insight, you need to collaborate with people from outside of your department.
“[The models presented in the workshops] gave us a common language and a common way to frame the problem so that we could reach a consensus around a counterintuitive course of action.” – Andy Grove, then-CEO, Intel Corporation
Business buy-in is essential. Manage your business partners by providing a summary of the EDIT methodology and process. Validate the process value, which will allow you to create a team of IT and business representatives.
Step 1 | Step 2 | Step 3 | Step 4 |
---|---|---|---|
Review what you missed. | What did you like? | What did you dislike? | Test the reasonability. |
Think about a time you missed a technical disruptive opportunity. Start with a list of technologies that changed your business and processes. Consider specifically those you could have identified with a repeatable process. | What were the most impactful points about the technology? Define a list of “characteristics” you liked. Create a shortlist of items. Itemize the impact to process, people, and technology. | Why did you pass on the tech? Define a list of “characteristics” you did not like. Create a shortlist of items. Itemize the impact to process, people, and technology. | Avoid the “arm chair quarterback” view. Refer to the six positive and negative points. Check against your data points at the end of each phase. |
Record the list of missed opportunities | Record 6 characteristics | Record 6 characteristics | Completed “Think Like a Futurist” tool |
Use the Disruptive Technology Research Look to the Past Tool to record your output.
“The last ten years have seen exponential growth in research on disruptive technologies and their impact on industries, supply chains, resources, training, education and employment markets … The debate is still open on who will be the winners and losers of future industries, but what is certain is that change has picked up pace and we are now in a new technology revolution whose impact is potentially greater than the industrial revolution.”
– Gary L. Evans
Exponential growth happens much faster than linear growth, especially when it hits the knee of the curve. Technology grows exponentially, and we are approaching the knee of the curve.
This graph is adapted from research by Ray Kurzweil.
Review the differences between exponential and linear growth
“There are 7.7 billion people in the world, with at least 3.5 billion of us online. This means social media platforms are used by one in three people in the world and more than two-thirds of all internet users.”
– Esteban Ortiz-Ospina
“Ray Kurzweil has been described as ‘the restless genius’ by The Wall Street Journal, and ‘the ultimate thinking machine’ by Forbes. He was ranked #8 among entrepreneurs in the United States by Inc Magazine, calling him the ‘rightful heir to Thomas Edison,’ and PBS included Ray as one of 16 ‘revolutionaries who made America,’ along with other inventors of the past two centuries.”
Source: KurzweilAI.net
“Information technology is growing exponentially. That’s really my main thesis, and our intuition about the future is not exponential, it’s really linear. People think things will go at the current pace …1, 2, 3, 4, 5, and 30 steps later, you’re at 30.”
Better IT strategy enables future business innovation
“The reality of information technology like computers, like biological technologies now, is it goes exponentially … 2, 4, 8, 16. At step 30, you’re at a billion, and this is not an idle speculation about the future.” [emphasis added]
“When I was a student at MIT, we all shared a computer that cost tens of millions of dollars. This computer [pulling his smartphone out of his pocket] is a million times cheaper, a thousand times more powerful — that’s a billion-fold increase in MIPS per dollar, bits per dollar… and we’ll do it again in 25 years.”
Source: “IT growth and global change: A conversation with Ray Kurzweil,” McKinsey & Company
Leverage industry roundtables and trend reports to understand the art of the possible
Visit Info-Tech’s Trends & Priorities Research Center
Visit Info-Tech’s Industry Coverage Research to get started.
Establish the longlist. The longlist helps create a holistic view of most technologies that could impact the business. Assigning values and quadrant scoring will shortlist the options and focus your PoC option.
The purpose of the initial meeting is to brainstorm where new technology will be the most disruptive within the organization. You’ll develop two longlists: one of business processes and one of disruptive technology. These longlists are in addition to the independent research your core working group will perform before Phase 2.
The disruptive tech team is prestigious. If your organization is large enough or has the resources, consider having this meeting in an offsite location. This will drive excitement to join the working group if the opportunity arises and incentivize good work.
Meeting Agenda (Sample) | |
---|---|
Time | Activity |
8:00am-8:30am | Introductions and previous meeting recap |
8:30am-9:30am | Training deck |
9:30am-10:00am | Brainstorming |
10:00am-10:15am | Break |
10:15am-10:45am | Develop good research techniques |
10:45am-12:00pm | Begin compiling your longlist |
These generated ideas are organizational processes that can be improved or disrupted with emerging technologies. This list will be referenced throughout Phases 2 and 3.
Download the Disruptive Technology Database Tool
Science fiction is a valid source of learning. It drives and is influenced by disruptive technology.
“…the inventor of the first liquid-fuelled rocket … was inspired by H.G. Wells’ science fiction novel War of the Worlds (1898). More recent examples include the 3D gesture-based user interface used by Tom Cruise’s character in Minority Report (2002), which is found today in most touch screens and the motion sensing capability of Microsoft’s Kinect. Similarly, the tablet computer actually first appeared in Stanley Kubrick’s 2001: A Space Odyssey (1968) and the communicator – which we’ve come to refer today as the mobile phone – was first used by Captain Kirk in Star Trek (1966).”
– Emmanuel Tsekleves, senior lecturer, University of Lancaster
Right sources: blogs, tech news sites, tech magazines, the tech section of business sites, popular science books about technology, conferences, trade publications, and vendor announcements
Quantity over quality: early research is not the time to dismiss ideas.
Discuss with your peers: spark new and innovative ideas
Insert a brief summary of how independent research is conducted in Section 2.1 of the Disruptive Technology Exploitation Plan Template.
Connect with practitioners that are worth their weight in Reddit gold. Check out topic-based LinkedIn groups and subreddits such as r/sysadmin and r/tech. People experienced with technology frequent these groups.
YouTube is for more than cat videos. Many vendors use YouTube for distributing their previous webinars. There are also videos showcasing various technologies that are uploaded by lecturers, geeks, researchers, and other technology enthusiasts.
Test your reasonability. Check your “Think Like a Futurist” Tool
Step 2.1: Create and Winnow a Longlist
Step 2.2: Assess Shortlist
Long to short … that’s the short of it. Using SWOT, value readiness, and quadrant mapping review sessions will focus the longlist, creating a shortlist of potential PoC candidates to review and consider.
Meeting Agenda (Sample) | |
---|---|
Time | Activity |
8:00am-9:30am | Converge longlists |
9:30am-10:00am | Break |
10:00am-10:45am | Discuss tech in organizational context |
10:45am-11:15am | Begin compiling the shortlist |
Insert the final longlist into Section 2.2 of your Disruptive Technology Exploitation Plan Template.
Improved business processes | 80% |
---|---|
Core product and service improvement | 48% |
Reduced costs | 48% |
Increased revenues | 23% |
Penetration into new markets | 21% |
N=364 CXOs & CIOs from the CEO-CIO Alignment Diagnostic. Questions were asked on a 7-point scale of 1 = Not at all to 7 = Very strongly. Results are displayed as percentage of respondents selecting 6 or 7.
To decide which technology has potential for your organization, have the working group or workshop participants evaluate each technology:
Technology | Innovation | Transformation |
---|---|---|
Conversational Commerce | High | High |
Insert the final shortlist into Section 2.2 of your Disruptive Technology Exploitation Plan Template.
Innovation | Transformation |
---|---|
| |
Technology can be transformational but not innovative. Not every new technology is disruptive. Even where technology has improved the efficiency of the business, if it does this in an incremental way, it might not be worth exploring using this storyboard.
Use the Disruptive Technology Shortlisting Tool, tabs 2 and 3.
This is an assessment meant to serve as a guide. Use discretion when moving forward with a proof-of-concept project for any potentially disruptive technology.
Participant Evaluation | Quadrant |
---|---|
High Innovation, High Transformation | 1 |
High Innovation, Low Transformation | 2 |
Low Innovation, Low Transformation | 3 |
Low Innovation, High Transformation | 4 |
Use the Disruptive Technology Shortlisting Tool, tabs 3 and 4.
Input the results of the vote into tab 3 of the Disruptive Technology Shortlisting Tool.
View the results on tab 4.
Use the Disruptive Technology Value-Readiness and SWOT Analysis Tool
The technology monitor diagram appears in tab 9 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool
Update the Disruptive Technology Value-Readiness and SWOT Analysis Tool, tab 4.
Overall Value | |
---|---|
Quality | Cost |
Each technology, if it has a product associated with it, can be evaluated along eight dimensions of quality. Consider how well the product performs, its features, its reliability, its conformance, its durability, its serviceability, its aesthetics, and its perceived quality. | IT budgets are broken down into capital and operating expenditures. A technology that requires a significant investment along either of these lines is unlikely to produce a positive return. Also consider how much time it will take to implement and operate each technology. |
The value assessment is part of the Disruptive Technology Value-Readiness and SWOT Analysis Tool
Watch your costs: Technology that seems cheap at first can actually be expensive over time. Be sure to account for operational and opportunity costs as well.
Update the Disruptive Technology Value-Readiness and SWOT Analysis Tool, tab 4.
How much time has the technology had to mature? Older technology is more likely to be ready for adoption.
The amount of venture capital gathered by important firms in the space is an indicator of market faith.
How big is the market for the technology? It is more difficult to break into a giant market than a niche market.
Have any established vendors (Microsoft, Facebook, Google, etc.) thrown their weight behind the technology?
A large number of small companies in the space indicates that the market has yet to reach equilibrium.
Google is your friend: search each shortlisted technology to find details about its development and important vendors.
Websites like Crunchbase, VentureBeat, and Mashable are useful sources for information on the companies involved in a space and the amount of money they have each raised.
Green represents a technology that scores extremely high on one axis or the other, or quite high on both. These technologies are the best candidates for proof-of-concept projects from a value perspective.
Red represents a technology that has scored very low on both axes. These technologies will be expensive, time consuming, and of poor quality.
Yellow represents the fuzzy middle ground. These technologies score moderately on both axes. Be especially careful when considering the SWOT analysis of these technologies.
Use tab 6 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool.
Write each technology as a heading on a whiteboard. Spend 10-15 minutes on each technology conducting a SWOT analysis together.
The list of processes generated at the cycle’s initial meeting is a great source for opportunities and threats.
Disruptive Technology Value-Readiness and SWOT Analysis Tool
Disruptive Technology Value-Readiness and SWOT Analysis Tool, tab 9
The tool’s final tab displays the results of the value-readiness analysis and the SWOT analysis in a single location.
A technology’s exceptional value and immediate usability make it the best. A technology can be promising and compelling, but it is unsuitable unless it can bring immediate and exceptional value to your organization. Don’t get caught up in the hype.
Step 3.1: Create Process Maps
Step 3.2: Develop Proof of Concept Charter
Clarify the problem in order to make the case. Fill in section 1.1 of Info-Tech’s Proof of Concept Template to clearly outline the problem each proof of concept is designed to solve.
Establish roles and responsibilities. Use section 1.2 of the template to outline the roles and responsibilities that fall to each member of the team. Ensure that clear lines of authority are delineated and that the list of stakeholders is exhaustive: include the executives whose input will be required for project approval, all the way to the technicians on the frontline responsible for implementing it.
Outline the solution to the problem. Demonstrate how each proof-of-concept project provides a solution to the problem outlined in section 1.1. Be sure to clarify what makes the particular technology under investigation a potential solution and record the results in section 1.3.
Use the Proof of Concept Project Template to track the information you gather throughout Phase 3.
1. More revenue
2. Job security
3. ……
1. Moving product
2. Per sale value
3. ……
1. Clunky website
2. Bad site navigation
3. ……
List of pains addressed by conversational commerce:
“If I were given one hour to solve a problem, I would spend 59 minutes defining the problem and one minute resolving it.”
– Albert Einstein
Input the results of this exercise into Section 1.1 of the Proof of Concept Template.
Job: Anything that the “customer” (the target of the solution) needs to get done but that is complicated by a pain.
Examples:
The job of the conversational commerce interface is to make selling products easier for the company.
From the customer perspective, the job of the conversational interface is to make the act of purchasing a product simpler and easier.
Stakeholder: Anyone who is impacted by the new technology and who will end up using, approving, or implementing it.
Examples:
The executive is responsible for changing the company’s direction and approving investment in a new sales platform.
The IT team is responsible for implementing the new technology.
Marketing will be responsible for selling the change to customers.
Customers, the end users, will be the ones using the conversational commerce user interface.
Input the results of this exercise into Section 1.2 of the Proof of Concept Template.
Process deconstruction reveals strengths and weaknesses. Promising technology should improve stakeholders’ abilities to do jobs.
Note: The goal of this exercise is to make the case for a particular technology. Sell it!
Expected Gain: Increase in sales.
Conversational Commerce’s Contribution: Customers are more likely to purchase products using interfaces they are comfortable with.
Expected Gain: Decrease in costs.
Conversational Commerce’s Contribution: Customers who are satisfied with the conversational interface are less likely to interact with live agents, saving labor costs.
Input the results of this exercise into Section 1.3 of the Proof of Concept Template.
Use the Proof of Concept Project Template to track the information you gather throughout Phase 3.
“The disruption is not just in the technology. Sometimes a good business model can be the disruptor.”
– Jason Hong, Associate Professor, Carnegie Mellon
Input the results of this exercise into Section 2.1 of the Proof of Concept Template.
“To truly understand a business process, we need information from both the top-down and bottom-up points of view. Informants higher in the organizational hierarchy with a strategic focus are less likely to know process details or problems. But they might advocate and clearly articulate an end-to-end, customer-oriented philosophy that describes the process in an idealized form. Conversely, the salespeople, customer service representatives, order processors, shipping clerks, and others who actually carry out the processes will be experts about the processes, their associated documents, and problems or exception cases they encounter.”
– Robert J. Glushko, Professor at UC Berkeley and Tim McGrath, Business Consultant
Opinions gathered from a group that reflect the process in question are far more likely to align with your organization’s reality. If you have any questions about a particular process, do not be afraid to go outside of the working group to ask someone who might know.
Source: Edraw Visualization Solutions
Using the information gleaned from the previous activities, develop a new process map that takes the new technology into account.
Identify the new actions or decisions that the new technology will affect.
User: selects and purchases product from a menu; Company: ships product to customer
It’s OK to fail! The only way to know you’re getting close to the “knee of the curve” is from multiple failed PoC tests. The more PoC options you have, the more likely it is that you will have two to three successful results.
If you cannot articulate how a new technology will benefit a business process, reconsider moving forward with the proof-of-concept project.
Step 3.1: Create Process Maps
Step 3.2: Develop Proof of Concept Charter
Develop Proof of Concept Charter
Input the results of this exercise into Section 3.0 of the Proof of Concept Template.
Specific | Measurable | Actionable | Realistic | Time Bound |
---|---|---|---|---|
Make sure the objective is clear and detailed. | Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective. | Objectives become actionable when specific initiatives designed to achieve the objective are identified. | Objectives must be achievable given your current resources or known available resources. | An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline. |
Who, what, where, why? | How will you measure the extent to which the goal is met? | What is the action-oriented verb? | Is this within my capabilities? | By when: deadline, frequency? |
Input the results of this exercise into Section 3.0 of the Proof of Concept Template.
“An estimated 70% of performance measurement systems fail after implementation. Carefully select your KPIs and avoid this trap!”
Source: Collins et al. 2016
Key Performance Indicator | Description | Target | Result |
---|---|---|---|
Conversion rate | What percentage of customers who visit the site/open the conversational interface continue on to make a purchase? | 40% | |
Average order value | How much does each customer spend per visit to the website? | $212 | |
Repeat customer rate | What percentage of customers have made more than one purchase over time? | 65% | |
Lifetime customer value | Over the course of their interaction with the company, what is the typical value each customer brings? | $1566 | |
Input the results of this exercise into Section 3.1 of the Proof of Concept Template.
Effective project management involves optimizing four key success factors (Clarke, 1999)
Input the results of this exercise into Section 3.0 of the Proof of Concept Template.
“Although scope creep is not the only nemesis a project can have, it does tend to have the farthest reach. Without a properly defined project and/or allowing numerous changes along the way, a project can easily go over budget, miss the deadline, and wreak havoc on project success.”
– University Alliance, Villanova University
Input the results of this exercise into Section 3.0 of the Proof of Concept Template.
Name/Title | Role |
---|---|
IT Manager | Negotiate the contract for the software with vendor |
CMO | Promote the conversational interface to customers |
Input the results of this exercise into Section 3.0 of the Proof of Concept Template.
*This number is a sample taken from the vendor Rhombus
Input the results of this exercise into Section 3.0 of the Proof of Concept Template.
Info-Tech’s CIO-CEO Alignment Survey, N=225
Organization size was determined by the number of IT employees within the organization
Small = 10 or fewer IT staff, medium = 11 to 25 IT staff, and large/enterprise = 26 or greater IT staff
Advertise the group’s successes and help prevent airline magazine syndrome from occurring.
“Some CIOs will have to battle the bias that they belong in the back office and shouldn’t be included in product architecture planning. CIOs must ‘sell’ IT’s strength in information architecture.”
– Chris Curran, Chief Technologist, PwC (Curran, 2014)
Cast a wide net. By sharing your results with as many people as possible within your organization, you’ll not only attract more attention to your working group, but you will also get more feedback and ideas.
Use section 3.2.b to identify the decision-making stakeholder who has the most to gain from a successful proof-of-concept project. Self-interest is a powerful motivator – the project is more likely to succeed in the hands of a passionate champion.
Set a date for the first meeting of the new iteration of the disruptive technology working group before the last meeting is done. Don’t risk pushing it back indefinitely.
The key is in anticipation. This is not a one-and-done exercise. Technology innovation operates at a faster pace than ever before, well below the Moore’s Law “18-month” timeline, for example. Success is in making EDIT a repeatable process.
Define Your Digital Business Strategy
After a major crisis, find your place in the digital economy.
Develop a Project Portfolio Management Strategy
Drive project throughput by throttling resource capacity.
Adopt Design Thinking in Your Organization
Innovation needs design thinking.
Digital Maturity Improvement Service
Prepare your organization for digital transformation – or risk falling behind.
Nitin Babel, Co-Founder, niki.ai
Nitin Babel, MSc, co-created conversational commerce platform niki.ai in early 2015. Since then, the technology has been featured on the front page of the Economic Times, and has secured the backing of Ratan Tata, former chairman of the Tata Group, one of the largest companies in the world.
Mark Hubbard, Senior Vice President, FirstOnSite
Mark is the SVP for Information Technology in Canada with FirstOnSite, a full service disaster recovery and property restoration company. Mark has over 25 years of technology leadership guiding global organizations through the development of strategic and tactical plans to strengthen their technology platforms and implement business aligned technology strategies.
Chris Green, Enterprise Architect, Boston Private
Chris is an IT architect with over 15 years’ experience designing, building, and implementing solutions. He is a results-driven leader and contributor, skilled in a broad set of methods, tools, and platforms. He is experienced with mobile, web, enterprise application integration, business process, and data design.
Andrew Kope, Head of Data Analytics, Big Blue Bubble
Andrew Kope, MSc, oversees a team that develops and maintains a user acquisition tracking solution and a real-time metrics dashboard. He also provides actionable recommendations to the executive leadership of Big Blue Bubble – one of Canada’s largest independent mobile game development studios.
Jason Hong, Associate Professor, School of Computer Science, Human-Computer Interaction Institute, Carnegie Mellon University
Jason Hong is a member of the faculty at Carnegie Mellon’s School of Computer Science. His research focus lies at the intersection of human-computer interaction, privacy and security, and systems. He is a New America National Cyber Security Fellow (2015-2017) and is widely published in academic and industry journals.
Tim Lalonde, Vice President, Mid-Range
Tim Lalonde is the VP of Technical Operations at Mid-Range. He works with leading-edge companies to be more competitive and effective in their industries. He specializes in developing business roadmaps leveraging technology that create and support change from within — with a focus on business process re-engineering, architecture and design, business case development and problem-solving. With over 30 years of experience in IT, Tim’s guiding principle remains simple: See a problem, fix a problem.
Jon Mavor, Co-Founder and CTO, Envelop VR
Jon Mavor is a programmer and entrepreneur, whose past work includes writing the graphics engine for the PC game Total Annihilation. As Chief Technology Officer of Envelop VR, a virtual reality start-up focused on software for the enterprise, Jon has overseen the launch of Envelop for Windows’s first public beta.
Dan Pitt, President, Palo Alto Innovation Advisors
Dan Pitt is a network architect who has extensive experience in both the academy and industry. Over the course of his career, Dan has served as Executive Director of the Open Networking Foundation, Dean of Engineering at Santa Clara University, Vice President of Technology and Academic Partnerships at Nortel, Vice President of the Architecture Lab at Bay Networks, and, currently, as President of Palo Alto Innovation Advisors, where he advises and serves as an executive for technology start-ups in the Palo Alto area and around the world.
Courtney Smith, Co-Founder, Executive Creative Director, PureMatter
Courtney Smith is an accomplished creative strategist, storyteller, writer, and designer. Under her leadership, PureMatter has earned hundreds of creative awards and been featured in the PRINT International Design Annual. Courtney has juried over 30 creative competitions, including Creativity International. She is an invited member of the Academy of Interactive and Visual Arts.
Emmanuel Tsekleves, Senior Lecturer in Design Interactions, University of Lancaster
Dr. Emmanuel Tsekleves is a senior lecturer and writer based out of the United Kingdom. Emmanuel designs interactions between people, places, and products by forging creative design methods along with digital technology. His design-led research in the areas of health, ageing, well-being, and defence has generated public interest and attracted media attention by the national press, such as the Daily Mail, Daily Mirror, The Times, Discovery News, and several other international online media outlets.
Airini Ab Rahman. “Emerging Technologies with Emerging Effects; A Review”. Universiti Teknologi Malaysia. PERINTIS eJournal, June 2017. Web.
Anthony, Scott. “Kodak’s Downfall Wasn’t About Technology.” Harvard Business Review, 15 July 2016. Web.
ARM. The Intelligent Flexible Cloud. 26 Feb. 2015. Web.
Association of Computing Machinery. Communications of the ACM, n.d. Web.
Barnett, Thomas. “Three Mobile Trends to Watch.” Cisco Blogs, 3 Feb. 2015. Web.
Batelle, John. “The 70 Percent Solution.” CNN, 1 Dec 2005. Web.
Booz Allen Hamilton. Managing Technological Change: 7 Ways to Talk Tech with Management, n.d. Web.
Brynjolfsson, Erik, and Andrew McAfee. The Second Machine Age: Work, Progress, and Prosperity in a Time of Brilliant Technologies. W. W. Norton, 2014. Print.
Christensen, Clayton M. “What is Disruptive Innovation?” Harvard Business Review, Dec 2015. Web.
Christensen, Clayton M. and James Euchner. “Managing Disruption: An Interview With Clayton Christensen.” Research-Technology Management, 22 Dec 2015. vol. 54, no. 1. Web.
Christensen, Clayton M., Rory McDonald, and Elizabeth J. Altman. “Disruptive Innovation: An Intellectual History and Directions for Future Research”. Wiley Online Library. Web.
Christensen, Clayton M., Taddy Hall, Karen Dillon, and David S. Duncan. “Know Your Customers’ Jobs to be Done.” Harvard Business Review, Sept. 2016. Web.
Cisco. “Cisco Annual Internet Report.” n.d. Web.
Cisco. Cisco Visual Networking Index: Forecast and Methodology, 2014-2019, 27 May 2015. Web.
Clark, Steven. “Elon Musk hopes SpaceX will send humans to Mars in 2024.” Spaceflight Now, 2 June 2016. Web.
Clarke, Angela. “A practical use of key success factors to improve the effectiveness of project management,” International Journal of Project Management, June 1999 (17): 139-145.
Collins, Andrew L., Patrick Hester, Barry Ezell, and John Horst. “An improvement selection methodology for key performance indicators.” Environmental Systems and Decisions, June 2016, 36 (2): 196-208.
Computer Sciences Corporation. CSC Global CIO Survey: 2014-2015: CIOs Emerge as Disruptive Innovators: An Annual Barometer of Global CIOs’ Plans, Priorities, Threats, and Opportunities, 2014. Web.
Constine, John. “Voice is Chat’s Next Battleground.” TechCrunch, 19 Sept. 2016. Web.
Cressman, Daryl. “Disruptive Innovation and the Idea of Technology”. Maastricht University, June 2019. Web.
Crown Prosecution Service. A Guide to Process Mapping and Improvement. n.d. Web.
Curran, Chris. “The CIO’s Role in the Internet of Things.” PwC, 13 Mar. 2014. Web.
Darbha, Sheta, Mike Shevenell, and Jason Normandin. “Impact of Software-Defined Networking on Infrastructure Management.” CA Technology Exchange, 4.3, Nov. 2013, pp. 33-43. Web.
Denecken, Sven. Conquering Disruption Through Digital Transformation: Technologies, Leadership Strategies, and Best Practices to Create Opportunities for Innovation. SAP, 2014. Web.
DHL Trend Research and Cisco Consulting Services. Internet of Things in Logistics: A Collaborative Report by DHL and Cisco on Implications and Use Cases for the Logistics Industry, 2015. Web.
Dirican, Cüneyt. “The Impacts of Robotics, Artificial Intelligence on Business and Economics.” Procedia: Social and Behavioral Sciences, vol. 195, 2015, pp. 564-573. Web.
Edraw Visualization Solutions. Examples of Flowcharts, Org Charts and More. “Cross-Function Flowchart Examples – Service Flowchart.”
Emerson. Data Center 2025: Exploring the Possibilities, 2014. Web.
Ericsson. Next-Generation Data Center Infrastructure, Feb. 2015. Web.
Eurotech. Connecting M2M Applications to the Cloud to Bolster Hardware Sales, 2014. Web.
Evans Gary, Llewellyn. “Disruptive Technology and the Board: The Tip of the Iceberg”. Economics and Business Review, n.d. Web.
Gage, Deborah. “The Venture Capital Secret: 3 Out of 4 Start-Ups Fail.” Wall Street Journal, 20 Sept. 2012. Web.
Garvin, David A. “Competing on the Eight Dimensions of Quality.” Harvard Business Review, November 1987. Web.
Gibbs, Colin. Augmented Reality in the Enterprise: Opportunities and Challenges. Gigaom Research, 26 Jan. 2015. Web.
Glushko, Robert J. and Tim McGrath. Document Engineering: Analyzing and Designing Documents for Business Informatics and Web Services. MIT Press, 2005.
Hadfield, Tom. “Facebook’s Messenger Bot Store could be the most important launch since the App Store.” TechCrunch, 17 March 2016. Web.
Healey, Nic. “Microsoft's mixed reality vision: 80 million devices by 2020.” CNET, 1 June 2016. Web.
Hewlett-Packard. Go Beyond Cost Reduction: Use Robotic Process Automation, Oct. 2015. Web.
Hewlett-Packard. HP Composable Infrastructure: Bridging Traditional IT with the New Style of Business, June 2015. Web.
Hewlett-Packard. HP Labs, n.d. Web.
Hong, Jason. “Inside the Great Wall.” Communications of the ACM, 25 May 2016. Web.
IBM Institute for Value. Your Cognitive Future: How Next-Gen Computing Changes the Way We Live and Work, 2015. Web.
IBM. A New Way to Work: Futurist Insights to 2025 and Beyond, Jan. 2015. Web.
Infinity. The Evolution of the Data Centre [sic], 2015. Web.
Intel Corporation. Intel Annual Report, 1997. Web.
Isaac, Mike. “Facebook Bets on Bots for its Messenger App.” New York Times, 12 April 2016. Web.
ISACA. COBIT 5: Enabling Processes. ISACA, 2012. Print.
K-12 Blueprint. “Planning a Proof of Concept.” 2014. Web.
Kaushik Rukmini, Meenakshi. “The Impact of Pandemic COVID -19 in Workplace.” European Journal of Business Management and Research, May 2020. Web.
Knight, Will. “Conversational Interfaces Powerful speech technology from China’s leading Internet company makes it much easier to use a smartphone.” MIT Technology Review, n.d. Web.
Kostoff, Ronald N., Robert Boylan, and Gene R. Simons. “Disruptive Technology Roadmaps.” Technological Forecasting and Social Change, 2004. Vol. 71. Web.
Kurzweil, Ray. “The Accelerating Power of Technology.” TED, Feb. 2005. Web.
Kurzweil, Ray. Kurzweil: Accelerating Intelligence, 2015. Web.
MacFarquhar, Larissa. “When Giants Fall: What Business Has Learned From Clayton Christensen,” New Yorker, 14 May 2012. Web.
McClintock, Cat. “2016: The Year for Augmented Reality in the Enterprise.” PTC, n.d. Web.
McKinsey & Company. IT Growth and Global Change: A Conversation with Ray Kurzweil. 29 Feb. 2012, YouTube. Web.
Messina, Chris. “2016 Will be the Year of Conversational Commerce.” Medium, 19 Jan 2016. Web.
Microsoft. Microsoft Research, n.d. Web.
Miller, Ron. “Forget the Apple Watch, Think Drones in the Enterprise.” TechCrunch, 10 Sep. 2015. Web.
Nokia Networks. FutureWorks [sic]: Teaching Networks to be Self-Aware: Technology Vision 2020. 2014. Web.
Nokia Networks. Internet of Things. n.d. Web.
O’Reilly, Charles, and Andrew J. M. Binns, “The Three Stages of Disruptive Innovation: Idea Generation, Incubation, and Scaling”. Sage Journals, n.d. Web.
Pew Research Center. AI, Robotics, and the Future of Jobs: Experts Envision Automation and Intelligent Digital Agents Permeating Vast Areas of Our Work and Personal Lives by 2025, but they are Divided on Whether these Advances will Displace More Jobs than they Create. Aug. 2014. Web.
Ramiller, Neil. “Airline Magazine Syndrome: Reading a Myth of Mismanagement.” Information Technology & People, Sept 2001. Print.
Raymond James & Associates. The Internet of Things: A Study in Hype, Reality, Disruption, and Growth. 2014. Web.
Richter, Felix. “No Growth in Sight for Global PC Market.” Statista, 14 March 2016. Web.
Roy, Mekhala. “4 Examples of Digital Transformation Success in Business”. TechTarget, n.d. Web.
Simon Weinreich, “How to Manage Disruptive Innovation - a conceptional methodology for value-oriented portfolio planning,” Sciencedirect. 31st CIRP Design Conference 2021.
Spice Works. The Devices are Coming! How the “Internet of Things” will affect IT… and why resistance is futile. May 2014. Web.
Spradlin, Dwayne. “Are You Solving the Right Problem?” Harvard Business Review, Sept. 2012. Web.
Statista. “Number of smartphones sold to end users worldwide from 2007 to 2015 (in million units).” N.d. Web.
Statista. “Worldwide tablet shipments from 2nd quarter 2010 to 2nd quarter 2016 (in million units).” N.d. Web.
Sven Schimpf, “Disruptive Field Study; How Companies Identify, Evaluate, Develop and Implement Disruptive Technologies.” Fraunhofer Group for Innovation Research, 2020. Web.
Tsekleves, Emmanuel. “Science fiction as fact: how desires drive discoveries.” The Guardian, 13 Aug. 2015. Web.
United States Department of Transportation. “National Motor Vehicle Crash Causation Survey: Report to Congress.” National Highway Traffic Safety Administration, July 2008. Web.
University Alliance (Villanova U). Managing Scope Creep in Project Management. N.d. Web.
Vavoula, Giasemi N., and Mike Sharples. “Future Technology Workshop: A Collaborative Method for the Design of New Learning Technologies and Activities.” International Journal of Computer Supported Collaborative Learning, Dec 2007. Vol. 2 no. 4. Web.
Walraven Pieter. “It’s Operating Systems Vs. Messaging Apps In The Battle For Tech’s Next Frontier.” TechCrunch, 11 Aug 2015. Web.
Webb, Amy. “The Tech Trends You Can’t Ignore in 2015.” Harvard Business Review, 5 Jan. 2015. Web.
Wenger, Albert. “The Great Bot Rush of 2015-16.” Continuations, 16 Dec 2015. Web.
White, Chris. “IoT Tipping Point Propels Digital Experience Era.” Cisco Blogs, 12 Nov. 2014. Web.
World Economic Forum and Accenture. Industrial Internet of Things: Unleashing the Potential of Connected Products and Services. 2015. Web.
Yu Dan and Hang Chang Chieh, "A reflective review of disruptive innovation theory," PICMET '08 - 2008 Portland International Conference on Management of Engineering & Technology, 2008, pp. 402-414, doi: 10.1109/PICMET.2008.4599648.
Valence Howden, Principal Research Director, CIO Practice
Petar Hristov, Research Director, Security, Privacy, Risk & Compliance
Ian Mulholland, Research Director, Security, Risk & Compliance
Brittany Lutes, Senior Research Analyst, CIO Practice
Ibrahim Abdel-Kader, Research Analyst, CIO Practice
Every organization has a threshold for risk that should not be exceeded, whether that threshold is defined or not.
In the age of digital, information and technology will undoubtedly continue to expand beyond the confines of the IT department. As such, different areas of the organization cannot address these risks in silos. A siloed approach will produce different ways of identifying, assessing, responding to, and reporting on risk events. Integrated risk management is about embedding IT uncertainty to inform good decision making across the organization.
When risk is integrated into the organization's enterprise risk management program, it enables a single view of all risks and the potential impact of each risk event. More importantly, it provides a consistent view of the risk event in relation to uncertainty that might have once been seemingly unrelated to IT.
And all this can be achieved while remaining within the enterprise’s clearly defined risk appetite.
Most organizations fail to integrate IT risks into enterprise risks:
IT leaders have to overcome these obstacles when it comes to integrating risk:
By leveraging the Info-Tech Integrated Risk approach, your business can better address and embed risk by:
Stop avoiding risk – integrate it. This provides a holistic view of uncertainty for the organization to drive innovative new approaches to optimize its ability to respond to risk.
Enterprise risk management is the practice of identifying and addressing risks to your organization and using risk information to drive better decisions and better opportunities.
IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.
Risk-mature organizations have a unique benefit in that they often have established an overarching governance framework and embedded risk awareness into the culture.
35% — Only 35% of organizations had embraced ERM in 2020. (Source: AICPA and NC State Poole College of Management)
12% — Only 12% of organizations are leveraging risk as a tool to their strategic advantage. (Source: AICPA and NC State Poole College of Management)
62% — Accessing and disseminating information is the main challenge for 62% of organizations maturing their organizational risk management. (Source: OECD)
20-28% — Organizations with access to machine learning and analytics to address future risk events have 20 to 28% more satisfaction. (Source: Accenture)
Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.
Risk Drivers
Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021)
63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021)
Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020)
55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
1. Assess Enterprise Risk Maturity
2. Determine Authority with Governance
3. Build a Risk Management Program Plan
4. Establish Risk Management Processes
5. Implement a Risk Management Program
Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.
Governance and related decision making is optimized with integrated and aligned risk data.
ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types. The program plan is meant to consider all the major risk types in a unified approach.
Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.
Stop fearing risk – integrate it. Integration leads to opportunities for organizations to embrace innovation and new digital technologies as well as reducing operational costs and simplifying reporting.
Governance of risk management for information- and technology-related events is often misplaced. Just because it's classified as an IT risk does not mean it shouldn’t be owned by the board or business executive.
Integrating risk requires a baseline of risk maturity at the enterprise level. IT can push integrating risks, but only if the enterprise is willing to adopt the attitudes and behaviors that will drive the integrated risk approach.
It is not a strategic decision to have different areas of the organization manage the risks perceived to be in their department. It’s the easy choice, but not the strategic one.
Different areas of an enterprise apply risk management processes differently. Determining a single method for identification, assessment, response, and monitoring can ensure successful implementation of enterprise risk management.
Good risk management will consider both the positives and negatives associated with a risk management program by recognizing both the upside and downside of risk event impact and likelihood.
IT Benefits
Business Benefits
“31% of CIOs expected their role to expand and include risk management responsibilities.” (IDG “2021 State of the CIO,” 2021)
58%: Focus not just on preventive risk management but also on the value-creating opportunities. With 58% of organizations concerned about disruptive technology, it’s an opportunity to take the concern and transform it into innovation. (Accenture)
70%: Invest in tools that have data and analytics features. Currently, “gut feelings” or “experience” inform the risk management decisions for 70% of late adopters. (Clear Risk)
54%: Align to the strategic vision of the board and CEO, given that these two roles account for 54% of the accountability associated with extended enterprise risk management. (“Extended Enterprise Risk Management Survey, 2020,” Deloitte)
63%: Include IT leaders in the risk committee to support informed decision making. Currently 63% of chief technology officers are included in the C‑suite risk committee. (AICPA & NC State Poole College of Management)
Successful adoption of integrated risk management is often associated with these key elements.
Mature or not, integrated risk management should be a consideration for all organizations
The first step to integrating risk management within the enterprise is to understand the organization’s readiness to adopt practices that will enable it to successfully integrate information. In 2021, we saw enterprise risk management assessments become one of the most common trends, particularly as a method by which the organization can consolidate the potential impacts of uncertainties or threats (Lawton, 2021). A major driver for this initiative was the recognition that information and technology not only have enterprise-wide impacts on the organization’s risk management but that IT has a critical role in supporting processes that enable effective access to data/information. A maturity assessment has several benefits for an organization: It ensures there is alignment throughout the organization on why integrated risk is the right approach to take, it recognizes the organization’s current risk maturity, and it supports the organization in defining where it would like to go.
Integrated Risk Maturity Categories
1. Context & Strategic Direction: Understand the organization’s main objectives and how risk can support or enhance those objectives.
2. Risk Culture and Authority: Examine if risk-based decisions are being made by those with the right level of authority and if the organization’s risk appetite is embedded in the culture.
3. Risk Management Process: Determine if the current process to identify, assess, respond to, monitor, and report on risks is benefitting the organization.
4. Risk Program Optimization: Consider opportunities where risk-related data is being gathered, reported, and used to make informed decisions across the enterprise.
For organizations with a low maturity, remaining superficial with risk will offer more benefits and align to the enterprise’s risk tolerance and appetite. This might mean no integrated risk is taking place.
However, organizations that have higher risk maturity should begin to integrate risk information. These organizations can identify the nuances that would affect the severity and impact of risk events.
The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM).
Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.
Integrated Risk Maturity Assessment
A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization.
Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organization.
Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Assess current prevention, detection, analysis, and response capabilities.
Design your optimized state of operations.
Identify opportunities for collaboration within your security program.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Determine current prevention, detection, analysis, and response capabilities, operational inefficiencies, and opportunities for improvement.
Determine why you need a sound security operations program.
Understand Info-Tech’s threat collaboration environment.
Evaluate your current security operation’s functions and capabilities.
1.1 Understand the benefits of refining your security operations program.
1.2 Gauge your current prevention, detection, analysis, and response capabilities.
Security Operations Preliminary Maturity Assessment Tool
Begin developing and prioritizing gap initiatives in order to achieve the optimal state of operations.
Establish your goals, obligations, scope, and boundaries.
Assess your current state and define a target state.
Develop and prioritize gap initiatives.
Define the cost, effort, alignment, and security benefits of each initiative.
Develop a security strategy operational roadmap.
2.1 Assess your current security goals, obligations, and scope.
2.2 Design your ideal target state.
2.3 Prioritize gap initiatives.
Information Security Strategy Requirements Gathering Tool
Security Operations Maturity Assessment Tool
Identify opportunities for collaboration.
Formalize your operational process flows.
Develop a comprehensive and actionable measurement program.
Understand the current security operations process flow.
Define the security operations stakeholders and their respective deliverables.
Formalize an internal information-sharing and collaboration plan.
3.1 Identify opportunities for collaboration.
3.2 Formalize a security operations collaboration plan.
3.3 Define operational roles and responsibilities.
3.4 Develop a comprehensive measurement program.
Security Operations RACI & Program Plan Tool
Security Operations Collaboration Plan
Security Operations Cadence Schedule Template
Security Operations Metrics Summary
“A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Protect your assets by preparing for the inevitable; unify your prevention, detection, analysis, and response efforts and provide assurance to your stakeholders that you are making information security a top priority.”
Edward Gray,
Consulting Analyst, Security, Risk & Compliance
Info-Tech Research Group
This Research Is Designed For:
This Research Will Help You:
This Research Will Also Assist:
This Research Will Help Them:
Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment) and $143 is indirect cost (e.g. abnormal customer churn). (Source: Ponemon Institute, “2015 Cost of Data Breach Study: United States”)
(Source: The Network, “Cisco 2017 Security Capabilities Benchmark Study”)
60% of organizations say security operation teams have little understanding of each other’s requirements.
40% of executives report that poor coordination leads to excessive labor and IT operational costs.
38-100% increase in efficiency after closing operational gaps with collaboration.
(Source: Forbes, “The Game Plan for Closing the SecOps Gap”)
“Empower a few administrators with the best information to enable fast, automated responses.”
Insufficient security personnel resourcing has been identified as the most prevalent challenge in security operations…
When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify inefficiencies in the incident response (IR) process, impacting the organization’s ability to minimize damage and downtime.
The solution: optimize your SOC. Info-Tech has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization.
Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operations, and technology infrastructure on a daily basis.
Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.
Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.
Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.
Vulnerability Management
Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
Deliverables
Threat Intelligence
Threat intelligence addresses the collection, analysis, and dissemination of external threat data. Analysts act as liaisons to their peers, publishing actionable threat alerts, reports, and briefings. Threat intelligence proactively monitors and identifies whether threat indicators are impacting your organization.
Operations
Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. Analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.
Develop and Implement a Security Incident Management Program
Incident Response
Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. IR teams coordinate root-cause analysis and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.
…better protect your organization with an interdependent and collaborative security operations program.
Phase 01: Assess your operational requirements.
Phase 02: Optimize and further mature your security operations processes.
Phase 3a: Develop the process flow and specific interaction points between functions.
Phase 3b: Test your current capabilities with a tabletop exercise.
Briefly assess your current prevention, detection, analysis, and response capabilities.
Highlight operational weak spots that should be addressed before progressing.
Develop a prioritized list of security-focused operational initiatives.
Conduct a holistic analysis of your operational capabilities.
Define the operational interaction points between security-focused operational departments.
Document the results in a comprehensive operational interaction agreement.
Test your operational processes with Info-Tech’s security operations tabletop exercise.
Effective security operations management will help you do the following:
Impact
Short term:
Long term:
A practical approach, justifying the value of security operations, is to identify the assets at risk and calculate the cost to the company should the information assets be compromised (i.e. assess the damage an attacker could do to the business).
Cost Structure | | Cost Estimation ($) for SMB (Small and medium-sized business) | Cost Estimation ($) for LE (Large enterprise) |
Security controls | Technology investment: software, hardware, facility, maintenance, etc. Cost of process implementation: incident response, CMDB, problem management, etc. Cost of resource: salary, training, recruiting, etc. | $0-300K/year | $200K-2M/year |
Security incidents (if no security control is in place) | Explicit cost: | $15K-650K/year | $270K-11M/year |
Contact your account representative or email Workshops@InfoTech.com for more information.
Workshop Day 1 | Workshop Day 2 | Workshop Day 3 | Workshop Day 4 | Workshop Day 5
Activities
Deliverables
All Final Deliverables
1. Assess Operational Requirements
2. Develop Maturity Initiatives
3. Define Interdependencies
Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
Estimated time to completion: 30 minutes
Discussion: Why are we pursuing this project? What are the objectives for optimizing and developing sound security operations?
Stakeholders Required:
Resources Required:
Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.
Security operations must provide several fundamental functions:
At its core, a security operations program is responsible for the prevention, detection, analysis, and response of security events.
Optimized security operations can seamlessly integrate threat and incident management processes with monitoring and compliance workflows and resources. This integration unlocks efficiency.
Foundational | Operational | Strategic
Security Operations Capabilities →
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address threats impacting the organization’s brand, operations, and technology infrastructure.
Info-Tech Best Practice: Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.
Develop and Implement a Security Incident Management Program
The value of a SOC can be achieved with fewer prerequisites than you think. While it is difficult to cut back on process and technology requirements, human capital is transferrable between roles and functions and can be cross-trained to satisfy operational gaps.
People. Effective human capital is fundamental to establishing an efficient security operations program, and if enabled correctly, can be the driving factor behind successful process optimization. Ensure you address several critical human capital components:
Processes. Formal and informal mechanisms that bridge security throughout the collaboration environment and organization at large. Ask yourself:
Technology. The composition of all infrastructure, systems, controls, and tools that enable processes and people to operate and collaborate more efficiently. Determine:
At a high level, assess your organization’s operational maturity in each of the threat collaboration environment functions. Determine whether the foundational processes exist in order to mature and streamline your security operations.
Develop and Implement a Security Incident Management Program
Prioritize the component most important to the development of your security operations program.
Each “security capability” covers a component of the overarching “security function.”
Assign a current and target maturity score to each respective security capability. (Note: The CMMI maturity scores are further explained on the following slide.)
Document any/all comments for future Info-Tech analyst discussions.
Maturity scale, from Ad Hoc (1) to Optimized (5):
1. Initial/Ad Hoc: Activity is not well defined and is ad hoc, e.g. no formal roles or responsibilities exist, de facto standards are followed on an individual-by-individual basis.
2. Developing: Activity is established and there is moderate adherence to its execution, e.g. while no formal policies have been documented, content management is occurring implicitly or on an individual-by-individual basis.
3. Defined: Activity is formally established, documented, repeatable, and integrated with other phases of the process, e.g. roles and responsibilities have been defined and documented in an accessible policy, however, metrics are not actively monitored and managed.
4. Managed and Measurable: Activity execution is tracked by gathering qualitative and quantitative feedback, e.g. metrics have been established to monitor the effectiveness of tier-1 SOC analysts.
5. Optimized: Qualitative and quantitative feedback is used to continually improve the execution of the activity, e.g. the organization is an industry leader in the respective field; research and development efforts are allocated in order to continuously explore more efficient methods of accomplishing the task at hand.
Notes: Info-Tech seldom sees a client achieve a CMMI score of 4 or 5. To achieve a state of optimization there must be a subsequent trade-off elsewhere. As such, we recommend that organizations strive for a CMMI score of 3 or 4.
Review the report cards for each of the respective threat collaboration environment functions.
Self-Assessment Questions
1. Assess Operational Requirements | 2. Develop Maturity Initiatives | 3. Define Interdependencies
Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
A common challenge for security leaders is learning to express their initiatives in terms that are meaningful to business executives.
Frame the importance of your security operations program to Oftentimes resourcing and funding is dependent on the |
Corporate goals and objectives can be categorized into three major buckets:
Developing a security operations strategy is a proactive activity that enables you to get in front of any upcoming business projects or industry trends rather than having to respond reactively later on. Consider as many foreseeable variables as possible!
It is important to define all security-related areas of responsibility. Upon completion you should clearly understand what you are trying to secure.
Ask yourself:
The organizational scope and boundaries can be categorized into four major buckets:
This also includes what is not within scope. For some outsourced services or locations you may not be responsible for security. For some business departments you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.
Explicitly understanding how security aligns with the core business mission is critical for having a strategic plan and fulfilling the role of business enabler.
Download and complete the information security goals, obligations, and scope activities (Section 1.3) within the Info-Tech security strategy research publication. If previously completed, take the time to review your results.
GOALS and OBLIGATIONS
Goals & Obligations
PROGRAM SCOPE & BOUNDARIES
If a well-defined corporate strategy does not exist, these questions can help pinpoint objectives:
Program Scope & Boundaries
For more information on how to complete the goals & obligations activity please reference Section 1.3 of Info-Tech’s Build an Information Security Strategy blueprint.
On tab 1. Goals and Obligations:
On tab 2. Scope and Boundaries:
For the purpose of this security operations initiative please IGNORE the risk tolerance activities on tab 3.
A common challenge for security leaders is expressing their initiatives in terms that are meaningful to business executives. This exercise helps make explicit the link between what the business cares about and what security is trying to do.
Define your current and target state
Self-assess your current security operations capabilities and determine your intended state.
Create your gap initiatives
Determine the operational processes that must be completed in order to achieve the target state.
Prioritize your initiatives
Define your prioritization criteria (cost, effort, alignment, security benefit) based on your organization
Build a Gantt chart for your upcoming initiatives
The final output will be a Gantt chart to action your prioritized initiatives.
Progressive improvements provide the most value to IT and your organization. Leaping from pre-foundation to complete optimization is an ineffective goal. Systematic improvements to your security performance deliver value to your organization at each step along the way.
Dashboards: Centralized visibility, threat analytics, and orchestration enable faster threat detection with fewer resources.
Adding more controls to a network never increases resiliency. Identify technological overlaps and eliminate unnecessary costs.
Automation: There is a shortfall in human capital in contrast to the required tools and processes. Automate the more trivial processes.
SOCs with 900 employees are just as efficient as those with 35-40. There is an evident tipping point in marginal value.
There are no plug-and-play technological solutions – each is accompanied by a growing pain and an affiliated human capital cost.
Planning: Narrow the scope of operations to focus on protecting assets of value.
Cross-train employees throughout different silos. Enable them to wear multiple hats.
Practice: None of the processes happen in a vacuum. Make the most of tabletop exercises and other training exercises.
Define appropriate use cases and explicitly state threat escalation protocol. Focus on automating the tier-1 analyst role.
1. Review:
The heading in blue is the security domain, light blue is the subdomain, and white is the specific control.
2. Determine and Record:
Ask participants to identify your organization’s current maturity level for each control. Next, determine a target maturity level that meets the requirements of the area (requirements should reflect the goals and obligations defined earlier).
3.
In small groups, have participants answer “what is required to achieve the target state?” Not all current/target state gaps will require additional description, explanation, or an associated initiative. You can generate one initiative that may apply to multiple line items.
When customizing your gap initiatives consider your organizational requirements and scope while remaining realistic. Below is an example of lofty vs. realistic initiatives:
Lofty: Perform thorough, manual security analysis. Realistic: Leverage our SIEM platform to perform more automated security analysis through the use of log information.
Initiatives | | Consolidated Initiatives | |
Document data classification and handling in AUP | → | Document data classification and handling in AUP | Keep urgent or exceptional initiatives separate so they can be addressed appropriately. |
Document removable media in AUP | → | Define and document an Acceptable Use Policy | Other similar or related initiatives can be consolidated into one item. |
Document BYOD and mobile devices in AUP | → | | |
Document company assets in Acceptable Use Policy (AUP) | → | | |
After inputting your current and target scores and defining your gap initiatives in tab 2, review tab 3. Current Maturity and tab 4. Maturity Gap in Info-Tech’s Security Operations Maturity Assessment Tool. Automatically built charts and tables provide a clear visualization of your current maturity. Presenting these figures to stakeholders and management can help visually draw attention to high-priority areas and contextualize the gap initiatives for which you will be seeking support.
Communicate the value of future security projects to stakeholders by copying relevant charts and tables into an executive stakeholder communication presentation (ask an Info-Tech representative for further information).
Define low, medium, and high resource allocation, and other variables for your gap initiatives in the Concept of Operations Maturity Assessment Tool. These variables include:
Info-Tech Best Practice: When considering these parameters, aim to use already existing resource allocations. For example, if there is a dollar value that would require you to seek approval for an expense, this might be the difference between a medium and a high cost category.
Info-Tech Best Practice: Make sure you consider the value of AND/OR. For either alignment with business or security benefit, the use of AND/OR can become useful thresholds to rank similar importance but different value initiatives. Example: with alignment with business, an initiative can indirectly support a key compliance requirement OR meet a key corporate goal.
You cannot do everything – and you probably wouldn’t want to. Make educated decisions about which projects are most important and why.
Identify easy-win tasks and high-value projects worth fighting for.
Categorize the Initiative: Select the gap initiative type from the drop-down list. Each category (Must, Should, Could, and Won’t) is considered to be an “execution wave.” There is also a specific order of operations within each wave. Based on dependencies and order of importance, you will execute on some “must-do” items before others.
Assign Criteria: For each gap initiative, evaluate it based on your previously defined parameters for each variable.
Overall Cost/Effort Rating: An automatically generated score between 0 and 12. The higher the score attached to the initiative, the more effort required. The must-do, low-scoring items are quick wins and must be prioritized first.
CASE STUDY
Industry: Financial Services | Source: Info-Tech Research Group
Framework Components
Security Domains & Accompanied Initiatives (A portion of completed domains and initiatives)
CSC began by creating over 100 gap initiatives across Info-Tech’s seven security domains.
Current-State Assessment | Context & Leadership | Compliance, Audit & Review | Security Prevention |
Gap Initiatives Created | 12 Initiatives | 14 Initiatives | 45 Initiatives |
Gap Initiative Prioritization
CSC’s defined low, medium, and high for cost and staffing are specific to the organization.
CSC then consolidated its initiatives to create fewer than 60 concise tasks.
*Initiatives and variables have been changed or modified to maintain anonymity.
In the Gantt chart, go through each wave in sequence and determine the planned start date and planned duration for each gap initiative. As you populate the planned start dates, take into consideration the resource constraints or dependencies for each project. Go back and revise the granular execution wave to resolve any conflicts you find.
Review considerations
This is a living management document
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to successfully complete your project.
If you are not communicating, then you are not secure.
Call 1-888-670-8889 or email workshops@infotech.com for more information.
Self-Assessment Questions
1. Assess Operational Requirements | 2. Develop Maturity Initiatives | 3. Define Interdependencies
If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.
Define Strategic Needs and Requirements | Participate in Information Sharing | Communicate Clearly
Simple collaborative activities, such as a biweekly meeting, can unite prevention, detection, analysis, and response teams to help prevent siloed decision making.
Document your security operations’ functional capabilities and operational tasks to satisfy each capability.
What resources will you leverage to complete the specific task/capability? Identify your internal and external collection sources to satisfy the individual requirement.
Identify the affiliated product, service, or output generated from the task/capability.
Determine your escalation protocol. Who are the stakeholders you will be sharing this information with?
Capabilities
The major responsibilities of a specific function. These are the high-level processes that are expected to be completed by the affiliated employees and/or stakeholders.
Tasks
The specific and granular tasks that need to be completed in order to satisfy a portion of or the entire capability.
Download Info-Tech’s Security Operations RACI Chart & Program Plan.
Security Operations Collaboration Plan
Security operations provides a single pane of glass through which the threat collaboration environment can manage its operations.
How to customize
The security operations interaction agreement identifies opportunities for optimization through collaboration and cross-training. The document is composed of several components:
Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.
Security Operations RACI Chart & Program Plan
Formally documenting roles and responsibilities helps hold people accountable and creates awareness of everyone’s involvement in various tasks.
How to customize
Download Info-Tech’s Security Operations RACI Chart & Program Plan.
Internal Consumers | External Consumers
Note: Your organization might not be the final target, but it could be a primary path for attackers. If you exist as a third-party partner to another organization, your responsibility in your technology ecosystem extends beyond your own product or service offerings.
“In order to support a healthy constituency, network operations and security operations should be viewed as equal partners, rather than one subordinate to the other.” (Mitre world-class CISO)
Security Operations Program Service & Product Catalog
Create an informal security operations program service and product catalog. Work your way backwards – map each deliverable to the respective stakeholders and functions.
Action/Output: Document the key services and outputs produced by the security operations program. For example:
Frequency: Define the frequency with which each deliverable or service is produced or conducted. Leverage this activity to establish a state of accountability within your threat collaboration environment.
Stakeholders/Function: Identify the stakeholders or groups affiliated with each output. Remember to include potential MSSPs.
Remember to include any target-state outputs or services identified in the maturity assessment.
Use this exercise as an opportunity to organize your security operations outputs and services.
Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment.
Ensure information is shared in a format that relates to the particular end user. Internal consumers fall into two categories:
Collaboration includes the exchange of:
Collaboration can be achieved through:
Isolation prevents businesses from learning from each other’s mistakes and/or successes.
Security Operations Program Cadence Schedule Template
Design your meetings around your security operations program’s outputs and capabilities
How to customize
Don’t operate in a silo. Formalize a cadence schedule to develop a state of accountability, share information across the organization, and discuss relevant trends. A detailed cadence schedule should include the following:
Schedule regular meetings composed of key members from different working groups to discuss concerns, share goals, and communicate operational processes pertaining to their specific roles.
(Source: iSIGHT, “Definitive Guide to Threat Intelligence”)
Refrain from using scare tactics such as fear, uncertainty, and doubt (FUD). While this may be a short-term solution, it limits the longevity of your operations as senior management is not truly invested in the initiative.
Example: Align your strategic needs with those of management.
Identify assets of value, current weak security measures, and potential adversaries. Demonstrate how an optimized security operations program can mitigate those threats.
There are three types of metrics pertaining to security operations:
1) Operations-focused: Operations-focused metrics are typically communicated through a centralized visualization such as a dashboard. These metrics guide operational efforts, identifying operational and control weak points while ensuring the appropriate actions are taken to fix them. Examples include, but are not limited to:
2) Business-focused: The evaluation of operational success from a business perspective. Example metrics include:
3) Initiative-focused: The measurement of security operations project progress. These are frequently represented as time, resource, or cost-based metrics.
Note: Remember to measure end-user feedback. Asking stakeholders about their current expectations via a formal survey is the most effective way to kick-start the continuous improvement process.
Info-Tech Best Practice: Operational metrics have limited value beyond security operations – when communicating to management, focus on metrics that are actionable from a business perspective.
Download Info-Tech’s Security Operations Metrics Summary Document.
Leverage Info-Tech’s Security Operations Tabletop Exercise to guide simulations to validate your operational procedures.
How to customize
This tabletop exercise is available through an onsite workshop as we can help establish and design a tabletop capability for your organization.
Self-Assessment Questions
Insights
Best Practices
Protect your organization with an interdependent and collaborative security operations program.
“2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” Ponemon Institute, June 2016. Web. 10 Nov. 2016.
Ahmad, Shakeel et al. “10 Tips to Improve Your Security Incident Readiness and Response.” RSA, n.d. Web. 12 Nov. 2016.
Anderson, Brandie. “Building, Maturing & Rocking a Security Operations Center.” Hewlett Packard, n.d. Web. 4 Nov. 2016.
Barnum, Sean. “Standardizing cyber threat intelligence information with the structured threat information expression.” STIX, n.d. Web. 03 Oct. 2016.
Bidou, Renaud. “Security Operation Center Concepts & Implementation.” IV2-Technologies, n.d. Web. 20 Nov. 2016.
Bradley, Susan. “Cyber threat intelligence summit.” SANS Institute InfoSec Reading Room, n.d. Web. 03 Oct. 2016.
“Building a Security Operations Center.” DEF CON Communications, Inc., 2015. Web. 14 Nov. 2016.
“Building a Successful Security Operations Center.” ArcSight, 2015. Web. 21 Nov. 2016.
“Building an Intelligence-Driven Security Operations Center.” RSA, June 2014. Web. 25 Nov. 2016.
Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. “Diamond Model of Intrusion Analysis,” Center for Cyber Threat Intelligence and Threat Research, 5 July 2013. Web. 25 Aug. 2016.
“Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions Organizations Are Taking.” The Network. Cisco, 31 Jan. 2017. Web. 11 Nov. 2017.
“CITP Training and Education.” Carnegie Mellon University, 2015. Web. 03 Oct. 2016.
“Creating and Maintaining a SOC.” Intel Security, n.d. Web. 14 Nov. 2016.
“Cyber Defense.” Mandiant, 2015. Web. 10 Nov. 2016.
“Cyber Security Operations Center (CSOC).” Northrop Grumman, 2014. Web. 14 Nov. 2016.
Danyliw, Roman. “Observations of Successful Cyber Security Operations.” Carnegie Mellon, 12 Dec. 2016. Web. 14 Dec. 2016.
“Designing and Building Security Operations Center.” SearchSecurity. TechTarget, Mar. 2016. Web. 14 Dec. 2016.
EY. “Managed SOC.” EY, 2015. Web. 14 Nov. 2016.
Fishbach, Nicholas. “How to Build and Run a Security Operations Center.” Securite.org, n.d. Web. 20 Nov. 2016.
“Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 12 Feb. 2014. Web.
Friedman, John, and Mark Bouchard. “Definitive Guide to Cyber Threat Intelligence.” iSIGHT, 2015. Web. 1 June 2015.
Goldfarb, Joshua. “The Security Operations Hierarchy of Needs.” Securityweek.com, 10 Sept. 2015. Web. 14 Dec. 2016.
“How Collaboration Can Optimize Security Operations.” Intel, n.d. Web. 2 Nov. 2016.
Hslatman. “Awesome threat intelligence.” GitHub, 16 Aug. 2016. Web. 03 Oct. 2016.
“Implementation Framework – Collection Management.” Carnegie Mellon University, 2015. Web.
“Implementation Framework – Cyber Threat Prioritization.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.
“Intelligent Security Operations Center.” IBM, 25 Feb. 2015. Web. 15 Nov. 2016.
Joshi Follow , Abhishek. “Best Practices for Security Operations Center.” LinkedIn, 01 Nov. 2015. Web. 14 Nov. 2016.
Joshi. “Best Practices for a Security Operations Center.” Cybrary, 18 Sept. 2015. Web. 14 Dec. 2016.
Kelley, Diana and Ron Moritz. “Best Practices for Building a Security Operations Center.” Information Security Today, 2006. Web. 10 Nov. 2016.
Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle, and Mark Zajicek. ”Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Carnegie Mellon Software Engineering Institute, Dec. 2003. Carnegie Mellon. Web. 10 Nov. 2016.
Kindervag , John. “SOC 2.0: Three Key Steps toward the Next-generation Security Operations Center.” SearchSecurity. TechTarget, Dec. 2010. Web. 14 Dec. 2016.
Kvochko, Elena. “Designing the Next Generation Cyber Security Operations Center.” Forbes Magazine, 14 Mar. 2016. Web. 14 Dec. 2016.
Lambert, P. “ Security Operations Center: Not Just for Huge Enterprises.” TechRepublic, 31 Jan. 2013. Web. 10 Nov. 2016.
Lecky, M. and D. Millier. “Re-Thinking Security Operations.” SecTor Security Education Conference. Toronto, 2014.
Lee, Michael. “Three Elements That Every Advanced Security Operations Center Needs.” CSO | The Resource for Data Security Executives, n.d. Web. 16 Nov. 2016.
Linch, David and Jason Bergstrom. “Building a Culture of Continuous Improvement in an Age of Disruption.” Deloitte LLP, 2014.
Lynch, Steve. “Security Operations Center.” InfoSec Institute, 14 May 2015. Web. 14 Dec. 2016.
Macgregor, Rob. “Diamonds or chains – cyber security updates.” PwC, n.d. Web. 03 Oct. 2016.
“Make Your Security Operations Center (SOC) More Efficient.” Making Your Data Center Energy Efficient (2011): 213-48. Intel Security. Web. 20 Nov. 2016.
Makryllos, Gordon. “The Six Pillars of Security Operations.” CSO | The Resource for Data Security Executives, n.d. Web. 14 Nov. 2016.
Marchany, R. “ Building a Security Operations Center.” Virginia Tech, 2015. Web. 8 Nov. 2016.
Marty, Raffael. “Dashboards in the Security Operations Center (SOC).” Security Bloggers Network, 15 Jan. 2016. Web. 14 Nov. 2016.
Minu, Adolphus. “Discovering the Value of Knowledge Portal.” IBM, n.d. Web. 1 Nov. 2016.
Muniz, J., G. McIntyre, and N. AlFardan. “Introduction to Security Operations and the SOC.” Security Operations Center: Building, Operating, and Maintaining your SOC. Cisco Press, 29 Oct. 2015. Web. 14 Nov. 2016.
Muniz, Joseph and Gary McIntyre. “ Security Operations Center.” Cisco, Nov. 2015. Web. 14 Nov. 2016.
Muniz, Joseph. “5 Steps to Building and Operating an Effective Security Operations Center (SOC).” Cisco, 15 Dec. 2015. Web. 14 Dec. 2016.
Nathans, David. Designing and Building a Security Operations Center. Syngress, 2015. Print.
National Institute of Standards and Technology. “SP 800-61 Revision 2: Computer Security Incident Handling Guide.” 2012. Web.
National Institute of Standards and Technology. “SP 800-83 Revision 1.” 2013. Web.
National Institute of Standards and Technology. “SP 800-86: Guide to Integrating Forensic Techniques into Incident Response.” 2006. Web.
F5 Networks. “F5 Security Operations Center.” F5 Networks, 2014. Web. 10 Nov. 2016.
“Next Generation Security Operations Center.” DTS Solution, n.d. Web. 20 Nov. 2016.
“Optimizing Security Operations.” Intel, 2015. Web. 4 Nov. 2016.
Paganini, Pierluigi. “What Is a SOC ( Security Operations Center)?” Security Affairs, 24 May 2016. Web. 14 Dec. 2016.
Ponemon Institute LLC. “Cyber Security Incident Response: Are we as prepared as we think?” Ponemon, 2014. Web.
Ponemon Institute LLC. “The Importance of Cyber Threat Intelligence to a Strong Security Posture.” Ponemon, Mar. 2015. Web. 17 Aug. 2016.
Poputa-Clean, Paul. “Automated defense – using threat intelligence to augment.” SANS Institute InfoSec Reading Room, 15 Jan. 2015. Web.
Quintagroup. “Knowledge Management Portal Solution.” Quintagroup, n.d. Web.
Rasche, G. “Guidelines for Planning an Integrated Security Operations Center.” EPRI, Dec. 2013. Web. 25 Nov. 2016.
Rehman, R. “What It Really Takes to Stand up a SOC.” Rafeeq Rehman – Personal Blog, 27 Aug. 2015. Web. 14 Dec. 2016.
Rothke, Ben. “Designing and Building Security Operations Center.” RSA Conference, 2015. Web. 14 Nov. 2016.
Ruks, Martyn and David Chismon. “Threat Intelligence: Collecting, Analysing, Evaluating.” MWR Infosecurity, 2015. Web. 24 Aug. 2016.
Sadamatsu, Takayoshi. “Practice within Fujitsu of Security Operations Center.” Fujitsu, July 2016. Web. 15 Nov. 2016.
Sanders, Chris. “Three Useful SOC Dashboards.” Chris Sanders, 24 Oct. 2016. Web. 14 Nov. 2016.
SANS Institute. “Incident Handler's Handbook.” 2011. Web.
Schilling, Jeff. “5 Pitfalls to Avoid When Running Your SOC.” Dark Reading, 18 Dec. 2014. Web. 14 Nov. 2016.
Schinagl, Stef, Keith Schoon, and Ronald Paans. “A Framework for Designing a Security Operations Centre (SOC).” 2015 48th Hawaii International Conference on System Sciences. Computer.org, 2015. Web. 20 Nov. 2016.
“Security – Next Gen SOC or SOF.” InfoSecAlways.com, 31 Dec. 2013. Web. 14 Nov. 2016.
“Security Operations Center Dashboard.” Enterprise Dashboard Digest, n.d. Web. 14 Dec. 2016.
“Security Operations Center Optimization Services.” AT&T, 2015. Web. 5 Nov. 2016.
“Security Operations Centers — Helping You Get Ahead of Cybercrime Contents.” EY, 2014. Web. 6 Nov. 2016.
Sheikh, Shah. “DTS Solution - Building a SOC (Security Operations Center).” LinkedIn, 4 May 2013. Web. 20 Nov. 2016.
Soto, Carlos. “ Security Operations Center (SOC) 101.” Tom's IT Pro, 28 Oct. 2015. Web. 14 Dec. 2016.
“Standardizing and Automating Security Operations.” National Institute of Standards and Technology, 3 Sept. 2006. Web.
“Strategy Considerations for Building a Security Operations Center.” IBM, Dec. 2013. Web. 5 Nov. 2016.
“Summary of Key Findings.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.
“Sustainable Security Operations.” Intel, 2016. Web. 20 Nov. 2016.
“The Cost of Malware Containment.” Ponemon Institute, Jan. 2015. Web.
“The Game Plan for Closing the SecOps Gap.” BMC. Forbes Magazine, Jan. 2016. Web. 10 Jan. 2017.
Veerappa Srinivas, Babu. “Security Operations Centre (SOC) in a Utility Organization.” GIAC, 17 Sept. 2014. Web. 5 Nov. 2016.
Wang, John. “Anatomy of a Security Operations Center.” NASA, 2015. Web. 2 Nov. 2016.
Weiss, Errol. “Statement for the Record.” House Financial Services Committee, 1 June 2012. Web. 12 Nov. 2016.
Wilson, Tim. “SOC 2.0: A Crystal-Ball Glimpse of the Next-Generation Security Operations Center.” Dark Reading, 22 Nov. 2010. Web. 10 Nov. 2016.
Zimmerman, Carson. “Ten Strategies of a World-Class Cybersecurity Operations Center.” Mitre, 2014. Web. 24 Aug. 2016.
Get up-to-speed quickly on key PMO considerations by engaging PMO sponsors, assessing stakeholders, and taking stock of your PMO inventory.
Make your first major initiative as PMO director be engaging the wider pool of PMO stakeholders throughout the organization to determine their expectations for your office.
Review the organization’s current PPM capabilities in order to identify your ability to meet stakeholder expectations and define a sustainable mandate.
Communicate your strategic vision for the PMO and garner stakeholder buy-in.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Quickly develop an on-the-ground view of the organization’s project ecosystem and the PMO’s abilities to effectively serve.
A comprehensive and actionable understanding of the PMO’s tactical environment
1.1 Perform a PMO SWOT analysis.
1.2 Assess the organization’s portfolio management, project management, and organizational change management capability levels.
1.3 Take inventory of the PMO’s resourcing levels, project demand levels, and tools and artifacts.
Overview of current strengths, weaknesses, opportunities, and threats
Documentation of your current process maturity to execute key portfolio management, project management, and organizational change management functions
Stock of the PMO’s current access to PPM personnel relative to total project demand
Determine stakeholder expectations for the PMO.
An accurate understanding of others’ expectations to help ensure the PMO’s course of action is responsive to organizational culture and strategy
2.1 Conduct a PMO Mission Identification Survey with key stakeholders.
2.2 Map the PMO’s stakeholder network.
2.3 Analyze key stakeholders for influence, interest, and support.
An understanding of expected PMO outcomes
A stakeholder map and list of key stakeholders
A prioritized PMO requirements gathering elicitation plan
Develop a process and method to turn stakeholder requirements into a strategic vision for the PMO.
A strategic course of action for the PMO that is responsive to stakeholders’ expectations.
3.1 Assess the PMO’s ability to support stakeholder expectations.
3.2 Use Info-Tech’s PMO Strategic Expectations glossary to turn raw process and service requirements into specific strategic expectations.
3.3 Define an actionable tactical plan for each of the strategic expectations in your mandate.
An understanding of PMO capacity and limits
A preliminary PMO mandate
High-level statements of strategy to help support your mandate
Establish a final PMO mandate and a process to help garner stakeholder buy-in to the PMO’s long-term vision.
A viable PMO course of action complete with stakeholder buy-in
4.1 Finalize the PMO implementation timeline.
4.2 Finalize Info-Tech’s PMO Mandate and Strategy Roadmap Template.
4.3 Present the PMO’s strategy to key stakeholders.
A 3-to-5-year implementation timeline for key PMO process and staffing initiatives
A ready-to-present strategy document
Stakeholder buy-in to the PMO’s mandate
Define products in your organization’s context and explore product families as a way to organize products at scale.
Identify an approach to group the inventory of products into one or more product families.
Confirm alignment between your products and product families via the product family roadmap and a shared definition of delivered value.
Agree on a delivery approach that best aligns with your product families.
Define your communication plan and transformation roadmap for transitioning to delivering products at the scale of your organization.
Define products in your organization’s context and explore product families as a way to organize products at scale.
An understanding of the case for product practices
A concise definition of products and product families
1.1 Understand your organizational factors driving product-centric delivery.
1.2 Establish your organization’s product inventory.
1.3 Determine your approach to scale product families.
Organizational drivers and goals for a product-centric delivery
Definition of product
Product scaling principles
Scaling approach and direction
Pilot list of products to scale
Identify a suitable approach to group the inventory of products into one or more product families.
A scaling approach for products that fits your organization
2.1 Define your product families.
Product family mapping
Enabling applications
Dependent applications
Product family canvas
Confirm alignment between your products and product families via the product family roadmap and a shared definition of delivered value.
Recognition of the product family roadmap and a shared definition of value as key concepts to maintain alignment between your products and product families
3.1 Leverage product family roadmaps.
3.2 Use stakeholder management to improve roadmap communication.
3.3 Configure your product family roadmaps.
3.4 Confirm product family to product alignment.
Current approach for communication of product family strategy
List of product family stakeholders and a prioritization plan for communication
Defined key pieces of a product family roadmap
An approach to confirming alignment between products and product families through a shared definition of business value
Agree on the delivery approach that best aligns with your product families.
An understanding of the team configuration and operating model required to deliver value through your product families
4.1 Assess your organization’s delivery readiness.
4.2 Understand your delivery options.
4.3 Determine your operating model.
4.4 Identify how to fund product delivery.
4.5 Learn how to introduce your digital product family strategy.
4.6 Communicate changes on updates to your strategy.
4.7 Determine your next steps.
Assessment results on your organization’s delivery maturity
A preferred approach to structuring product delivery
Your preferred operating model for delivering product families
Understanding of your preferred approach for product family funding
Product family transformation roadmap
Your plan for communicating your roadmap
List of actionable next steps to start on your journey
Implement your communication plan and transformation roadmap for transitioning to delivering products at the scale of your organization.
New product family organization and supporting product delivery approach
5.1 Execute communication plan and product family changes.
5.2 Review the pilot family implementation and update the transformation roadmap.
5.3 Begin advisory calls for related blueprints.
Organizational communication of product families and product family roadmaps
Product family implementation and updated transformation roadmap
Support for product owners, backlog and roadmap management, and other topics
Our world is changing faster than ever, and the need for business agility continues to grow. Organizations are shifting from long-term project delivery to smaller, iterative product delivery models to be able to embrace change and respond to challenges and opportunities faster.
Unfortunately, many organizations focus on product delivery at the tactical level. Product teams may be individually successful, but how well are their changes aligned to division and enterprise goals and priorities?
Grouping products into operationally aligned families is key to delivering the right value to the right stakeholders at the right time.
Product families translate enterprise goals, constraints, and priorities down to the individual product level so product owners can make better decisions and more effectively manage their roadmaps and backlogs. By scaling products into families and using product family roadmaps to align product roadmaps, product owners can deliver the capabilities that allow organizations to reach their goals.
In this blueprint, we’ll provide the tools and guidance to help you define what “product” means to your organization, use scaling patterns to build product families, align product and product family roadmaps, and identify impacts to your delivery and organizational design models.
Banu Raghuraman, Ari Glaizel, and Hans Eckman
Applications Practice
Info-Tech Research Group
Info-Tech’s approach will guide you through:
Changes can only be made at the individual product or service level. To achieve enterprise goals and priorities, organizations need to organize and scale products into operational families. This structure allows product managers to translate goals and constraints to the product level and allows product owners to deliver changes that support enabling capabilities. In this blueprint, we’ll help you define your products, scale them using the best patterns, and align your roadmaps and delivery models to improve throughput and value delivery.
Do not expect a universal definition of products.
Every organization and industry has a different definition of what a product is. Organizations structure their people, processes, and technologies according to their definition of the products they manage. Conflicting product definitions between teams increase confusion and misalignment of product roadmaps.
“A product [is] something (physical or not) that is created through a process and that provides benefits to a market.”
- Mike Cohn, Founding Member of Agile Alliance and Scrum Alliance
“A product is something ... that is created and then made available to customers, usually with a distinct name or order number.”
“A product is the physical object ... , software or service from which customer gets direct utility plus a number of other factors, services, and perceptions that make the product useful, desirable [and] convenient.”
Organizations need a common understanding of what a product is and how it pertains to the business. This understanding needs to be accepted across the organization.
“There is not a lot of guidance in the industry on how to define [products]. This is dangerous because what will happen is that product backlogs will be formed in too many areas. All that does is create dependencies and coordination across teams … and backlogs.”
– Chad Beier, “How Do You Define a Product?” Scrum.org
“A tangible solution, tool, or service (physical or digital) that enables the long-term and evolving delivery of value to customers and stakeholders based on business and user requirements.”
A proper definition of product recognizes three key facts:
Product = Service
“Product” and “service” are terms that each organization needs to define to fit its culture and customers (internal and external). The most important aspect is consistent use and understanding of:
Business:
Technical:
Operations:
Product owners must translate needs and constraints from their perspective into the language of their audience. Kathy Borneman, Digital Product Owner at SunTrust Bank, noted the challenges of finding a common language between lines of business and IT (e.g. what is a unit?).
Recognize that product owners represent one of three primary perspectives. Although all share the same capabilities, how they approach their responsibilities is influenced by their perspective.
“A Product Owner in its most beneficial form acts like an Entrepreneur, like a 'mini-CEO'. The Product Owner is someone who really 'owns' the product.”
– Robbin Schuurman, “Tips for Starting Product Owners”
Project | | Product |
---|---|---|
Fund projects | Funding | Fund products or teams |
Line of business sponsor | Prioritization | Product owner |
Makes specific changes to a product | Product management | Improve product maturity and support |
Assign people to work | Work allocation | Assign work to product teams |
Project manager manages | Capacity management | Team manages capacity |
Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that support improving end-user value and enterprise alignment.
Projects within products
Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply. The purpose of projects is to deliver the scope of a product release. The shift to product delivery leverages a product roadmap and backlog as the mechanism for defining and managing the scope of the release. Eventually, teams progress to continuous integration/continuous delivery (CI/CD) where they can release on demand or as scheduled, requiring org change management.
In Deliver on Your Digital Product Vision, we demonstrate how the product roadmap is core to value realization. The product roadmap is your communicated path, and as a product owner, you use it to align teams and changes to your defined goals while aligning your product to enterprise goals and strategy.
The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.
Organizations start with Waterfall to improve the predictable delivery of product features.
Iterative development shifts the focus from delivery of features to delivery of user value.
Agile further shifts delivery to consider ROI. Often, the highest-value backlog items aren’t the ones with the highest ROI.
Lean and DevOps improve your delivery pipeline by providing full integration between product owners, development teams, and operations.
CI/CD reduces time in process by allowing release on demand and simplifying release and support activities.
Although teams will adopt parts of all these stages during their journey, it isn’t until you’ve adopted a fully integrated delivery chain that you’ve become product centric.
“As with basic product management, scaling an organization is all about articulating the vision and communicating it effectively. Using a well-defined framework helps you align the growth of your organization with that of the company. In fact, how the product organization is structured is very helpful in driving the vision of what you as a product company are going to do.”
– Rich Mironov, Mironov Consulting
Your organizational goals and strategy are achieved through capabilities that deliver value. Your product hierarchy is the mechanism to translate enterprise goals, priorities, and constraints down to the product level where changes can be made.
1. To align product changes with enterprise goals and priorities, you need to organize your products into operational groups based on the capabilities or business functions the product and family support.
2. Product managers translate these goals, priorities, and constraints into their product families, so they are actionable at the next level, whether that level is another product family or products implementing enhancements to meet these goals.
3. The product family manager ensures that the product changes enhance the capabilities that allow you to realize your product family, division, and enterprise goals.
4. Enabling capabilities realize value and help reach your goals, which then drives your next set of enterprise goals and strategy.
Defining your product families is not a one-way street. Often, we start from either the top or the bottom depending on our scaling principles. We use multiple patterns to find the best arrangement and grouping of our products and families.
It may be helpful to work partway, then approach your scaling from the opposite direction, meeting in the middle. This way you are taking advantage of the strengths in both approaches.
Once you have your proposed structure, validate the grouping by applying the principles from the opposite direction to ensure each product and family is in the best starting group.
As the needs of your organization change, you may need to realign your product families into your new business architecture and operational structure.
When to use: You have a business architecture defined or clear market/functional grouping of value streams.
When to use: You are starting from an Application Portfolio Management application inventory to build or validate application families.
Value Stream Alignment | Enterprise Applications | Shared Services | Technical | Organizational Alignment |
---|---|---|---|---|
Your product family roadmap
✓ Lays out a strategy for your product family.
✓ Is a statement of intent for your family of products.
✓ Communicates direction for the entire product family and product teams.
✓ Directly connects to the organization’s goals.
However, it is not:
x Representative of a hard commitment.
x A simple combination of your current product roadmaps.
Your product family roadmap and product roadmap tell different stories. The product family roadmap represents the overall connection of products to the enterprise strategy, while the product roadmap focuses on the fulfillment of the product’s vision.
Product
TACTICAL
A roadmap that is technical, committed, and detailed.
Product Family
STRATEGIC
A roadmap that is strategic, goal based, high level, and flexible.
Roadmaps for your product family are, by design, less detailed. This does not mean they aren’t actionable! Your product family roadmap should be able to communicate clear intentions around the future delivery of value in both the near and long term.
There is no such thing as a roadmap that never changes.
Your product family roadmap represents a broad statement of intent and high-level tactics to get closer to the organization’s goals.
All good product family roadmaps embrace change!
Your strategic intentions are subject to volatility, especially those planned further in the future. The more costs you incur in planning, the more you leave yourself exposed to inefficiency and waste if those plans change.
A good product family roadmap is intended to manage and communicate the inevitable changes as a result of market volatility and changes in strategy.
PRODUCT STRATEGY | What are the artifacts? | What are you saying? | Defined at the family level? | Defined at the product level? | |
---|---|---|---|---|---|
Vision | I want to... | ✓ | ✓ | Strategic focus Delivery focus |
Goals | To get there we need to... | ✓ | ✓ | |
Roadmap | To achieve our goals, we’ll deliver... | ✓ | ✓ | |
Backlog | The work will be done in this order... | ✓ | | |
Release Plan | We will deliver in the following ways... | ✓ |
GROUP/CATEGORY: Groups are collections of artifacts. In a product family context, these are usually product family goals, value streams, or products.
ARTIFACT: An artifact is one of many kinds of tangible by-products produced during the delivery of products. For a product family, the artifacts represented are capabilities or value streams.
MILESTONE: Points in the timeline when established sets of artifacts are complete. This is a critical tool in the alignment of products in a given family.
TIME HORIZON: Separated periods within the projected timeline covered by the roadmap.
Audience | Business/IT Leaders | Users/Customers | Delivery Teams |
---|---|---|---|
Roadmap View | Portfolio | Product Family | Technology |
Objectives | To provide a snapshot of the portfolio and priority products | To visualize and validate product strategy | To coordinate broad technology and architecture decisions |
Artifacts | Line items or sections of the roadmap are made up of individual products, and an artifact represents a disposition at its highest level. | Artifacts are generally grouped by product teams and consist of strategic goals and the features that realize those goals. | Artifacts are grouped by the teams who deliver that work and consist of technical capabilities that support the broader delivery of value for the product family. |
I want to... | I need to talk to... | Because they are focused on... | |||
ALIGN PRODUCT TEAMS | Get my delivery teams on the same page. | Architects | Products Owners | PRODUCTS | A product that delivers value against a common set of goals and objectives. |
SHOWCASE CHANGES | Inform users and customers of product strategy. | Bus. Process Owners | End Users | FUNCTIONALITY | A group of functionality that business customers see as a single unit. |
ARTICULATE RESOURCE REQUIREMENTS | Inform the business of product development requirements. | IT Management | Business Stakeholders | FUNDING | An initiative that those with the money see as a single budget. |
A decentralized IT operating model that embeds specific functions within LoBs/product teams and provides cross-organizational support for their initiatives.
A best-of-both-worlds model that balances the benefits of centralized and decentralized approaches to achieve both customer responsiveness and economies of scale.
A model that supports what is commonly referred to as a matrix organization, organizing by highly related service categories and introducing the role of the service owner.
A highly typical IT operating model that focuses on centralized strategic control and oversight in delivering cost-optimized and effective solutions.
A centralized IT operating model that lends well to more mature operating environments. Aimed at leveraging economies of scale in an end-to-end services delivery model.
Autonomy | Flexibility | Accountability |
---|---|---|
Fund what delivers value | Allocate iteratively | Measure and adjust |
Fund long-lived delivery of value through products (not projects). Give autonomy to the team to decide exactly what to build. | Allocate to a pool based on higher-level business case. Provide funds in smaller amounts to different product teams and initiatives based on need. | Product teams define metrics that contribute to given outcomes. Track progress and allocate more (or less) funds as appropriate. |
Changes to funding require changes to product and Agile practices to ensure product ownership and accountability.
CIO-CEO Alignment Diagnostic
Over 700 Info-Tech members have implemented the Balanced Value Measurement Framework.
“The cynic knows the price of everything and the value of nothing.”
– Oscar Wilde
“Price is what you pay. Value is what you get.”
– Warren Buffett
Understanding where you derive value is critical to building solid roadmaps.
Metrics and measurements are powerful tools to drive behavior change and decision making in your organization. However, metrics are highly prone to creating unexpected outcomes, so use them with great care. Use metrics judiciously to uncover insights but avoid gaming or ambivalent behavior, productivity loss, and unintended consequences.
INDUSTRY: Public Sector & Financial Services
SOURCE: Info-Tech Interviews
Two of the organizations we interviewed shared the challenges they experienced defining product families and the impact these challenges had on their digital transformations.
A major financial services organization (2,000+ people in IT) had employed a top-down line of business–focused approach and found itself caught in a vicious circle of moving applications between families to resolve cross-LoB dependencies.
A similarly sized public sector organization suffered from a similar challenge, as grouping from the bottom up based on technology areas led to teams fragmented across multiple business units employing different applications built on similar technology foundations.
Results
Both organizations struggled for over a year to structure their product families. This materially delayed key aspects of their product-centric transformation, resulting in additional effort and expenditure delivering solutions piecemeal as opposed to as a part of a holistic product family. It took embracing a hybrid top-down and bottom-up approach and beginning with pilot product families to make progress on their transformation.
Cole Cioran
Practice Lead,
Applications Practice
Info-Tech Research Group
There is no such thing as a perfect product-family structure. There will always be trade-offs when you need to manage shifting demand from stakeholder groups spanning customers, business units, process owners, and technology owners.
Focusing on a single approach to structure your product families inevitably leads to decisions that are readily challenged or are brittle in the face of changing demand.
The key to accelerating a product-centric transformation is to build a hybrid model that embraces top-down and bottom-up perspectives to structure and evolve product families over time. Add a robust pilot to evaluate the structure and you have the key to unlocking the potential of product delivery in your organization.
 | 1. Become a Product-Centric Organization | 2. Organize Products Into Product Families | 3. Ensure Alignment Between Products and Families | 4. Bridge the Gap Between Product Families and Delivery | 5. Build Your Transformation Roadmap and Communication Plan |
---|---|---|---|---|---|
Phase Steps | 1.1 Understand the organizational factors driving product-centric delivery 1.2 Establish your organization’s product inventory | 2.1 Determine your approach to scale product families 2.2 Define your product families | 3.1 Leverage product family roadmaps 3.2 Use stakeholder management to improve roadmap communication 3.3 Configure your product family roadmaps 3.4 Confirm goal and value alignment of products and their product families | 4.1 Assess your organization’s delivery readiness 4.2 Understand your delivery options 4.3 Determine your operating model 4.4 Identify how to fund product family delivery | 5.1 Introduce your digital product family strategy 5.2 Communicate changes on updates to your strategy 5.3 Determine your next steps |
Phase Outcomes | | | | | |
Deliver Digital Products at Scale Workbook
Use this supporting workbook to document interim results from a number of exercises that will contribute to your overall strategy.
Deliver Digital Products at Scale Readiness Assessment
Your strategy needs to encompass your approaches to delivery. Understand where you need to focus using this simple assessment.
Digital Product Family Strategy Playbook
Record the results from the exercises to help you define, detail, and deliver digital products at scale.
IT Benefits
|
Business Benefits
|
Member Outcome | Suggested Metric | Estimated Impact |
---|---|---|
Increase business application satisfaction | Satisfaction with business applications (CIO Business Vision diagnostic) | 20% increase within one year after implementation |
Increase effectiveness of application portfolio management | Effectiveness of application portfolio management (Management & Governance diagnostic) | 20% increase within one year after implementation |
Increase importance and effectiveness of application portfolio | Importance and effectiveness to business (Application Portfolio Assessment diagnostic) | 20% increase within one year after implementation |
Increase satisfaction of support of business operations | Support to business (CIO Business Vision diagnostic) | 20% increase within one year after implementation |
Successfully deliver committed work (productivity) | Number of successful deliveries; burndown | 20% increase within one year after implementation |
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Phase 1: Become a Product-Centric Organization | Phase 2: Organize Products Into Product Families | Phase 3: Ensure Alignment Between Products and Families | Phase 4: Bridge the Gap Between Product Families and Delivery |
---|---|---|---|
Call #1: Scope requirements, objectives, and your specific challenges. Call #2: Define products and product families in your context. Call #3: Understand the list of products in your context. | Call #4: Define your scaling principles and goals. Call #5: Select a pilot and define your product families. | Call #6: Understand the product family roadmap as a method to align products to families. Call #7: Define components of your product family roadmap and confirm alignment. | Call #8: Assess your delivery readiness. Call #9: Discuss delivery, operating, and funding models relevant to delivering product families. Call #10: Wrap up. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 and 12 calls over the course of 4 to 6 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
 | Day 1: Become a Product-Centric Organization | Day 2: Organize Products Into Product Families | Day 3: Ensure Alignment Between Products and Families | Day 4: Bridge the Gap Between Product Families and Delivery | Advisory: Next Steps and Wrap-Up (offsite) |
---|---|---|---|---|---|
Activities | 1.1 Understand your organizational factors driving product-centric delivery. 1.2 Establish your organization’s product inventory. 2.1 Determine your approach to scale product families. | 2.2 Define your product families. | 3.1 Leverage product family roadmaps. 3.2 Use stakeholder management to improve roadmap communication. 3.3 Configure your product family roadmaps. 3.4 Confirm product family to product alignment. | 4.1 Assess your organization’s delivery readiness. 4.2 Understand your delivery options. 4.3 Determine your operating model. 4.4 Identify how to fund product family delivery. 5.1 Learn how to introduce your digital product family strategy. 5.2 Communicate changes on updates to your strategy. 5.3 Determine your next steps. | |
Key Deliverables | | | | | |
Phase 1 | Phase 2 | Phase 3 | Phase 4 | Phase 5 |
---|---|---|---|---|
1.1 Understand the organizational factors driving product-centric delivery 1.2 Establish your organization’s product inventory | 2.1 Determine your approach to scale product families 2.2 Define your product families | 3.1 Leverage product family roadmaps 3.2 Use stakeholder management to improve roadmap communication 3.3 Configure your product family roadmaps 3.4 Confirm product family to product alignment | 4.1 Assess your organization’s delivery readiness 4.2 Understand your delivery options 4.3 Determine your operating model 4.4 Identify how to fund product family delivery | 5.1 Learn how to introduce your digital product family strategy 5.2 Communicate changes on updates to your strategy 5.3 Determine your next steps |
1.1.1 Understand your drivers for product-centric delivery
1.1.2 Identify the differences between project and product delivery
1.1.3 Define the goals for your product-centric organization
1.2.1 Define “product” in your context
1.2.2 Identify and establish a pilot list of products
Activities
1.1.1 Understand your drivers for product-centric delivery
1.1.2 Identify the differences between project and product delivery
1.1.3 Define the goals for your product-centric organization
Pain Points | Root Causes | Drivers |
---|---|---|
 | | |
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Note: This exercise is not about identifying the advantages and disadvantages of each style of delivery. This is to identify the variation between the two.
Project Delivery | Product Delivery |
---|---|
Point in time | What is changed |
Method of funding changes | Needs an owner |
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Project | | Product |
---|---|---|
Fund projects | Funding | Fund products or teams |
Line of business sponsor | Prioritization | Product owner |
Makes specific changes to a product | Product management | Improves product maturity and support |
Assignment of people to work | Work allocation | Assignment of work to product teams |
Project manager manages | Capacity management | Team manages capacity |
Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that support improving end-user value and enterprise alignment.
Projects within products
Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply.
The purpose of projects is to deliver the scope of a product release. The shift to product delivery leverages a product roadmap and backlog as the mechanism for defining and managing the scope of the release.
Eventually, teams progress to continuous integration/continuous delivery (CI/CD) where they can release on demand or as scheduled, requiring org change management.
Organizations start with Waterfall to improve the predictable delivery of product features.
Iterative development shifts the focus from delivery of features to delivery of user value.
Agile further shifts delivery to consider ROI. Often, the highest-value backlog items aren’t the ones with the highest ROI.
Lean and DevOps improve your delivery pipeline by providing full integration between product owners, development teams, and operations.
CI/CD reduces time in process by allowing release on demand and simplifying release and support activities.
Although teams will adopt parts of all these stages during their journey, it isn’t until you’ve adopted a fully integrated delivery chain that you’ve become product centric.
Note: Your drivers may have already covered the goals. If so, review if you would like to change the drivers based on your renewed understanding of the differences between project and product delivery.
Pain Points | Root Causes | Drivers | Goals |
---|---|---|---|
 | | | |
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Activities
1.2.1 Define “product” in your context
1.2.2 Identify and establish a pilot list of products
This step involves the following participants:
Outcomes of this step
Do not expect a universal definition of products.
Every organization and industry has a different definition of what a product is. Organizations structure their people, processes, and technologies according to their definition of the products they manage. Conflicting product definitions between teams increase confusion and misalignment of product roadmaps.
“A product [is] something (physical or not) that is created through a process and that provides benefits to a market.”
– Mike Cohn, Founding Member of Agile Alliance and Scrum Alliance
“A product is something ... that is created and then made available to customers, usually with a distinct name or order number.”
“A product is the physical object ... , software or service from which customer gets direct utility plus a number of other factors, services, and perceptions that make the product useful, desirable [and] convenient.”
Organizations need a common understanding of what a product is and how it pertains to the business. This understanding needs to be accepted across the organization.
“There is not a lot of guidance in the industry on how to define [products]. This is dangerous because what will happen is that product backlogs will be formed in too many areas. All that does is create dependencies and coordination across teams … and backlogs.”
– Chad Beier, “How Do You Define a Product?” Scrum.org
Product = Service
“Product” and “service” are terms that each organization needs to define to fit its culture and customers (internal and external). The most important aspect is consistent use and understanding of:
Business:
Technical:
Operations
Product owners must translate needs and constraints from their perspective into the language of their audience. Kathy Borneman, Digital Product Owner at SunTrust Bank, noted the challenges of finding a common language between lines of business and IT (e.g. what is a unit?).
Recognize that product owners represent one of three primary perspectives. Although all share the same capabilities, how they approach their responsibilities is influenced by their perspective.
“A Product Owner in its most beneficial form acts like an Entrepreneur, like a 'mini-CEO'. The Product Owner is someone who really 'owns' the product.”
– Robbin Schuurman, “Tips for Starting Product Owners”
It is easy to lose sight of what matters when we look at a product from a single point of view. Despite what The Agile Manifesto says, working software is not valuable without the knowledge and support that people need in order to adopt, use, and maintain it. If you build it, they will not come. Product leaders must consider the needs of all stakeholders when designing and building products.
In Deliver on Your Digital Product Vision, we demonstrate how the product roadmap is core to value realization. The product roadmap is your communicated path, and as a product owner, you use it to align teams and changes to your defined goals while aligning your product to enterprise goals and strategy.
The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.
“A tangible solution, tool, or service (physical or digital) that enables the long-term and evolving delivery of value to customers and stakeholders based on business and user requirements.”
Info-Tech Insight
A proper definition of product recognizes three key facts:
There is more than one stakeholder group that derives value from the product or service.
For example:
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
This phase will walk you through the following activities:
2.1.1 Define your scaling principles and goals
2.1.2 Define your pilot product family areas and direction
2.2.1 Arrange your applications and services into product families
2.2.2 Define enabling and supporting applications
2.2.3 Build your product family canvas
This phase involves the following participants:
Activities
2.1.1 Define your scaling principles and goals
2.1.2 Define your pilot product family areas and direction
This step involves the following participants:
Outcomes of this step
A product family is a logical and operational grouping of related products or services. The grouping provides a scaled hierarchy to translate goals, priorities, strategy, and constraints down the grouping while aligning value realization upwards.
A product family contains...
A product family can be grouped by...
“As with basic product management, scaling an organization is all about articulating the vision and communicating it effectively. Using a well-defined framework helps you align the growth of your organization with that of the company. In fact, how the product organization is structured is very helpful in driving the vision of what you as a product company are going to do.”
– Rich Mironov, Mironov Consulting
Your organizational goals and strategy are achieved through capabilities that deliver value. Your product hierarchy is the mechanism to translate enterprise goals, priorities, and constraints down to the product level where changes can be made.
1. To align product changes with enterprise goals and priorities, you need to organize your products into operational groups based on the capabilities or business functions the product and family support.
2. Product managers translate these goals, priorities, and constraints into their product families, so they are actionable at the next level, whether that level is another product family or products implementing enhancements to meet these goals.
3. The product family manager ensures that the product changes enhance the capabilities that allow you to realize your product family, division, and enterprise goals.
4. Enabling capabilities realize value and help reach your goals, which then drives your next set of enterprise goals and strategy.
(More tactical product delivery focus)
(More strategic product family focus)
“Product owner” and “product manager” are terms that should be adapted to fit your culture and product hierarchy. These are not management relationships but rather a way to structure related products and services that touch the same end users. Use the terms that work best in your culture.
Download Build a Better Product Owner for role support.
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Learn more about each pattern.
Discuss the pros and cons of each.
Select a pilot product area.
Select a pattern.
Defining your product families is not a one-way street. Often, we start from either the top or the bottom depending on our scaling principles. We use multiple patterns to find the best arrangement and grouping of our products and families.
It may be helpful to work partway, then approach your scaling from the opposite direction, meeting in the middle. This way you are taking advantage of the strengths in both approaches.
Once you have your proposed structure, validate the grouping by applying the principles from the opposite direction to ensure each product and family is in the best starting group.
As the needs of your organization change, you may need to realign your product families into your new business architecture and operational structure.
When to use: You have a business architecture defined or clear market/functional grouping of value streams.
When to use: You are starting from an Application Portfolio Management application inventory to build or validate application families.
Examples:
Market Alignment |
|
Enterprise Applications |
|
Shared Service |
|
Business Architecture |
|
Examples:
Technical Grouping |
|
Functional/Capability Grouping |
|
Shared Services Grouping |
|
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Activities
2.2.1 Arrange your applications and services into product families
2.2.2 Define enabling and supporting applications
2.2.3 Build your product family canvas
This step involves the following participants:
Outcomes of this step
Alignment perspectives:
Value Stream | Users/Consumers | Common Domain |
---|---|---|
Align products based on the defined sources of value for a collection of products or services. For example: Wholesale channel for products that may also be sold directly to consumers, such as wireless network service. | Align products based on a common group of users or product consumers. For example: Consumer vs. small business vs. enterprise customers in banking, insurance, and healthcare. | Align products based on a common domain knowledge or skill set needed to deliver and support the products. For example: Applications in a shared service framework supporting other products. |
Value Stream Alignment | Enterprise Applications | Shared Services | Technical | Organizational Alignment |
---|---|---|---|---|
 | | | | |
Top-Down |
Bottom-Up |
|
---|---|---|
We have a business architecture defined. (See Document Your Business Architecture and industry reference architectures for help.) |
Start with your business architecture |
Start with market segments |
We want to be more customer first or customer centric. |
Start with market segments |
|
Our organization has rigid lines of business and organizational boundaries. |
Start with LoB structure |
|
Most products are specific to a business unit or division. | Start with LoB structure | |
Products are aligned to people, not how we are operationally organized. |
Start with market or LoB structure |
|
We are focusing on enterprise or enabling applications. |
1. Start with enterprise app and service team |
2. Align supporting apps |
We already have applications and services grouped into teams but want to evaluate if they are grouped in the best families. |
Validate using multiple patterns |
Validate using multiple patterns |
Our applications and services are shared across the enterprise or support multiple products, value streams, or shared capabilities. |
||
Our applications or services are domain, knowledge, or technology specific. |
Start by grouping inventory |
|
We are starting from an application inventory. (See the APM Research Center for help.) |
Start by grouping inventory |
Example:
Your business architecture maps your value streams (value delivered to your customer or user personas) to the capabilities that deliver that value. A capability is the people, processes, and/or tools needed to deliver each value function.
Defining capabilities are specific to a value stream. Shared capabilities support multiple value streams. Enabling capabilities are core “keep the lights on” capabilities and enterprise functions needed to run your organization.
See Info-Tech’s industry coverage and reference architectures.
Download Document Your Business Architecture
For additional information about HRMS, please download Get the Most Out of Your HRMS.
Download Build a Better Product Owner for role support.
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Product owners/managers
Provide target state to align child product and product family roadmaps.
Stakeholders
Communicate high-level concepts and key metrics with leadership teams and stakeholders.
Strategy teams
Use the canvas as a tool for brainstorming, scoping, and ideation.
Operations teams
Share background overview to align operational team with end-user value.
Impacted users
Refine communication strategy and support based on user impacts and value realization.
Download Deliver on Your Digital Product Vision.
Problem Statement: The problem or need the product family is addressing
Business Goals: List of business objectives or goals for the product
Personas/Customers/Users: List of groups who consume the product/service
Vision: Vision, unique value proposition, elevator pitch, or positioning statement
Child Product Families or Products: List of product families or products within this family
Stakeholders: List of key resources, stakeholders, and teams needed to support the product or service
Download Deliver on Your Digital Product Vision.
Output
Participants
Record the results in the Digital Product Family Strategy Playbook.
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
3.1.1 Evaluate your current approach to product family communication
This step involves the following participants:
Outcomes of this step
Adapted from: Pichler, “What Is Product Management?”
✓ Lays out a strategy for your product family.
✓ Is a statement of intent for your family of products.
✓ Communicates direction for the entire product family and product teams.
✓ Directly connects to the organization’s goals.
However, it is not:
x Representative of a hard commitment.
x A simple combination of your current product roadmaps.
x A technical implementation plan.
There is no such thing as a roadmap that never changes.
Your product family roadmap represents a broad statement of intent and high-level tactics to get closer to the organization’s goals.
All good product family roadmaps embrace change!
Your strategic intentions are subject to volatility, especially those planned further in the future. The more costs you incur in planning, the more you leave yourself exposed to inefficiency and waste if those plans change.
A good product family roadmap is intended to manage and communicate the inevitable changes as a result of market volatility and changes in strategy.
Roadmaps for your product family are, by design, less detailed. This does not mean they aren’t actionable! Your product family roadmap should be able to communicate clear intentions around the future delivery of value in both the near and long term.
Your enterprise vision represents your “north star” – where you want to go. It represents what you want to do.
Download Deliver on Your Digital Product Vision for support.
Audience | Business/IT Leaders | Users/Customers | Delivery Teams |
---|---|---|---|
Roadmap View | Portfolio | Product Family | Technology |
Objectives | To provide a snapshot of the portfolio and priority products | To visualize and validate product strategy | To coordinate broad technology and architecture decisions |
Artifacts | Line items or sections of the roadmap are made up of individual products, and an artifact represents a disposition at its highest level. | Artifacts are generally grouped by product teams and consist of strategic goals and the features that realize those goals. | Artifacts are grouped by the teams who deliver that work and consist of technical capabilities that support the broader delivery of value for the product family. |
GROUP/CATEGORY: Groups are collections of artifacts. In a product family context, these are usually product family goals, value streams, or products.
ARTIFACT: An artifact is one of many kinds of tangible by-products produced during the delivery of products. For a product family, the artifacts represented are capabilities or value streams.
MILESTONE: Points in the timeline when established sets of artifacts are complete. This is a critical tool in the alignment of products in a given family.
TIME HORIZON: Separated periods within the projected timeline covered by the roadmap.
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Activities
3.2.1 Visualize interrelationships among stakeholders to identify key influencers
3.2.2 Group stakeholders into categories
3.2.3 Prioritize your stakeholders
Info-Tech Note
If you have done the stakeholder exercises in Deliver on Your Digital Product Vision or Build a Better Product Owner, you don’t need to repeat the exercises from scratch.
You can bring the results forward and update them based on your prior work.
This step involves the following participants:
Outcomes of this step
Individuals who directly obtain value from usage of the product.
Represent individuals who provide the context, alignment, and constraints that influence or control what you will be able to accomplish.
Individuals both external and internal that fund the product initiative. Sometimes they are lumped in as stakeholders. However, motivations can be different.
For more information, see Deliver on Your Digital Product Vision.
Legend
Black arrows: indicate the direction of professional influence
Dashed green arrows: indicate bidirectional, informal influence relationships
Your stakeholder map defines the influence landscape your product family operates in. It is every bit as important as the teams who enhance, support, and operate your product directly.
Use connectors to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantial relationships with your stakeholders.
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
There are four areas in the map, and the stakeholders within each area should be treated differently.
Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.
Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.
Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.
Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.
Level of Influence |
---|
|
Level of Interest |
---|
How much are the stakeholder’s individual performance and goals directly tied to the success or failure of the product? |
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Level of Support:
Stakeholder Category | Supporter | Evangelist | Neutral | Blocker |
---|---|---|---|---|
Player | Critical | High | High | Critical |
Mediator | Medium | Low | Low | Medium |
Noisemaker | High | Medium | Medium | High |
Spectator | Low | Irrelevant | Irrelevant | Low |
Consider the three dimensions for stakeholder prioritization: influence, interest, and support. Support can be determined by answering the following question: How likely is it that this stakeholder would recommend your product?
These parameters are used to prioritize which stakeholders are most important and should receive your focused attention.
Stakeholder | Category | Level of Support | Prioritization |
---|---|---|---|
CMO | Spectator | Neutral | Irrelevant |
CIO | Player | Supporter | Critical |
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Type | Quadrant | Actions |
---|---|---|
Players | High influence, high interest – actively engage | Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success. |
Mediators | High influence, low interest – keep satisfied | They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders. |
Noisemakers | Low influence, high interest – keep informed | Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them. |
Spectators | Low influence, low interest – monitor | They are followers. Keep them in the loop by providing clarity on objectives and status updates. |
Each group of stakeholders draws attention and resources away from critical tasks. By properly identifying your stakeholder groups, the product owner can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers, while ensuring the needs of Mediators and Players are met.
Activities
3.3.1 Define the communication objectives and audience of your product family roadmaps
3.3.2 Identify the level of detail that you want your product family roadmap artifacts to represent
If you are unfamiliar with product roadmaps, Deliver on Your Digital Product Vision contains more detailed exercises we recommend you review before focusing on product family roadmaps.
This step involves the following participants:
Outcomes of this step
I want to... | I need to talk to... | Because they are focused on... | |||
ALIGN PRODUCT TEAMS | Get my delivery teams on the same page. | Architects | Product Owners | PRODUCTS | A product that delivers value against a common set of goals and objectives. |
SHOWCASE CHANGES | Inform users and customers of product strategy. | Bus. Process Owners | End Users | FUNCTIONALITY | A group of functionality that business customers see as a single unit. |
ARTICULATE RESOURCE REQUIREMENTS | Inform the business of product development requirements. | IT Management | Business Stakeholders | FUNDING | An initiative that those with the money see as a single budget. |
Roadmap | Audience | Statement |
---|---|---|
Internal Strategic Roadmap | Internal Stakeholders | This roadmap is designed to detail the strategy for delivery. It tends to use language that represents internal initiatives and names. |
Customer Strategic Roadmap | External Customers | This roadmap is designed to showcase and validate future strategic plans and internal teams to coordinate the development of features and enablers. |
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Given the relationship between product and product family roadmaps, the product family roadmap needs to serve the time horizons of its respective products.
This translates into product family roadmaps with timelines that, at a minimum, cover the full scope of the respective product roadmaps.
Swimlane/Stream-Based – Understanding when groups of items intend to be delivered.
Now, Next, Later – Communicate an overall plan with rough intentions around delivery without specific date ranges.
Sunrise Roadmap – Articulate the journey toward a given target state across multiple streams.
Your product family roadmap and product roadmap tell different stories. The product family roadmap represents the overall connection of products to the enterprise strategy, while the product roadmap focuses on the fulfillment of the product’s vision.
30-60 minutes
Examples | Level of Hierarchy | Artifact Type |
---|---|---|
Roadmap 1 | Goals | Capability |
Roadmap 2 | ||
Roadmap 3 |
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Activities
3.4.1 Validate business value alignment between products and their product families
This step involves the following participants:
Outcomes of this step
Product-to-family alignment can be validated in two different ways:
Confirm the perceived business value at a family level is aligned with what is being delivered at a product level.
Validate family roadmap attainment through progression toward the specified product goals.
For more detail on calculating business value, see Build a Value Measurement Framework.
Over 700 Info-Tech members have implemented the Balanced Value Measurement Framework.
“The cynic knows the price of everything and the value of nothing.”
– Oscar Wilde
“Price is what you pay. Value is what you get.”
– Warren Buffett
Understanding where you derive value is critical to building solid roadmaps.
Business value is the value of the business outcome the application produces and how effective the product is at producing that outcome. Dissecting value by the benefit type and the value source allows you to see the many ways in which a product or service brings value to your organization. Capture the value of your products in short, concise statements, like an elevator pitch.
Increase Revenue
Product or service functions that are specifically related to the impact on your organization’s ability to generate revenue.
Reduce Costs
Reduction of overhead. The ways in which your product limits the operational costs of business functions.
Enhance Services
Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.
Reach Customers
Application functions that enable and improve the interaction with customers or produce market information and insights.
Financial Benefits vs. Improved Capabilities
Inward vs. Outward Orientation
Download and complete Build a Value Measurement Framework for full support in focusing product delivery on business value–driven outcomes.
Output
Participants
Record the results in the Deliver Digital Products at Scale Workbook.
Assign metrics to your business value sources
Business Value Category | Source Examples | Metric Examples |
---|---|---|
Profit Generation | Revenue | Customer Lifetime Value (LTV) |
 | Data Monetization | Average Revenue per User (ARPU) |
Cost Reduction | Reduce Labor Costs | Contract Labor Cost |
 | Reduce Overhead | Effective Cost per Install (eCPI) |
Service Enablement | Limit Failure Risk | Mean Time to Mitigate Fixes |
 | Collaboration | Completion Time Relative to Deadline |
Customer and Market Reach | Customer Satisfaction | Net Promoter Score |
 | Customer Trends | Number of Customer Profiles |
The importance of measuring business value through metrics
The better an organization is at using business value metrics to evaluate IT’s performance, the more satisfied the organization is with IT’s performance as a business partner. In fact, those that say they’re effective at business value metrics have satisfaction scores that are 30% higher than those that believe significant improvements are necessary (Info-Tech’s IT diagnostics).
Assigning metrics to your prioritized value sources will allow you to more accurately measure a product’s value to the organization and identify optimization opportunities. See Info-Tech’s Related Research: Value, Delivery Metrics, Estimation blueprint for more information.
As the saying goes, “Be careful what you ask for, because you will probably get it.”
Metrics are powerful because they drive behavior.
It’s a cautionary tale that also offers a low-risk path through the complexities of metrics use.
For more information on the use (and abuse) of metrics, see Select and Use SDLC Metrics Effectively.
Metrics and measurements are powerful tools to drive behavior change and decision making in your organization. However, metrics are highly prone to creating unexpected outcomes, so use them with great care. Use metrics judiciously to uncover insights but avoid gaming or ambivalent behavior, productivity loss, and unintended consequences.
Build good practices in your selection and use of metrics:
Phase 1 | Phase 2 | Phase 3 | Phase 4 | Phase 5 |
---|---|---|---|---|
1.1 Understand the organizational factors driving product-centric delivery 1.2 Establish your organization’s product inventory | 2.1 Determine your approach to scale product families 2.2 Define your product families | 3.1 Leverage product family roadmaps 3.2 Use stakeholder management to improve roadmap communication 3.3 Configure your product family roadmaps 3.4 Confirm product family to product alignment | 4.1 Assess your organization’s delivery readiness 4.2 Understand your delivery options 4.3 Determine your operating model 4.4 Identify how to fund product family delivery | 5.1 Learn how to introduce your digital product family strategy 5.2 Communicate changes on updates to your strategy 5.3 Determine your next steps |
This phase will walk you through the following activities:
4.1.1 Assess your organization’s readiness to deliver digital product families
4.2.1 Consider pros and cons for each delivery model relative to how you wish to deliver
4.3.1 Understand the relationships between product management, delivery teams, and stakeholders
4.4.1 Discuss traditional vs. product-centric funding methods
This phase involves the following participants:
Realigning your delivery pipeline and org design takes significant effort and time. Although we won’t solve these questions here, it’s important to identify factors in your current or future models that improve value delivery.
Activities
4.1.1 Assess your organization’s readiness to deliver digital product families
This step involves the following participants:
Outcomes of this step
Just like product owners, product family owners are needed to develop long-term product value, strategy, and delivery. Projects can still be used as the source of funding and change management; however, the product family owner must manage product releases and operational support. The focus of this section will be on aligning product families to one or more releases.
Output
Participants
Download the Deliver Digital Products at Scale Readiness Assessment.
PRODUCT STRATEGY | What are the artifacts? | What are you saying? | Defined at the family level? | Defined at the product level? | |
---|---|---|---|---|---|
Vision | I want to... | ✓ | ✓ | Strategic focus Delivery focus | |
Goals | To get there we need to... | ✓ | ✓ | ||
Roadmap | To achieve our goals, we’ll deliver... | ✓ | ✓ | ||
Backlog | The work will be done in this order... | ✓ | |||
Release Plan | We will deliver in the following ways... | ✓ |
Activities
4.2.1 Consider pros and cons for each delivery model relative to how you wish to deliver
This step involves the following participants:
Outcomes of this step
The goal of your product delivery strategy is to establish streamlined, enforceable, and standardized product management and delivery capabilities that follow industry best practices. You will need to be strategic in how and where you implement your changes because this will set the stage for future adoption. Strategically select the most appropriate products, roles, and areas of your organization to implement your new or enhanced capabilities and establish a foundation for scaling.
Successful product delivery requires people who are knowledgeable about the products they manage and have a broad perspective of the entire delivery process, from intake to delivery, and of the product portfolio. The right people also have influence with other teams and stakeholders who are directly or indirectly impacted by product decisions. Involve team members who have expertise in the development, maintenance, and management of your selected products and stakeholders who can facilitate and promote change.
The primary goal of any product delivery team is to improve the delivery of value for customers and the business based on your product definition and each product’s demand. Each organization will have different priorities and constraints, so your team structure may take on a combination of patterns or may take on one pattern and then transform into another.
Delivery Team Structure Patterns | | How Are Resources and Work Allocated? |
---|---|---|
Functional Roles | Teams are divided by functional responsibilities (e.g. developers, testers, business analysts, operations, help desk) and arranged according to their placement in the software development lifecycle (SDLC). | Completed work is handed off from team to team sequentially as outlined in the organization’s SDLC. |
Shared Service and Resource Pools | Teams are created by pulling the necessary resources from pools (e.g. developers, testers, business analysts, operations, help desk). | Resources are pulled whenever the work requires specific skills or pushed to areas where product demand is high. |
Product or System | Teams are dedicated to the development, support, and management of specific products or systems. | Work is directly sent to the teams who are directly managing the product or directly supporting the requester. |
Skills and Competencies | Teams are grouped based on skills and competencies related to technology (e.g. Java, mobile, web) or familiarity with business capabilities (e.g. HR, finance). | Work is directly sent to the teams who have the IT and business skills and competencies to complete the work. |
| | Functional Roles | Shared Service and Resource Pools | Product or System | Skills and Competencies |
---|---|---|---|---|
Pros | ✓ Product knowledge is maintained | ✓ Supports full utilization of resources | ✓ Standing teams enable continuous improvement | ✓ Standing teams enable continuous improvement |
Cons | x Creates barriers to collaboration | x Product knowledge can be lost as resources move | x Cross-functional skills make staffing a challenge | x Resource contention when team supports multiple solutions |
Considerations | | | | |
Use Case | | | | |
Functional Roles | Teams are divided by functional responsibilities (e.g. developers, testers, business analysts, operations, help desk) and arranged according to their placement in the software development lifecycle (SDLC). |
---|---|
Shared Service and Resource Pools | Teams are created by pulling the necessary resources from pools (e.g. developers, testers, business analysts, operations, help desk). |
Product or System | Teams are dedicated to the development, support, and management of specific products or systems. |
Skills and Competencies | Teams are grouped based on skills and competencies related to technology (e.g. Java, mobile, web) or familiarity with business capabilities (e.g. HR, finance). |
Output
Participants
Record the results in the Digital Product Family Strategy Playbook.
Activities
4.3.1 Understand the relationships between product management, delivery teams, and stakeholders
This step involves the following participants:
Value Stream Alignment | Enterprise Applications | Shared Services | Technical | Organizational Alignment |
An operating model is an abstract visualization, used like an architect’s blueprint, that depicts how structures and resources are aligned and integrated to deliver on the organization’s strategy. It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint before embarking on detailed organizational design.
The visual should highlight which capabilities are critical to attaining strategic goals and clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization.
For more information, see Redesign Your IT Organizational Structure.
A decentralized IT operating model that embeds specific functions within LoBs/product teams and provides cross-organizational support for their initiatives.
A best-of-both-worlds model that balances the benefits of centralized and decentralized approaches to achieve both customer responsiveness and economies of scale.
A model that supports what is commonly referred to as a matrix organization, organizing by highly related service categories and introducing the role of the service owner.
A highly typical IT operating model that focuses on centralized strategic control and oversight in delivering cost-optimized and effective solutions.
A centralized IT operating model that lends well to more mature operating environments. Aimed at leveraging economies of scale in an end-to-end services delivery model.
There are many different operating models. LoB/Product Aligned and Hybrid Functional align themselves most closely with how products and product families are typically delivered.
Value Stream Alignment | Enterprise Applications | Shared Services | Technical | |
---|---|---|---|---|
Plan-Build-Run: | Pro: Supports established and stable families. Con: Command-and-control nature inhibits Agile DevOps and business agility. | Pro: Supports established and stable families. Con: Command-and-control nature inhibits Agile DevOps and business agility. | Pro: Can be used to align high-level families. Con: Lacks flexibility at the product level to address shifting priorities in product demand. | Pro: Supports a factory model. Con: Lacks flexibility at the product level to address shifting priorities in product demand. |
Centralized Model 2: | Pro: Supports established and stable families. Con: Command-and-control nature inhibits Agile DevOps and business agility. | Pro: Supports established and stable families. Con: Command-and-control nature inhibits Agile DevOps and business agility. | Pro: Recommended for aligning high-level service families based on user needs. Con: Reduces product empowerment, prioritizing demand. Slow. | Pro: Supports factory models. Con: Reduces product empowerment, prioritizing demand. Slow. |
Decentralized Model: Functionally Aligned | Pro: Aligns product families to value streams, capabilities, and organizational structure. Con: Reduces shared solutions and may create duplicate apps and services. | Pro: Enterprise apps treated as distinct LoB groups. Con: Reduces shared solutions and may create duplicate apps and services. | Pro: Complements value stream alignment by consolidating shared apps and services. Con: Requires additional effort to differentiate local vs. shared solutions. | Pro: Fits within other groupings where technical expertise is needed. Con: Creates redundancy between localized and shared technical teams. |
Hybrid Model: Aligned | Pro: Supports multiple patterns of product grouping. Con: Requires additional effort to differentiate local vs. shared solutions. | Pro: Supports multiple patterns of product grouping. Con: Requires additional effort to differentiate local vs. shared solutions. | Pro: Supports multiple patterns of product grouping. Con: Requires additional effort to differentiate local vs. shared solutions. | Pro: Supports multiple patterns of product grouping. Con: Creates redundancy between localized and shared technical teams. |
Hybrid Model: Product-Aligned Operating Model | Pro: Supports multiple patterns of product grouping. Con: Requires additional effort to differentiate local vs. shared solutions. | Pro: Supports multiple patterns of product grouping. Con: Requires additional effort to differentiate local vs. shared solutions. | Pro: Supports multiple patterns of product grouping. Con: Requires additional effort to differentiate local vs. shared solutions. | Pro: Supports multiple patterns of product grouping. Con: Creates redundancy between localized and shared technical teams. |
Output
Participants
Record the results in the Digital Product Family Strategy Playbook.
Activities
4.4.1 Discuss traditional vs. product-centric funding methods
This step involves the following participants:
Outcomes of this step
These models require increasing accuracy throughout the project lifecycle to manage actuals vs. estimates.
"Most IT funding depends on one-time expenditures or capital-funding mechanisms that are based on building-construction funding models predicated on a life expectancy of 20 years or more. Such models don’t provide the stability or flexibility needed for modern IT investments." – EDUCAUSE
Projects within products
Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply.
The purpose of projects is to deliver the scope of a product release. The shift to product delivery leverages a product roadmap and backlog as the mechanism for defining and managing the scope of the release.
Eventually, teams progress to continuous integration/continuous delivery (CI/CD) where they can release on demand or as scheduled, requiring org change management.
Autonomy | Flexibility | Accountability |
---|---|---|
Fund what delivers value | Allocate iteratively | Measure and adjust |
Fund long-lived delivery of value through products (not projects). Give autonomy to the team to decide exactly what to build. | Allocate to a pool based on higher-level business case. Provide funds in smaller amounts to different product teams and initiatives based on need. | Product teams define metrics that contribute to given outcomes. Track progress and allocate more (or less) funds as appropriate. |
Info-Tech Insight
Changes to funding require changes to product and Agile practices to ensure product ownership and accountability.
A flexible funding pool akin to venture capital models is maintained to support innovative ideas and fund proofs of concept for product and process improvements.
Proofs of concept (POCs) are run by standing innovation teams or a reserve of resources not committed to existing products, projects, or services.
Every product line has funding for all changes and ongoing operations and support.
Teams are funded continuously so that they can learn and improve their practices as much as possible.
| | TRADITIONAL PROJECTS WITH WATERFALL DELIVERY | TRADITIONAL PROJECTS WITH AGILE DELIVERY | PRODUCTS WITH AGILE PROJECT DELIVERY | PRODUCTS WITH AGILE DELIVERY |
---|---|---|---|---|
WHEN IS THE BUDGET TRACKED? | Budget tracked by major phases | Budget tracked by sprint and project | Budget tracked by sprint and project | Budget tracked by sprint and release |
HOW ARE CHANGES HANDLED? | All change is by exception | Scope change is routine, budget change is by exception | Scope change is routine, budget change is by exception | Budget change is expected on roadmap cadence |
WHEN ARE BENEFITS REALIZED? | Benefits realization after project completion | Benefits realization is ongoing throughout the life of the project | Benefits realization is ongoing throughout the life of the product | Benefits realization is ongoing throughout life of the product |
WHO “DRIVES”? | Project Manager | Product Owner | Product Manager | Product Manager |
As you evolve your approach to product delivery, you will be decoupling the expected benefits, forecast, and budget. Managing them independently will improve your ability to adapt to change and drive the right outcomes!
Adapted from: LookFar
While the exact balance point between development or implementation costs varies from application to application, over 80% of the cost is accrued after go-live.
The challenge has always been the myth that operations are only bug fixes, upgrades, and other operational expenditures. Research shows that most post-release work on developed solutions is the development of new features and changes to support material changes in the business. While projects could bundle some of these changes into capital expenditure, much of the business-as-usual work that goes on leaves capital expenses on the table because the work is lumped together as maintenance-related OpEx.
From “How to Stop Leaving Software CapEx on the Table With Agile and DevOps”
Output
Participants
Record the results in the Digital Product Family Strategy Playbook.
This phase will walk you through the following activities:
5.1.1 Introduce your digital product family strategy
5.2.1 Define your communication cadence for your strategy updates
5.2.2 Define your messaging for each stakeholder
5.3.1 How do we get started?
This phase involves the following participants:
Activities
5.1.1 Introduce your digital product family strategy
This step involves the following participants:
Outcomes of this step
Software delivery teams and stakeholders traditionally make plans, strategies, and releases within their silos and tailor their decisions based on their own priorities. Interactions are typically limited to hand-offs (such as feature requests) and routing of issues and defects back up the delivery pipeline. These silos likely came about through well-intentioned training, mandates, and processes, but they do not sufficiently support today’s need to rapidly release and change platforms.
Siloed departments often have poor visibility into the activities of other silos, and they may not be aware of the ramifications their decisions have on teams and stakeholders outside of their silo.
In some cases, the only way to achieve greater visibility and communication for all roles across a platform’s lifecycle is implementing an overarching role or team.
“The majority of our candid conversations with practitioners and project management offices indicate that the platform ownership role is poorly defined and poorly executed.”
– Barry Cousins
Practice Lead, Applications – Project & Portfolio Management
Info-Tech Research Group
When building your communication strategy, revisit the work you completed in phase 3 developing your:
Type | Quadrant | Actions |
---|---|---|
Players | High influence, high interest – actively engage | Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success. |
Mediators | High influence, low interest – keep satisfied | They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders. |
Noisemakers | Low influence, high interest – keep informed | Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them. |
Spectators | Low influence, low interest – monitor | They are followers. Keep them in the loop by providing clarity on objectives and status updates. |
This exercise is intended to help you lay out the framing of your strategy and the justification for the effort. A lot of these items can be pulled directly from the product canvas you created in phase 2. This is intended to be a single slide to frame your upcoming discussions.
Output
Participants
Record the results in the Digital Product Family Strategy Playbook.
Why do we need product families?
What is in our way?
Our first step will be...
Activities
5.2.1 Define your communication cadence for your strategy updates
5.2.2 Define your messaging for each stakeholder
This step involves the following participants:
Outcomes of this step
Remember the role of different artifacts when it comes to your strategy. The canvas contributes to the What, and the roadmap addresses the How. Any updates to the strategy are articulated and communicated through your roadmap.
EXAMPLE:
Roadmap Name | Audience/Stakeholders | Communication Cadence |
---|---|---|
External Customer Roadmap | Customers and External Users | Quarterly (Website) |
Product Delivery Roadmap | Development Teams, Infrastructure, Architects | Monthly (By Email) |
Technology Roadmap | Development Teams, Infrastructure, Architects | Biweekly (Website) |
Output
Participants
Record the results in the Digital Product Family Strategy Playbook.
Leaders of successful change spend considerable time developing a powerful change message, i.e. a compelling narrative that articulates the desired end state and makes the change concrete and meaningful to staff.
The change message should:
Five elements of communicating change
Source: Cornelius & Associates
Why are we here?
Speak to what matters to them
Sell the improvement
Show real value
Discuss potential fears
Ask for their support
Be gracious
It’s one thing to communicate the strategy, it’s another thing to send the right message to your stakeholders. Some of this will depend on the kind of news given, but the majority of this is dependent on the stakeholder and the cadence of communication.
EXAMPLE:
Roadmap Name | Audience/ Stakeholder | Communication Cadence | Messaging |
---|---|---|---|
External Customer Roadmap | Customers and External Users | Quarterly (Website) |
Output
Participants
Record the results in the Digital Product Family Strategy Playbook.
Activities
5.3.1 How do we get started?
This step involves the following participants:
Outcomes of this step
Learning Milestones | Sprint Zero (AKA Project-before-the-project) |
---|---|
The completion of a set of artifacts dedicated to validating business opportunities and hypotheses. Possible areas of focus: Align teams on product strategy prior to build; Market research and analysis; Dedicated feedback sessions; Provide information on feature requirements | The completion of a set of key planning activities, typically the first sprint. Possible areas of focus: Focus on technical verification to enable product development alignment; Sign off on architectural questions or concerns |
Go to your backlog and prioritize the elements that need to be answered sooner rather than later.
Possible areas of focus:
Regulatory requirements or questions to answer around accessibility, security, privacy.
Stress testing any new processes against situations that may occur.
Now: What are you going to do now?
Next: What are you going to do very soon?
Later: What are you going to do in the future?
Source: “Tips for Agile product roadmaps & product roadmap examples,” Scrum.org, 2017
Output
Participants
Record the results in the Digital Product Family Strategy Playbook.
Record the results in the Deliver Digital Products at Scale Workbook.
The journey to become a product-centric organization is not short or easy. Like with any improvement or innovation, teams need to continue to evolve and mature with changes in their operations, teams, tools, and user needs. You’ve taken a big step completing your product family alignment. This provides a backbone for aligning all aspects of your organization to your enterprise goals and strategy while empowering product teams to find solutions closer to the problem. Continue to refine your model and operations to improve value realization and your product delivery pipelines to embrace business agility. Organizations that are most responsive to change will continue to outperform command-and-control leadership.
Emily Archer
Lead Business Analyst,
Enterprise Consulting, authentic digital agency
Emily Archer is a consultant currently working with Fortune 500 clients to ensure the delivery of successful projects, products, and processes. She helps increase the business value returned for organizations’ investments in designing and implementing enterprise content hubs and content operations, custom web applications, digital marketing, and e-commerce platforms.
David Berg
Founder & CTO
Strainprint Technologies Inc.
David Berg is a product commercialization expert that has spent the last 20 years of his career delivering product management and business development services across a broad range of industries. Early in his career, David worked with product management and engineering teams to build core network infrastructure products that secure and power the internet we benefit from today. David’s experience also includes working with clean technologies in the area of clean power generation, agritech, and Internet of Things infrastructure. Over the last five years, David has been focused on his latest venture, Strainprint Technologies, a data and analytics company focused on the medical cannabis industry. Strainprint has built the largest longitudinal medical cannabis dataset in the world with the goal to develop an understanding of treatment behavior, interactions, and chemical drivers to guide future product development.
Kathy Borneman
Digital Product Owner, SunTrust Bank
Kathy Borneman is a senior product owner who helps people enjoy their jobs again by engaging others in end-to-end decision making to deliver software and operational solutions that enhance the client experience and allow people to think and act strategically.
Charlie Campbell
Product Owner, Merchant e-Solutions
Charlie Campbell is an experienced problem solver with the ability to quickly dissect situations and recommend immediate actions to achieve resolution, liaise between technical and functional personnel to bridge the technology and communication gap, and work with diverse teams and resources to reach a common goal.
Yarrow Diamond
Sr. Director, Business Architecture
Financial Services
Yarrow Diamond is an experienced professional with expertise in enterprise strategy development, project portfolio management, and business process reengineering across financial services, healthcare and insurance, hospitality, and real estate environments. She has a master’s in Enterprise Architecture from Penn State University, LSSMBB, PMP, CSM, ITILv3.
Cari J. Faanes-Blakey, CBAP, PMI-PBA
Enterprise Business Systems Analyst,
Vertex, Inc.
Cari J. Faanes-Blakey has a history in software development and implementation as a Business Analyst and Project Manager for financial and taxation software vendors. Active in the International Institute of Business Analysis (IIBA), Cari participated on the writing team for the BA Body of Knowledge 3.0 and the certification exam.
Kieran Gobey
Senior Consultant Professional Services
Blueprint Software Systems
Kieran Gobey is an IT professional with 24 years of experience, focused on business, technology, and systems analysis. He has split his career between external and internal customer-facing roles, and this has resulted in a true understanding of what is required to be a Professional Services Consultant. His problem-solving skills and ability to mentor others have resulted in successful software implementations. Kieran’s specialties include deep system troubleshooting and analysis skills, facilitating communications to bring together participants effectively, mentoring, leadership, and organizational skills.
Rupert Kainzbauer
VP Product, Digital Wallets
Paysafe Group
Rupert Kainzbauer is an experienced senior leader with a passion for defining and delivering products that deliver real customer and commercial benefit. Together with a team of highly experienced and motivated product managers, he has successfully led highly complex, multi-stakeholder payments initiatives, from proposition development and solution design through to market delivery. Their domain experience is in building online payment products in high-risk and emerging markets, remittance, prepaid cards, and mobile applications.
Saeed Khan
Founder,
Transformation Labs
Saeed Khan has been working in high tech for 30 years in both Canada and the US and has held a number of leadership roles in Product Management over that time. He speaks regularly at conferences and has been writing publicly about technology product management since 2005. Through Transformation Labs, Saeed helps companies accelerate product success by working with product teams to improve their skills, practices, and processes. He is a cofounder of ProductCamp Toronto and currently runs a Meetup group and global Slack community called Product Leaders, the only global community of senior-level product executives.
Hoi Kun Lo
Product Owner
Nielsen
Hoi Kun Lo is an experienced change agent who can be found actively participating within the IIBA and WITI groups in Tampa, FL and a champion for Agile, architecture, diversity, and inclusion programs at Nielsen. She is currently a Product Owner in the Digital Strategy team within Nielsen Global Watch Technology.
Abhishek Mathur
Sr Director, Product Management
Kasisto, Inc.
Abhishek Mathur is a product management leader, an artificial intelligence practitioner, and an educator. He has led product management and engineering teams at Clarifai, IBM, and Kasisto to build a variety of artificial intelligence applications within the space of computer vision, natural language processing, and recommendation systems. Abhishek enjoys having deep conversations about the future of technology and helping aspiring product managers enter and accelerate their careers.
Jeff Meister
Technology Advisor and Product Leader
Jeff Meister is a technology advisor and product leader. He has more than 20 years of experience building and operating software products and the teams that build them. He has built products across a wide range of industries and has built and led large engineering, design, and product organizations. Jeff most recently served as Senior Director of Product Management at Avanade, where he built and led the product management practice. This involved hiring and leading product managers, defining product management processes, solution shaping and engagement execution, and evangelizing the discipline through pitches, presentations, and speaking engagements. Jeff holds a Bachelor’s of Applied Science (Electrical Engineering) and a Bachelor’s of Arts from the University of Waterloo, an MBA from INSEAD (Strategy), and certifications in product management, project management, and design thinking.
Vincent Mirabelli
Principal,
Global Project Synergy Group
With over 10 years of experience in both the private and public sectors, Vincent Mirabelli possesses an impressive track record of improving, informing, and transforming business strategy and operations through process improvement, design and re-engineering, and the application of quality to business analysis, project management, and process improvement standards.
Oz Nazili
VP, Product & Growth
TWG
Oz Nazili is a product leader with a decade of experience in both building products and product teams. Having spent time at funded startups and large enterprises, he thinks often about the most effective way to deliver value to users. His core areas of interest include Lean MVP development and data-driven product growth.
Mark Pearson
Principal IT Architect, First Data Corporation
Mark Pearson is an executive business leader grounded in the process, data, technology, and operations of software-driven business. He knows the enterprise software landscape and is skilled in product, technology, and operations design and delivery within information technology organizations, outsourcing firms, and software product companies.
Brenda Peshak
Product Owner,
Widget Industries, LLC
Brenda Peshak is skilled in business process, analytical skills, Microsoft Office Suite, communication, and customer relationship management (CRM). She is a strong product management professional with a Master’s focused in Business Leadership (MBL) from William Penn University.
Mike Starkey
Director of Engineering
W.W. Grainger
Mike Starkey is a Director of Engineering at W.W. Grainger, currently focusing on operating model development, digital architecture, and building enterprise software. Prior to joining W.W. Grainger, Mike held a variety of technology consulting roles throughout the system delivery lifecycle spanning multiple industries such as healthcare, retail, manufacturing, and utilities with Fortune 500 companies.
Anant Tailor
Cofounder & Head of Product
Dream Payments Corp.
Anant Tailor is a cofounder at Dream Payments where he currently serves as the COO and Head of Product, having responsibility for Product Strategy & Development, Client Delivery, Compliance, and Operations. He has 20+ years of experience building and operating organizations that deliver software products and solutions for consumers and businesses of varying sizes. Prior to founding Dream Payments, Anant was the COO and Director of Client Services at DonRiver Inc, a technology strategy and software consultancy that he helped to build and scale into a global company with 100+ employees operating in seven countries. Anant is a Professional Engineer with a Bachelor’s degree in Electrical Engineering from McMaster University and a certificate in Product Strategy & Management from the Kellogg School of Management at Northwestern University.
Angela Weller
Scrum Master, Businessolver
Angela Weller is an experienced Agile business analyst who collaborates with key stakeholders to attain their goals and contributes to the achievement of the company’s strategic objectives to ensure a competitive advantage. She excels when mediating or facilitating teams.
Deliver on Your Digital Product Vision
Build Your Agile Acceleration Roadmap
Implement Agile Practices That Work
Implement DevOps Practices That Work
Extend Agile Practices Beyond IT
Embed Security Into the DevOps Pipeline
Spread Best Practices With an Agile Center of Excellence
Enable Organization-Wide Collaboration by Scaling Agile
Application Portfolio Management for Small Enterprises
Streamline Application Maintenance
Build an Application Rationalization Framework
Review Your Application Strategy
Streamline Application Management
Optimize Applications Release Management
Embrace Business-Managed Applications
Build a Value Measurement Framework
Select and Use SDLC Metrics Effectively
Application Portfolio Assessment: End User Feedback
Create a Holistic IT Dashboard
Refine Your Estimation Practices With Top-Down Allocations
Estimate Software Delivery With Confidence
Reduce Time to Consensus With an Accelerated Business Case
Optimize Project Intake, Approval, and Prioritization
Enhance PPM Dashboards and Reports
Redesign Your IT Organizational Structure
Build a Strategic Workforce Plan
Implement a New Organizational Structure
Improve Employee Engagement to Drive IT Performance
Set Meaningful Employee Performance Measures
Master Organizational Change Management Practices
“12th Annual State of Agile Report.” VersionOne, 9 April 2018. Web.
A, Karen. “20 Mental Models for Product Managers.” Product Management Insider, Medium, 2 Aug. 2018. Web.
Adams, Paul. “Product Teams: How to Build & Structure Product Teams for Growth.” Inside Intercom, 30 Oct. 2019. Web.
Agile Alliance. “Product Owner.” Agile Alliance. n.d. Web.
Ambysoft. “2018 IT Project Success Rates Survey Results.” Ambysoft. 2018. Web.
Banfield, Richard, et al. “On-Demand Webinar: Strategies for Scaling Your (Growing) Enterprise Product Team.” Pluralsight, 31 Jan. 2018. Web.
Berez, Steve, et al. “How to Plan and Budget for Agile at Scale.” Bain & Company, 8 Oct. 2019. Web.
Blueprint. “10 Ways Requirements Can Sabotage Your Projects Right From the Start.” Blueprint. 2012. Web.
Breddels, Dajo, and Paul Kuijten. “Product Owner Value Game.” Agile2015 Conference, Agile Alliance 2015. Web.
Cagan, Martin. “Behind Every Great Product.” Silicon Valley Product Group. 2005. Web.
Cohn, Mike. “What Is a Product?” Mountain Goat Software. 6 Sept. 2016. Web.
Connellan, Thomas K. Inside the Magic Kingdom, Bard Press, 1997.
Curphey, Mark. “Product Definition.” SlideShare, 25 Feb. 2007. Web.
“Delegation Poker Product Image.” Management 3.0, n.d. Web.
Distel, Dominic, et al. “Finding the sweet spot in product-portfolio management.” McKinsey, 4 Dec. 2020. Web.
Eringa, Ron. “Evolution of the Product Owner.” RonEringa.com, 12 June 2016. Web.
Fernandes, Thaisa. “Spotify Squad Framework - Part I.” PM101, Medium, 6 Mar. 2017. Web.
Galen, Robert. “Measuring Product Ownership – What Does ‘Good’ Look Like?” RGalen Consulting, 5 Aug. 2015. Web.
Halisky, Merland, and Luke Lackrone. “The Product Owner’s Universe.” Agile2016 Conference, Agile Alliance, 2016. Web.
Kamer, Jurriaan. “How to Build Your Own ‘Spotify Model’.” The Ready, Medium, 9 Feb. 2018. Web.
Kendis Team. “Exploring Key Elements of Spotify’s Agile Scaling Model.” Scaled Agile Framework, Medium, 23 Jul. 2018. Web.
Lindstrom, Lowell. “7 Skills You Need to Be a Great Product Owner.” Scrum Alliance, n.d. Web.
Lukassen, Chris. “The Five Belts Of The Product Owner.” Xebia.com, 20 Sept. 2016. Web.
McCloskey, Heather. “Scaling Product Management: Secrets to Defeating Common Challenges.” ProductPlan, 12 July 2019. Web.
McCloskey, Heather. “When and How to Scale Your Product Team.” UserVoice, 21 Feb. 2017. Web.
Mironov, Rich. “Scaling Up Product Manager/Owner Teams.” Rich Mironov's Product Bytes, Mironov Consulting, 12 Apr. 2014. Web.
Overeem, Barry. “A Product Owner Self-Assessment.” Barry Overeem, 6 Mar. 2017. Web.
Overeem, Barry. “Retrospective: Using the Team Radar.” Barry Overeem, 27 Feb. 2017. Web.
Pichler, Roman. “How to Scale the Scrum Product Owner.” Roman Pichler, 28 June 2016. Web.
Pichler, Roman. “Product Management Framework.” Pichler Consulting Limited, 2014. Web.
Pichler, Roman. “Sprint Planning Tips for Product Owners.” LinkedIn, 4 Sept. 2018. Web.
Pichler, Roman. “What Is Product Management?” Pichler Consulting Limited, 26 Nov. 2014. Web.
Radigan, Dan. “Putting the ‘Flow’ Back in Workflow With WIP Limits.” Atlassian, n.d. Web.
Rouse, Margaret. “Definition: product.” TechTarget, Sept. 2005. Web.
Schuurman, Robbin. “10 Tips for Product Owners on (Business) Value.” Scrum.org, 30 Nov. 2017. Web.
Schuurman, Robbin. “10 Tips for Product Owners on Agile Product Management.” Scrum.org, 28 Nov. 2017. Web.
Schuurman, Robbin. “10 Tips for Product Owners on Product Backlog Management.” Scrum.org, 5 Dec. 2017. Web.
Schuurman, Robbin. “10 Tips for Product Owners on the Product Vision.” Scrum.org, 29 Nov. 2017. Web.
Schuurman, Robbin. “Tips for Starting Product Owners.” Scrum.org, 27 Nov. 2017. Web.
Sharma, Rohit. “Scaling Product Teams the Structured Way.” Monetary Musings, 28 Nov. 2016. Web.
Shirazi, Reza. “Betsy Stockdale of Seilevel: Product Managers Are Not Afraid To Be Wrong.” Austin Voice of Product, 2 Oct. 2018. Web.
Steiner, Anne. “Start to Scale Your Product Management: Multiple Teams Working on Single Product.” Cprime, 6 Aug. 2019. Web.
“The Qualities of Leadership: Leading Change.” Cornelius & Associates, 2016. Web.
“The Standish Group 2015 Chaos Report.” The Standish Group. 2015. Web.
Theus, Andre. “When Should You Scale the Product Management Team?” ProductPlan, 7 May 2019. Web.
Tolonen, Arto. “Scaling Product Management in a Single Product Company.” Smartly.io, 26 Apr. 2018. Web.
Ulrich, Catherine. “The 6 Types of Product Managers. Which One Do You Need?” Medium, 19 Dec. 2017. Web.
Verwijs, Christiaan. “Retrospective: Do The Team Radar.” The Liberators, Medium, 10 Feb. 2017. Web.
Vlaanderen, Kevin. “Towards Agile Product and Portfolio Management.” Academia.edu, 2010. Web.
Bastow, Janna. “Creating Agile Product roadmaps Everyone Understands.” ProdPad, 22 Mar. 2017. Accessed Sept. 2018.
Bastow, Janna. “The Product Tree Game: Our Favorite Way To Prioritize Features.” ProdPad, 21 Feb. 2016. Accessed Sept. 2018.
Chernak, Yuri. “Requirements Reuse: The State of the Practice.” 2012 IEEE International Conference, 12 June 2012, Herzliya, Israel. Web.
Fowler, Martin. “Application Boundary.” MartinFowler.com, 11 Sept. 2003. Accessed 20 Nov. 2017.
Harrin, Elizabeth. “Learn What a Project Milestone Is.” The Balance Careers, 10 May 2018. Accessed Sept. 2018.
“How to create a product roadmap.” Roadmunk, n.d. Accessed Sept. 2018.
Johnson, Steve. “How to Master the 3 Horizons of Product Strategy.” Aha!, 24 Sept. 2015. Accessed Sept. 2018.
Johnson, Steve. “The Product Roadmap vs. the Technology Roadmap.” Aha!, 23 June 2016. Accessed Sept. 2018.
Juncal, Shaun. “How Should You Set Your Product Roadmap Timeframes?” ProductPlan, Web. Sept. 2018.
Leffingwell, Dean. “SAFe 4.0.” Scaled Agile, 2017. Web.
Maurya, Ash. “What is a Minimum Viable Product (MVP).” Leanstack, 12 June 2017. Accessed Sept. 2018.
Pichler, Roman. “10 Tips for Creating an Agile Product Roadmap.” Roman Pichler, 20 July 2016. Accessed Sept. 2018.
Pichler, Roman. Strategize: Product Strategy and Product Roadmap Practices for the Digital Age. Pichler Consulting, 2016.
“Product Roadmap Contents: What Should You Include?” ProductPlan, n.d. Accessed 20 Nov. 2017.
Saez, Andrea. “Why Your Roadmap Is Not a Release Plan.” ProdPad, 23 October 2015. Accessed Sept. 2018.
Schuurman, Robbin. “Tips for Agile product roadmaps & product roadmap examples.” Scrum.org, 7 Dec. 2017. Accessed Sept. 2018.
Adams, Paul. “The Future Product Canvas.” Inside Intercom, 10 Jan. 2014. Web.
“Aligning IT Funding Models to the Pace of Technology Change.” EDUCAUSE, 14 Dec. 2015. Web.
Altman, Igor. “Metrics: Gone Bad.” OpenView, 10 Nov. 2009. Web.
Barry, Richard. “The Product Vision Canvas – a Strategic Tool in Developing a Successful Business.” Polymorph, 2019. Web.
“Business Canvas – Business Models & Value Propositions.” Strategyzer, 2019. Web.
“Business Model Canvas.” Wikipedia: The Free Encyclopedia, 4 Aug. 2019. Web.
Charak, Dinker. “Idea to Product: The Working Model.” ThoughtWorks, 13 July 2017. Web.
Charak, Dinker. “Product Management Canvas - Product in a Snapshot.” Dinker Charak, 29 May 2017. Web.
Chudley, James. “Practical Steps in Determining Your Product Vision (Product Tank Bristol, Oct. 2018).” LinkedIn SlideShare. Uploaded by cxpartners, 2 Nov. 2018. Web.
Cowan, Alex. “The 20 Minute Business Plan: Business Model Canvas Made Easy.” COWAN+, 2019. Web.
Craig, Desiree. “So You've Decided To Become A Product Manager.” Start it up, Medium, 2 June 2019. Web.
“Create an Aha! Business Model Canvas Strategic Model.” Aha! Support, 2019. Web.
Eick, Stephen. “Does Code Decay? Assessing the Evidence from Change Management Data.” IEEE Transactions on Software Engineering, vol. 27, no. 1, Jan. 2001, pp. 1-12. Web.
Eriksson, Martin. “The next Product Canvas.” Mind the Product, 22 Nov. 2013. Web.
“Experience Canvas: a Lean Approach: Atlassian Team Playbook.” Atlassian, 2019. Web.
Freeman, James. “How to Make a Product Canvas – Visualize Your Product Plan.” Edraw, 23 Dec. 2019. Web.
Fuchs, Danny. “Measure What Matters: 5 Best Practices from Performance Management Leaders.” OpenGov, 8 Aug. 2018. Web.
Gorisse, Willem. “A Practical Guide to the Product Canvas.” Mendix, 28 Mar. 2017. Web.
Gothelf, Jeff. “The Lean UX Canvas.” Jeff Gothelf, 15 Dec. 2016. Web.
Gottesdiener, Ellen. “Using the Product Canvas to Define Your Product: Getting Started.” EBG Consulting, 15 Jan. 2019. Web.
Gottesdiener, Ellen. “Using the Product Canvas to Define Your Product's Core Requirements.” EBG Consulting, 4 Feb. 2019. Web.
Gray, Mark Krishan. “Should I Use the Business Model Canvas or the Lean Canvas?” Emergn, 2019. Web.
Hanby, Jeff. “Software Maintenance: Understanding and Estimating Costs.” LookFar, 21 Oct. 2016. Web.
“How do you define a product?” Scrum.org, 4 Apr. 2017. Web.
Juncal, Shaun. “How to Build a Product Roadmap Based on a Business Model Canvas.” ProductPlan, 19 June 2019. Web.
“Lean Canvas Intro - Uber Example.” YouTube, uploaded by Railsware Product Academy, 12 Oct. 2018. Web.
“Lesson 6: Product Canvas.” ProdPad Help Center, 2019. Web.
Lucero, Mario. “The Product Canvas.” Agilelucero.com, 22 June 2015. Web.
Maurya, Ash. “Create a New Lean Canvas.” Canvanizer, 2019. Web.
Maurya, Ash. “Don't Write a Business Plan. Create a Lean Canvas Instead.” LEANSTACK, 2019. Web.
Maurya, Ash. “Why Lean Canvas vs Business Model Canvas?” Medium, 27 Feb. 2012. Web.
Mirabelli, Vincent. “The Project Value Canvas.” Vincent Mirabelli, 2019. Web.
Mishra, LN. “Business Analysis Canvas – The Ultimate Enterprise Architecture.” BA Times, 19 June 2019. Web.
Muller, Jerry Z. “Why performance metrics isn’t always the best way to judge performance.” Fast Company, 3 April 2019. Web.
Perri, Melissa. “What Is Good Product Strategy?” Melissa Perri, 14 July 2016. Web.
Pichler, Roman. “A Product Canvas for Agile Product Management, Lean UX, Lean Startup.” Roman Pichler, 16 July 2012. Web.
Pichler, Roman. “Introducing the Product Canvas.” JAXenter, 15 Jan. 2013. Web.
Pichler, Roman. “Roman's Product Canvas: Introduction.” YouTube, uploaded by Roman Pichler, 3 Mar. 2017. Web.
Pichler, Roman. “The Agile Vision Board: Vision and Product Strategy.” Roman Pichler, 10 May 2011. Web.
Pichler, Roman. “The Product Canvas – Template.” Roman Pichler, 11 Oct. 2016. Web.
Pichler, Roman. “The Product Canvas Tutorial V1.0.” LinkedIn SlideShare. Uploaded by Roman Pichler, 14 Feb. 2013. Web.
Pichler, Roman. “The Product Vision Board: Introduction.” YouTube, uploaded by Roman Pichler, 3 Mar. 2017. Web.
“Product Canvas PowerPoint Template.” SlideModel, 2019. Web.
“Product Canvas.” SketchBubble, 2019. Web.
“Product Canvas.” YouTube, uploaded by Wojciech Szramowski, 18 May 2016. Web.
“Product Roadmap Software to Help You Plan, Visualize, and Share Your Product Roadmap.” Productboard, 2019. Web.
Roggero, Giulio. “Product Canvas Step-by-Step.” LinkedIn SlideShare, uploaded by Giulio Roggero, 18 May 2013. Web.
Royce, Dr. Winston W. “Managing the Development of Large Software Systems.” Scf.usc.edu, 1970. Web.
Ryan, Dustin. “The Product Canvas.” Qdivision, Medium, 20 June 2017. Web.
Snow, Darryl. “Product Vision Board.” Medium, 6 May 2017. Web.
Stanislav, Shymansky. “Lean Canvas – a Tool Your Startup Needs Instead of a Business Plan.” Railsware, 12 Oct. 2018. Web.
Stanislav, Shymansky. “Lean Canvas Examples of Multi-Billion Startups.” Railsware, 20 Feb. 2019. Web.
“The Product Vision Canvas.” YouTube, uploaded by Tom Miskin, 20 May 2019. Web.
Tranter, Leon. “Agile Metrics: the Ultimate Guide.” Extreme Uncertainty, n.d. Web.
“Using Business Model Canvas to Launch a Technology Startup or Improve Established Operating Model.” AltexSoft, 27 July 2018. Web.
Veyrat, Pierre. “Lean Business Model Canvas: Examples + 3 Pillars + MVP + Agile.” HEFLO BPM, 10 Mar. 2017. Web.
“What Are Software Metrics and How Can You Track Them?” Stackify, 16 Sept. 2017. Web.
“What Is a Product Vision?” Aha!, 2019. Web.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Get an overview of emerging AI applications to understand how they will strengthen a shift-left service support strategy.
Review potential use cases for AI applications to prioritize improvement initiatives and align them to organizational goals.
Develop an ITSM AI strategy to prepare your organization for the coming of cognitive service management, and build a roadmap for implementation.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This blueprint will help you build a business case for selecting the right MMS platform, define key requirements, and conduct a thorough analysis and scan of the current state of the ever-evolving MMS market space.
Modern marketing management suites (MMS) are imperative given today's complex, multitiered, and often non-standardized marketing processes. Relying on isolated methods such as lead generation or email marketing techniques for executing key cross-channel and multichannel marketing initiatives is not enough to handle the complexity of contemporary marketing management activities.
Organizations need to invest in highly customizable and functionally extensive MMS platforms to provide value alongside the marketing value chain and a 360-degree view of the consumer's marketing journey. IT needs to be rigorously involved with the sourcing and implementation of the new MMS tool, and the necessary business units also need to own the requirements and be involved from the initial stages of software selection.
To succeed with MMS implementation, consider drafting a detailed roadmap that outlines milestone activities for configuration, security, points of integration, and data migration capabilities and provides for ongoing application maintenance and support.
Yaz Palanichamy
Senior Research Analyst, Customer Experience Strategy
Info-Tech Research Group
IT must collaborate with marketing professionals and other key stakeholder groups to define a unified vision and holistic outlook for a right-sized MMS platform.
| | 1. Understand Core MMS Features | 2. Build the Business Case & Streamline Requirements | 3. Discover the MMS Market Space & Prepare for Implementation |
|---|---|---|---|
| Phase Steps | | | |
| Phase Outcomes | | | |
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
Call #1: Understand what a marketing management suite is. Discuss core capabilities and key trends. | Call #2: Build the business case Call #3: Define your core Call #4: Build and sustain procurement vehicle best practices. | Call #5: Evaluate the MMS vendor landscape and short-list viable options. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
The MMS procurement process should be broken into segments:
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Our Definition: Marketing management suite (MMS) platforms are core enterprise applications that provide a unified set of marketing processes for a given organization and, typically, the capability to coordinate key cross-channel marketing initiatives.
Key product capabilities for sophisticated MMS platforms include but are not limited to:
Using a robust and comprehensive MMS platform equips marketers with the appropriate tools needed to make more informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention initiatives. Moreover, such tools can help bolster effective revenue generation and ensure more viable growth initiatives for future marketing growth enablement strategies.
Feature sets are rapidly evolving over time as MMS offerings continue to proliferate in this market space. Ensure that you focus on core components such as customer conversion rates and new lead captures through maintaining well-integrated multichannel campaigns.
A right-sized MMS software selection and procurement decision should involve comprehensive requirements and needs analysis by not just Marketing but also other organizational units such as IT, in conjunction with input supplied from the internal vendor procurement team.
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
1.1 Define MMS Platforms; 1.2 Classify Table Stakes & Differentiating Capabilities; 1.3 Explore Trends | 2.1 Build the Business Case; 2.2 Streamline Requirements Elicitation; 2.3 Develop an Inclusive RFP Approach | 3.1 Discover Key Players in the Vendor Landscape; 3.2 Engage the Shortlist & Select Finalist; 3.3 Prepare for Implementation |
This phase will walk you through the following activities:
This phase involves the following participants:
Initial traction for marketing management strategies began with the need to holistically understand the effects of advertising efforts and how the media mix could be best optimized.
1902 | 1920s-1930s | 1942 | 1952-1964 | 1970s-1990s |
---|---|---|---|---|
Recognizing the increasing need for focused and professional marketing efforts, the University of Pennsylvania offers the first marketing course, dubbed "The Marketing of Products." | As broadcast media began to peak, marketers needed to manage a greater number of complex and interspersed marketing channels. | The introduction of television ads in 1942 offered new opportunities for brands to reach consumers across a growing media landscape. To generate the highest ROI, marketers sought to understand the consumer and focus on more tailored messaging and product personalization. Thus, modern marketing practices were born. | Following the introduction of broadcast media, marketers had to develop strategies beyond traditional spray-and-pray methods. The first modern marketing measurement concept, "marketing mix," was conceptualized in 1952 and popularized in 1964 by Neil Borden. | This period marked the digital revolution and the new era of marketing. With the advent of new communications technology and the modern internet, marketing management strategies reached new heights of sophistication. During the early 1990s, search engines emerged to help users navigate the web, leading to early forms of search engine optimization and advertising. |
6% | As a continuously growing discipline, marketing management roles are predicted to grow faster than average, at a rate of 6% over the next decade. Source: U.S. Bureau of Labor Statistics, 2021 |
---|---|
17% | While many marketing management vendors offer A/B testing, only 17% of marketers are actively using A/B testing on landing pages to increase conversion rates. Source: Oracle, 2022 |
70% | It is imperative that technology and SaaS companies begin to use marketing automation as a core component of their martech strategy to remain competitive. About 70% of technology and SaaS companies are employing integrated martech tools. Source: American Marketing Association, 2021 |
Email Marketing | Lead Nurturing | Reporting, Analytics, and Marketing KPIs | Marketing Campaign Management | Integrational Catalog |
---|---|---|---|---|
The use of email alongside marketing efforts to promote a business' products and services. Email marketing can be a powerful tool to maintain connections with your audience and ensure sustained brand promotion. | The process of developing and nurturing relationships with key customer contacts at every major touchpoint in their customer journey. MMS platforms can use automated lead-nurturing functions that are triggered by customer behavior. | The use of well-defined metrics to help curate, gather, and analyze marketing data to help track performance and improve the marketing department's future marketing decisions and strategies. | Tools needed for the planning, execution, tracking, and analysis of direct marketing campaigns. Such tools are needed to help gauge your buyers' sentiments toward your company's product offerings and services. | MMS platforms should generally have a comprehensive open API/integration catalog. Most MMS platforms should have dedicated integration points to interface with various tools across the marketing landscape (e.g. social media, email, SEO, CRM, CMS tools, etc.). |
Digital Asset Management (DAM) | A DAM can help manage digital media asset files (e.g. photos, audio files, video). |
---|---|
Customer Data Management | Customer data management modules help your organization track essential customer information to maximize your marketing results. |
Text-Based Marketing | Text-based marketing strategy is ideal for any organization primarily focused on coordinating structured and efficient marketing campaigns. |
Customer | Customer journey orchestration enables users to orchestrate customer conversations and journeys across the entire marketing value chain. |
AI-Driven Workflows | AI-powered workflows can help eliminate complexities and allow marketers to automate and optimize tasks across the marketing spectrum. |
Dynamic Segmentation | Dynamic segmentation to target audience cohorts based on recent actions and stated preferences. |
Advanced Email Marketing | These include capabilities such as A/B testing, spam filter testing, and detailed performance reporting. |

Data-Driven | Adapt innovative techniques such as conversational marketing to help collect, analyze, and synthesize crucial audience information to improve the customer marketing experience and pre-screen prospects in a more conscientious manner. |
---|---|
Next Best Action Marketing | Next best action marketing (NBAM) is a customer-centric paradigm/marketing technique designed to capture specific information about customers and their individual preferences. Predicting customers' future actions by understanding their intent during their purchasing decisions stage will help improve conversion rates. |
AI-Driven Customer | The use of inclusive and innovative AI-based forecast modeling techniques can help more accurately analyze customer data to create more targeted segments. As such, marketing messages will be more accurately tailored to the customer that is reading them. |
Are you curious about the measures needed to boost engagement among your client base and other primary target audience groups? Conversational marketing intelligence metrics can help collect and disseminate key descriptive data points across a broader range of audience information.
Certain social media channels (e.g. LinkedIn and Facebook) like to take advantage of click-to-Messenger-style applications to help drive meaningful conversations with customers and learn more about their buying preferences. In addition, AI-driven chatbot applications can help the organization glean important information about the customer's persona by asking probing questions about their marketing purchase behaviors and preferences.
One of the newest phenomena in data-driven marketing technology and digital advertising techniques is the metaverse, where users can represent themselves and their brand via virtual avatars to further gamify their marketing strategies. Moreover, brands can create immersive experiences and engage with influencers and established communities and collect a wealth of information about their audience that can help drive customer retention and loyalty.
Metaverse marketing extends the potential for commercial brand development and representation: a deep dive into Gucci's metaverse practice
INDUSTRY: Luxury Goods Apparel
SOURCE: Vogue Business
Beginning with a small, family-owned leather shop known as House of Gucci in Florence, Italy, businessman and fashion designer Guccio Gucci sold saddles, leather bags, and other accessories to horsemen during the 1920s. Over the years, Gucci's offerings have grown to include various other personal luxury goods.
As consumer preferences have evolved over time, particularly with the younger generation, Gucci's professional marketing teams looked to invest in virtual technology environments to help build and sustain better brand awareness among younger consumer audiences.
In response to the increasing presence of metaverse-savvy gamers on the internet, Gucci began investing in developing its online metaverse presence to bolster its commercial marketing brand there.
A recent collaboration with Roblox, an online gaming platform that offers virtual experiences, provided Gucci the means to showcase its fashion items using the Gucci Garden – a virtual art installation project for Generation Z consumers, powered by Roblox's VR technology. The Gucci Garden virtual system featured a French-styled garden environment where players could try on and buy Gucci virtual fashion items to dress up their blank avatars.
Gucci's disruptive, innovative metaverse marketing campaign project with Roblox is proof of its commitment to tapping new marketing growth channels to showcase the brand to engage new and prospective consumers (e.g. Roblox's player base) across more unique sandboxed/simulation environments.
The freedom and flexibility of metaverse environments allow brands such as Gucci to execute a more flexible digital marketing approach and to take advantage of innovative metaverse-driven technologies in the market to further drive their data-driven digital marketing campaigns.
To improve conversion propensity, next best action techniques can use predictive modeling methods to help build a dynamic overview of the customer journey. With information sourced from actionable marketing intelligence data, MMS platforms can use NBAM techniques to identify customer needs based on their buying behavior, social media interactions, and other insights to determine what unique set of actions should be taken for each customer.
Rules-based recommender systems can help assign probabilities of purchasing behaviors based on the patterns in touchpoints of a customer's journey and interaction with your brand. For instance, a large grocery chain company such as Walmart or Whole Foods will use ML-based recommender systems to decide what coupons they should offer to their customers based on their purchasing history.
The inclusion of AI in data analytics helps make customer targeting more accurate and meaningful. Organizations can analyze customer data more thoroughly and generate in-depth contextual and descriptive information about the targeted segments. In addition, they can use this information to automate the personalization of marketing campaigns for a specific target audience group.
To greatly benefit from AI-powered customer segmentation, organizations must deploy specialized custom AI solutions to help organize qualitative comments into quantitative data. This approach requires companies to use custom AI models and tools that will analyze customer sentiments and experiences based on data extracted from various touchpoints (e.g. CRM systems, emails, chatbot logs).
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
1.1 Define MMS Platforms 1.2 Classify Table Stakes & Differentiating Capabilities 1.3 Explore Trends | 2.1 Build the Business Case 2.2 Streamline Requirements Elicitation 2.3 Develop an Inclusive RFP Approach | 3.1 Discover Key Players in the Vendor Landscape 3.2 Engage the Shortlist & Select Finalist 3.3 Prepare for Implementation |
This phase will walk you through the following activities:
This phase involves the following participants:
Expert analyst guidance over 5 weeks on average to select software and negotiate with the vendor.
Save money, align stakeholders, speed up the process and make better decisions.
Use a repeatable, formal methodology to improve your application selection process.
Better, faster results, guaranteed, included in your membership.
Understanding business needs through requirements gathering is the key to defining everything you need from your software. However, it is an area where people often make critical mistakes.
Poorly scoped requirements | Best practices |
---|---|
Info-Tech Insight
Poor requirements are the number one reason projects fail. Review Info-Tech's Improve Requirements Gathering blueprint to learn how to improve your requirements analysis and get results that truly satisfy stakeholder needs.
Develop an inclusive and thorough approach to the RFP process
Review Info-Tech's process and understand how you can prevent your organization from leaking negotiation leverage while preventing vendors from taking control of your RFP.
You may be faced with multiple products, services, master service agreements, licensing models, service agreements, and more.
Use Info-Tech's Contract Review Service to gain insights on your agreements:
Validate that a contract meets IT's and the business' needs by looking beyond the legal terminology. Use a practical set of questions, rules, and guidance to improve your value for dollar spent.
This phase will walk you through the following activities:
This phase involves the following participants:
The following slides provide a top-level overview of the popular players you will encounter in your MMS shortlisting process.
The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions. Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.
The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions. Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.
Comprehensive software reviews
We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.
Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today's technology. Combined with the insight of our expert analysts, our members receive unparalleled support in their buying journey.
"Adobe Experience Cloud (AEC), formerly Adobe Marketing Cloud (AMC), provides a host of innovative multichannel analytics, social, advertising, media optimization, and content management products (just to name a few). The Adobe Marketing Cloud package allows users with valid subscriptions to download the entire collection and use it directly on their computer with open access to online updates. Organizations that have a deeply ingrained Adobe footprint and have already reaped the benefits of Adobe's existing portfolio of cloud services products (e.g. Adobe Creative Cloud) will find the AEC suite a functionally robust and scalable fit for their marketing management and marketing automation needs.
However, it is important to note that AEC's pricing model is expensive when compared to other competitors in the space (e.g. Sugar Market) and, therefore, is not as affordable for smaller or mid-sized organizations. Moreover, there is the expectation of a learning curve with the AEC platform. Newly onboarded users will need to spend some time learning how to navigate and work comfortably with AEC's marketing automation modules."
Yaz Palanichamy
Senior Research Analyst, Info-Tech Research Group
Adobe Experience Cloud Platform pricing is opaque.
Request a demo.*
*Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.
2021 | Adobe Experience Platform Launch is integrated into the Adobe Experience Platform as a suite of data collection technologies (Experience League, Adobe). |
---|---|
November 2020 | Adobe announces that it will spend $1.5 billion to acquire Workfront, a provider of marketing collaboration software (TechTarget, 2020). |
September 2018 | Adobe acquires marketing automation software company Marketo (CNBC, 2018). |
June 2018 | Adobe buys e-commerce services provider Magento Commerce from private equity firm Permira for $1.68 billion (TechCrunch, 2018). |
2011 | Adobe acquires DemDex, Inc. with the intention of adding DemDex's audience-optimization software to the Adobe Online Marketing Suite (Adobe News, 2011). |
2009 | Adobe acquires online marketing and web analytics company Omniture for $1.8 billion and integrates its products into the Adobe Marketing Cloud (Zippia, 2022). |
Adobe platform launches in December 1982.
Strengths:
Areas to Improve:
2021 | Microsoft Dynamics 365 suite adds customer journey orchestration as a viable key feature (TechTarget, 2021). |
---|---|
2019 | Microsoft begins adding to its Dynamics 365 suite in April 2019 with new functionalities such as virtual agents, fraud detection, new mixed reality (Microsoft Dynamics 365 Blog, 2019). |
2017 | Adobe and Microsoft expand key partnership between Adobe Experience Manager and Dynamics 365 integration (TechCrunch, 2017). |
2016 | Microsoft Dynamics CRM paid seats begin growing steadily at more than 2.5x year-over-year (TechCrunch, 2016). |
2016 | On-premises application, called Dynamics 365 Customer Engagement, contains the Dynamics 365 Marketing Management platform (Learn Microsoft, 2023). |
Microsoft Dynamics 365 product suite is released on November 1, 2016.
"Microsoft Dynamics 365 for Marketing remains a viable option for organizations that require a range of innovative MMS tools that can provide a wealth of functional capabilities (e.g. AI-powered analytics to create targeted segments, A/B testing, personalizing engagement for each customer). Moreover, Microsoft Dynamics 365 for Marketing offers trial options to sandbox their platform for free for 30 days to help users familiarize themselves with the software before buying into the product suite.
However, ensure that you have the time to effectively train users on implementing the MS Dynamics 365 platform. The platform does not score high on customizability in SoftwareReviews reports. Developers have only a limited ability to modify the core UI, so organizations need to be fully equipped with the knowledge needed to successfully navigate MS-based applications to take full advantage of the platform. For organizations deep in the Microsoft stack, D365 Marketing is a compelling option."
Yaz Palanichamy
Senior Research Analyst, Info-Tech Research Group
Dynamics 365 | Dynamics 365 |
---|---|
* Pricing correct as of October 2022. Listed in USD and absent discounts. See pricing on vendor's website for latest information.
Strengths:
Areas to Improve:
2022 | HubSpot Marketing Hub releases Campaigns 2.0 module for its Marketing Hub platform (HubSpot, 2022). |
---|---|
2018 | |
2014 | HubSpot celebrates its first initial public offering on the NYSE market (HubSpot Company News, 2014). |
2013 | HubSpot opens its first international office location in Dublin, Ireland. |
2010 | Brian Halligan and Dharmesh Shah write "Inbound Marketing," a seminal book that focuses on inbound marketing principles (HubSpot, n.d.). |
HubSpot opens for business in Cambridge, MA, USA, in 2005.
"HubSpot's Marketing Hub software ranks consistently high in scores across SoftwareReviews reports and remains a strong choice for organizations that want to run successful inbound marketing campaigns that make customers interested and engaged with their business. HubSpot Marketing Hub employs comprehensive feature sets, including the option to streamline ad tracking and management, perform various audience segmentation techniques, and build personalized and automated marketing campaigns.
However, SoftwareReviews reports indicate end users are concerned that HubSpot Marketing Hub's platform may be slightly overpriced in recent years and not cost effective for smaller and mid-sized companies that are working with a limited budget. Moreover, when it comes to mobile user accessibility reports, HubSpot's Marketing Hub does not directly offer data usage reports in relation to how mobile users navigate various web pages on the customer's website."
Yaz Palanichamy
Senior Research Analyst, Info-Tech Research Group
HubSpot Marketing Hub (Starter Package) | HubSpot Marketing Hub (Professional Package) | HubSpot Marketing Hub (Enterprise Package) |
---|---|---|
*Pricing correct as of October 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.
Strengths:
Areas to Improve:
2022 | Maropost acquires Retail Express, leading retail POS software in Australia for $55M (PRWire, 2022). |
2018 | |
2015 | US-based communications organization Success selects Maropost Marketing Cloud for marketing automation use cases (Apps Run The World, 2015). |
2017 | Maropost is on track to become one of Toronto's fastest-growing companies, generating $30M in annual revenue (MarTech Series, 2017). |
2015 | Maropost is ranked as a "High Performer" in the Email Marketing category in a G2 Crowd Grid Report (VentureBeat, 2015). |
Maropost is founded in 2011 as a customer-centric ESP platform. |
Maropost Marketing Cloud – Essential | Maropost | Maropost |
---|---|---|
*Pricing correct as of October 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.
Strengths:
Areas to Improve:
2021 | New advanced intelligence capabilities within Oracle Eloqua Marketing Automation help deliver more targeted and personalized messages (Oracle, Marketing Automation documentation). |
2015 | |
2014 | Oracle announces the launch of the Oracle Marketing Cloud (TechCrunch, 2014). |
2005 | Oracle acquires PeopleSoft, a company that produces human resource management systems, in 2005 for $10.3B (The Economic Times, 2016). |
1982 | Oracle becomes the first company to sell relational database management software (RDBMS). In 1982 it has revenue of $2.5M (Encyclopedia.com). |
Relational Software, Inc (RSI) – later renamed Oracle Corporation – is founded in 1977. |
"Oracle Marketing Cloud offers a comprehensive interwoven and integrated marketing management solution that can help end users launch cross-channel marketing programs and unify all prospect and customer marketing signals within one singular view. Oracle Marketing Cloud ranks consistently high across our SoftwareReviews reports and sustains top scores in overall customer experience rankings at a factor of 9.0. The emotional sentiment of users interacting with Oracle Marketing Cloud is also highly favorable, with Oracle's Emotional Footprint score at +93.
Users should be aware that some of the reporting mechanisms and report-generation capabilities may not be as mature as those of some of its competitors in the MMS space (e.g. Salesforce, Adobe). Data exportability also presents a challenge in Oracle Marketing Cloud and requires a lot of internal tweaking between end users of the system to function properly. Finally, pricing sensitivity may be a concern for small and mid-sized organizations who may find Oracle's higher-tiered pricing plans to be out of reach."
Yaz Palanichamy
Senior Research Analyst, Info-Tech Research Group
Oracle Marketing Cloud pricing is opaque. Request a demo.* |
*Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.
Strengths:
Areas to Improve:
2022 | Salesforce announces sustainability as a core company value (Forbes, 2022). |
2012 | |
2009 | Salesforce launches Service Cloud, bringing customer service and support automation features to the market (TechCrunch, 2009). |
2003 | |
2001 | |
Salesforce is founded in 1999. |
"Salesforce Marketing Cloud is a long-term juggernaut of the marketing management software space and is the subject of many Info-Tech member inquiries. It retains strong composite and customer experience (CX) scores in our SoftwareReviews reports. Some standout features of the platform include marketing analytics, advanced campaign management functionalities, email marketing automation, and customer journey management capabilities. In recent years Salesforce has made great strides in improving the overall user experience by investing in new product functionalities such as the Einstein What-If Analyzer, which helps test how your next email campaign will impact overall customer engagement, triggers personalized campaign messages based on an individual user's behavior, and uses powerful real-time segmentation and sophisticated AI to deliver contextually relevant experiences that inspire customers to act.
On the downside, we commonly see Salesforce's solutions as costlier than competitors' offerings, and its commercial/sales teams tend to be overly aggressive in marketing its solutions without a distinct link to overarching business requirements."
Yaz Palanichamy
Senior Research Analyst, Info-Tech Research Group
Marketing Cloud Basics | Marketing Cloud Pro | Marketing Cloud Corporate | Marketing Cloud Enterprise |
---|---|---|---|
 | | | "Request a Quote" |
*Pricing correct as of October 2022. Listed in USD and absent discounts. See pricing on vendor's website for latest information.
Strengths:
Areas to Improve:
2022 | SAP announces the second cycle of the 2022 SAP Customer Engagement Initiative (SAP Community Blog, 2022). |
2020 | SAP acquires Austrian cloud marketing company Emarsys (TechCrunch, 2020). |
2015 | SAP Digital for Customer Engagement launches in May 2015 (SAP News, 2015). |
2009 | SAP begins branching out into three markets of the future (mobile technology, database technology, and cloud). SAP acquires some of its competitors (e.g. Ariba, SuccessFactors, Business Objects) to quickly establish itself as a key player in those areas (SAP, n.d.). |
1999 | SAP responds to the internet and new economy by launching its mysap.com strategy (SAP, n.d.). |
SAP is founded in 1972. |
"Over the years, SAP has positioned itself as one of the usual suspects across the enterprise applications market. While SAP has a broad range of capabilities within the CRM and customer experience space, it consistently underperforms in many of our user-driven SoftwareReviews reports for MMS and adjacent areas, ranking lower in MMS product feature capabilities such as email marketing automation and advanced campaign management than other mainstream MMS vendors, including Salesforce Marketing Cloud and Adobe Experience Cloud. The SAP Customer Engagement Marketing platform seems decidedly a secondary focus for SAP, behind its more compelling presence across the enterprise resource planning space.
If you are approaching an MMS selection from a greenfield lens and with no legacy vendor baggage for SAP elsewhere, experience suggests that your needs will be better served by a vendor that places greater primacy on the MMS aspect of their portfolio."
Yaz Palanichamy
Senior Research Analyst, Info-Tech Research Group
SAP Customer Engagement Marketing pricing is opaque: |
---|
*Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.
Strengths:
Areas to Improve:
Strengths:
Areas to Improve:
2021 | Zoho announces CRM-Campaigns sync (Zoho Campaigns Community Learning, 2021). |
2020 | Zoho reaches more than 50M customers in January (Zippia, n.d.). |
2017 | Zoho launches Zoho One, a comprehensive suite of 40+ applications (Zoho Blog, 2017). |
2012 | Zoho releases Zoho Campaigns (Business Wire, 2012). |
2007 | Zoho expands into the collaboration space with the release of Zoho Docs and Zoho Meetings (Zoho, n.d.). |
2005 | Zoho CRM is released (Zoho, n.d.). |
Zoho platform is founded in 1996. |
"Zoho maintains a long-running repertoire of end-to-end software solutions for business development purposes. In addition to its flagship CRM product, the company also offers Zoho Campaigns, which is an email marketing software platform that enables contextually driven marketing techniques via dynamic personalization, email interactivity, A/B testing, etc. For organizations that already maintain a deep imprint of Zoho solutions, Zoho Campaigns will be a natural extension to their immediate software environment.
Zoho Campaigns is a great ecosystem play in environments that have a material Zoho footprint. In the absence of an existing Zoho environment, it's prudent to consider other affordable products as well."
Yaz Palanichamy
Senior Research Analyst, Info-Tech Research Group
Free Version | Standard | Professional |
---|---|---|
*Pricing correct as of October 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.
1. Assess
2. Prepare
3. Govern & Course Correct
Download Info-Tech's Governance and Management of Enterprise Software Implementation
Establish and execute an end-to-end, agile framework to succeed with the implementation of a major enterprise application.
Teams must have some type of communication strategy. This can be broken into:
Distributed teams create complexity as communication can break down. This can be mitigated by:
Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:
This selection guide allows organizations to execute a structured methodology for picking an MMS platform that aligns with their needs. This includes:
This formal MMS selection initiative will drive business-IT alignment, identify pivotal sales and marketing automation priorities, and thereby allow for the rollout of a streamlined MMS platform that is highly likely to satisfy all stakeholder needs.
Knowledge Gained
Processes Optimized
Marketing Management
Vendors Analyzed
Select a Marketing Management Suite
Many organizations struggle with taking a systematic approach to selection that pairs functional requirements with specific marketing workflows, and as a result they choose a marketing management suite (MMS) that is not well aligned to their needs, wasting resources and causing end-user frustration.
Customer relationship management (CRM) application portfolios are often messy, with multiple integration points, distributed data, and limited ongoing end-user training. A properly optimized CRM ecosystem will reduce costs and increase productivity.
Customer Relationship Management Platform Selection Guide
Speed up the process to build your business case and select your CRM solution. Despite the importance of CRM selection and implementation, many organizations struggle to define an approach to picking the right vendor and rolling out the solution in an effective and cost-efficient manner.
"16 Biggest Tech Acquisitions in History." The Economic Times, 28 July 2016. Web.
"Adobe Acquires Demdex – Brings Audience Optimization to $109 Billion Global Online Ad Market." Adobe News, 18 Jan 2011. Accessed Nov 2022.
"Adobe Company History Timeline." Zippia, 9 Sept 2022. Accessed Nov 2022.
"Adobe to acquire Magento for $1.68B." TechCrunch, 21 May 2018. Accessed Dec 2022.
Anderson, Meghan Keaney. "HubSpot Launches European Headquarters." HubSpot Company News, 3 Mar 2013.
Arenas-Gaitán, Jorge, et al. "Complexity of Understanding Consumer Behavior from the Marketing Perspective." Journal of Complexity, vol. 2019, 8 Jan 2019. Accessed Sept 2022.
Bureau of Labor Statistics. "Advertising, Promotions, and Marketing Managers." Occupational Outlook Handbook. U.S. Department of Labor, 8 Sept 2022. Accessed 1 Nov 2022.
"Campaigns." Marketing Hub, HubSpot, n.d. Web.
Conklin, Bob. "Adobe report reveals best marketing practices for B2B growth in 2023 and beyond." Adobe Experience Cloud Blog, 23 Sept 2022. Web.
"Consumer Behavior Stats 2021: The Post-Pandemic Shift in Online Shopping Habit." Nosto.com, 7 April 2022. Accessed Oct 2022.
"Data Collection Overview." Experience League, Adobe.com, n.d. Accessed Dec 2022.
Duduskar, Avinash. "Interview with Tony Chen, CEO at Channel Factory." MarTech Series, 16 June 2017. Accessed Nov 2022.
"Enhanced Release of SAP Digital for Customer Engagement Helps Anyone Go Beyond CRM." SAP News, 8 Dec. 2015. Press release.
Fang, Mingyu. "A Deep Dive into Gucci's Metaverse Practice." Medium.com, 27 Feb 2022. Accessed Oct 2022.
Flanagan, Ellie. "HubSpot Launches Marketing Hub Starter to Give Growing Businesses the Tools They Need to Start Marketing Right." HubSpot Company News, 17 July 2018. Web.
Fleishman, Hannah. "HubSpot Announces Pricing of Initial Public Offering." HubSpot Company News, 8 Oct. 2014. Web.
Fluckinger, Don. "Adobe to acquire Workfront for $1.5 billion." TechTarget, 10 Nov 2020. Accessed Nov 2022.
Fluckinger, Don. "Microsoft Dynamics 365 adds customer journey orchestration." TechTarget, 2 March 2021. Accessed Nov 2022.
"Green Marketing: Explore the Strategy of Green Marketing." Marketing Schools, 19 Nov 2020. Accessed Oct 2022.
Ha, Anthony. "Oracle Announces Its Cross-Platform Marketing Cloud." TechCrunch, 30 April 2014. Web.
Heyd, Kathrin. "Partners Welcome – SAP Customer Engagement Initiative 2022-2 is open for your registration(s)!" SAP Community Blog, 21 June 2022. Accessed Nov 2022.
HubSpot. "Our Story." HubSpot, n.d. Web.
Jackson, Felicia. "Salesforce Tackles Net Zero Credibility As It Adds Sustainability As A Fifth Core Value." Forbes, 16 Feb. 2022. Web.
Kolakowski, Nick. "Salesforce CEO Marc Benioff Talks Social Future." Dice, 19 Sept. 2012. Web.
Lardinois, Frederic. "Microsoft's Q4 earnings beat Street with $22.6B in revenue, $0.69 EPS." TechCrunch, 19 July 2016. Web.
Levine, Barry. "G2 Crowd report finds the two email marketing tools with the highest user satisfaction." Venture Beat, 30 July 2015. Accessed Nov 2022.
"Looking Back, Moving Forward: The Evolution of Maropost for Marketing." Maropost Blog, 21 May 2019. Accessed Oct 2022.
Maher, Sarah. "What's new with HubSpot? Inbound 2022 Feature Releases." Six & Flow, 9 July 2022. Accessed Oct 2022.
"Marketing Automation Provider, Salesfusion, Continues to Help Marketers Achieve Their Goals With Enhanced User Interface and Powerful Email Designer Updates." Yahoo Finance, 10 Dec 2013. Accessed Oct 2022.
"Maropost Acquires Retail Express for $55 Million+ as it Continues to Dominate the Global Commerce Space." Maropost Newsroom, PRWire.com, 19 Jan 2022. Accessed Nov 2022.
McDowell, Maghan. "Inside Gucci and Roblox's new virtual world." Vogue Business, 17 May 2021. Web.
Miller, Ron. "Adobe and Microsoft expand partnership with Adobe Experience Manager and Dynamics 365 Integration." TechCrunch, 3 Nov 2017. Accessed Nov 2022.
Miller, Ron. "Adobe to acquire Magento for $1.68B." TechCrunch, 21 May 2018. Accessed Nov 2022.
Miller, Ron. "SAP continues to build out customer experience business with Emarsys acquisition." TechCrunch, 1 Oct. 2020. Web.
Miller, Ron. "SugarCRM moves into marketing automation with Salesfusion acquisition." TechCrunch, 16 May 2019.
Novet, Jordan. "Adobe confirms it's buying Marketo for $4.75 billion." CNBC, 20 Sept 2018. Accessed Dec 2022.
"Oracle Corp." Encyclopedia.com, n.d. Web.
Phillips, James. "April 2019 Release launches with new AI, mixed reality, and 350+ feature updates." Microsoft Dynamics 365 Blog. Microsoft, 2 April 2019. Web.
S., Aravindhan. "Announcing an important update to Zoho CRM-Zoho Campaigns integration." Zoho Campaigns Community Learning, Zoho, 1 Dec. 2021. Web.
Salesforce. "The History of Salesforce." Salesforce, 19 March 2020. Web.
"Salesfusion Integrates With NetSuite CRM to Simplify Sales and Marketing Alignment" GlobeNewswire, 6 May 2016. Accessed Oct 2022. Press release.
"Salesfusion Integrates With NetSuite CRM to Simplify Sales and Marketing Alignment." Marketwired, 6 May 2016. Web.
"Salesfusion is Now Sugar Market: The Customer FAQ." SugarCRM Blog, 31 July 2019. Web.
"Salesfusion's Marketing Automation Platform Drives Awareness and ROI for Education Technology Provider" GlobeNewswire, 25 June 2015. Accessed Nov 2022. Press release.
SAP. "SAP History." SAP, n.d. Web.
"State of Marketing." 5th Edition, Salesforce, 15 Jan 2019. Accessed Oct 2022.
"Success selects Maropost Marketing Cloud for Marketing Automation." Apps Run The World, 10 Jan 2015. Accessed Nov 2022.
"SugarCRM Acquires SaaS Marketing Automation Innovator Salesfusion." SugarCRM, 16 May 2019. Press release.
Sundaram, Vijay. "Introducing Zoho One." Zoho Blog, 25 July 2017. Web.
"The State of MarTech: Is you MarTech stack working for you?" American Marketing Association, 29 Nov 2021. Accessed Oct 2022.
"Top Marketing Automation Statistics for 2022." Oracle, 15 Jan 2022. Accessed Oct 2022.
Trefis Team. "Oracle Energizes Its Marketing Cloud With New Features." Forbes, 7 April 2015. Accessed Oct 2022.
Vivek, Kumar, et al. "Microsoft Dynamics 365 Customer Engagement (on-premises) Help, version 9.x." Learn Dynamics 365, Microsoft, 9 Jan 2023. Web.
"What's new with HubSpot? Inbound 2022 feature releases" Six and Flow, 9 July 2022. Accessed Nov 2022.
Widman, Jeff. "Salesforce.com Launches The Service Cloud,, A Customer Service SaaS Application." TechCrunch, 15 Jan. 2009. Web.
"Zoho History." Zippia, n.d. Web.
"Zoho Launches Zoho Campaigns." Business Wire, 14 Aug. 2012. Press release.
Zoho. "About Us." Zoho, n.d. Web.
Understanding the differences in IaaS platform agreements, purchasing options, associated value, and risks. What are your options for:
IaaS platforms offer similar technical features, but they vary widely on their procurement model. By fully understanding the procurement differences and options, you will be able to purchase wisely, save money both long and short term, and mitigate investment risk.
Most vendors have similar processes and options to buy. Finding a transparent explanation and summary of each platform in a side-by-side review is difficult.
This project will provide several benefits for both IT and the business. It includes:
Learn the IaaS basics, terminologies, purchasing options, licensing requirements, hybrid options, support, and organization requirements through a checklist process.
Review and understand the features, downsides, and differences between the big three players.
Decide on a primary vendor that meets requirements, engage with a reseller, negotiate pricing incentives, migration costs, review, and execute the agreement.
Business process automation (BPA) has gained momentum, especially as pilots result in positive outcomes such as improved customer experience, efficiencies, and cost savings. Stakeholders want to invest more in BPA solutions and scale initial successes across different business and IT functions.
But it’s critical to get it right and not fall into the hype so that the costs don’t outweigh the benefits.
Ultimately, all BPA initiatives should align with a common vision.
Organizations should adopt a methodical approach to growing their BPA, taking cost, talent availability, and goals into account.
This blueprint helps you develop a strategy to justify the scaling and maturing of your business process automation (BPA) practices and capabilities to fulfill your business priorities.
Document your business process automation strategy in the language your stakeholders understand. Tailor this document to fit your BPA objectives and initiatives.
Evaluate the maturity of the key capabilities of your BPA practice to determine its readiness to support complex and scaled BPA solutions.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand the business priorities and your stakeholders' needs that are driving your business process automation initiatives while abiding by the risk and change appetite of your organization.
Translate business priorities to the context of business process automation.
Arrive at a common definition of business value.
Come to an understanding of the needs, concerns, and problems of BPA stakeholders.
Discover organizational risk and change tolerance and appetite.
1.1 Set the Business Context
1.2 Understand Your Stakeholder Needs
1.3 Build Your Risk & Change Profile
Business problem, priorities, and business value definition
Customer and end-user assessment (e.g. personas, customer journey)
Risk and change profile
Set reasonable and achievable expectations for your BPA initiatives and practices, and select the right BPA opportunities to meet these expectations.
Align BPA objectives and metrics to your business priorities.
Create guiding principles that support your organization’s and team’s culture.
Define a vision of your target-state BPA practice
Create a list of BPA opportunities that will help build your practice and meet business priorities.
2.1 Define Your BPA Expectations
2.2 List Your Guiding Principles
2.3 Envision Your BPA Target State
2.4 Build Your Opportunity Backlog
BPA problem statement, objectives, and metrics
BPA guiding principles
Desired scaled BPA target state
Prioritized BPA opportunities
Evaluate the current state of your BPA practice and its readiness to support scaled and complex BPA solutions.
List key capabilities to implement and optimize to meet the target state of your BPA practice.
Brainstorm solutions to address the gaps in your BPA capabilities.
3.1 Assess Your BPA Maturity
BPA maturity assessment
Identify high-priority key initiatives to support your BPA objectives and goals, and establish the starting point of your BPA strategy.
Create an achievable roadmap of BPA initiatives designed to deliver good practices and valuable automations.
Perform a risk assessment of your BPA initiatives and create mitigations for high-priority risks.
Find the starting point in the development of your BPA strategy.
4.1 Roadmap Your BPA Initiatives
4.2 Assess and Mitigate Your Risks
4.3 Complete Your BPA Strategy
List of BPA initiatives and roadmap
BPA initiative risk assessment
Initial draft of your BPA strategy
This storyboard will help you craft a project charter, create an RFP, and outline strategies to build a long-term relationship with the vendor.
These templates will help you determine your service desk requirements and document your proposed service desk outsourcing strategy.
This template will allow you to create a detailed RFP for your outsourcing agreement, document the statement of work, provide service overview, record exit conditions, and document licensing model and estimated pricing.
Use the Reference Interview Template to outline a list of questions for interviewing current/previous customers of your candidate vendors. These interviews will help you with unbiased vendor scoring. The RFP Vendor Scoring Tool will help you facilitate vendor briefings with your list of questions and score candidate vendors efficiently through quantifying evaluations.
Cost reduction has traditionally been an incentive for outsourcing the service desk. This is especially the case for organizations that don't have minimal processes in place and those that need resources and skills to fill gaps.
Although cost reduction is usually the main reason to outsource the service desk, in most cases service desk outsourcing increases the cost in the short run. But without a proper model, you will only outsource your problems rather than solving them. A successful outsourcing strategy follows a comprehensive plan that defines objectives, assigns accountabilities, and sets expectations for service delivery prior to vendor outreach.
For outsourcing the service desk, you should plan ahead, work as a group, define requirements, prepare a strong RFP, and contemplate tension metrics to ensure continual improvement. As you build a project charter to outline your strategy for outsourcing your IT services, ensure you focus on better customer service instead of cost optimization. Ensure that the outsourcer can support your demands, considering your long-term achievement.
Think about outsourcing like a marriage deed. Build a good relationship before beginning the contract, be sure to include expectations in the agreement, and make it possible to exit the agreement if expectations are not satisfied or service improvement is not achieved.
Mahmoud Ramin, PhD
Senior Research Analyst
Infrastructure and Operations
Info-Tech Research Group
In organizations where technical support is viewed as non-strategic, many see outsourcing as a cost-effective way to provide this support. However, outsourcing projects often fall short of their goals in terms of cost savings and quality of support.
Significant administrative work and up-front costs are required to outsource the service desk, and poor planning often results in project failure and a decrease in end-user satisfaction.
A complete turnover of the service desk can result in lost knowledge and control over processes, and organizations without an exit strategy can struggle to bring their service desk back in house and reestablish the confidence of end users.
Outsourcing is easy. Realizing all of the expected cost, quality, and focus benefits is hard. Successful outsourcing without being directly involved in service desk management is almost impossible.
About 68.5% of the service desk fund is allocated to agent salaries, while only 9.3% of the service desk fund is spent on technology (Source: HDI 2017). The high ratio of salaries and expenses over other expenses drives organizations to outsource their service desk without taking other considerations into account.
The outsourcing contract must preserve your control, possession, and ownership of the intellectual property involved in the service desk operation. From the beginning of the process, repatriation should be viewed as a possibility and preserved as a capability.
A benchmark study by Zendesk of 45,000 companies reveals that timely resolution of issues and 24/7 service are the biggest factors in customer service experience.
These factors push many businesses to consider service desk outsourcing to vendors that have capabilities to fulfill such requirements.
Many organizations may not get the value they expect from outsourcing in their first year.
Poor transition planning results in delayed benefits and a poor relationship with your outsourcing service provider. A poor relationship with your service provider results in poor communication and knowledge transfer.
In your service desk outsourcing strategy, rethink downsizing first-level IT service staff. This can be an opportunity to reassign resources to more valuable roles, such as asset management, development or project backlog. Your current service desk staff are most likely familiar with the current technology, processes, and regulations within IT. Consider the ways to better use your existing resources before reducing headcount.
Conduct the activities in the blueprint to pinpoint your current challenges with the service desk and identify your objectives for outsourcing customer service.
You need to be clear about the processes that will be outsourced. Considering your objectives, we'll help you discover the processes to outsource, to help you achieve your goals.
Your expectations should be documented in a formal proposal to help vendors provide solid information about how they will satisfy your requirements and what their plan is.
Make sure to plan for continual improvement by setting expectations, tracking the services with proper metrics, and using efficient communication with the provider. Plan for a rainy day and include exit conditions for ending the relationship if needed.
 | 1. Define the Goal | 2. Design an Outsourcing Strategy | 3. Develop an RFP and Make a Long-Term Relationship |
---|---|---|---|
Phase Steps | 1.1 Identify goals and objectives; 1.2 Assess outsourcing feasibility | 2.1 Identify project stakeholders; 2.2 Outline potential risks and constraints | 3.1 Prepare service overview and responsibility matrix; 3.2 Define approach to vendor relationship management; 3.3 Manage the outsource relationship |
Phase Outcomes | Service Desk Outsourcing Vision and Goals; Service Desk Processes to Outsource | Outsourcing Roles and Responsibilities; Outsourcing Risks and Constraints; Service Desk Outsourcing Project Charter | Service Desk Outsourcing RFP; Continual Improvement Plan; Exit Strategy |
Define outsourcing requirements
You don't need to standardize before you outsource, but you still need to conduct your due diligence. If you outsource without thinking about how you want the future to work, you will likely be unsatisfied with the result.
Don't focus on cost
If cost is your only driver for outsourcing, understand that there will be other challenges. Customer service quality will likely be less, and your outsourcer may not add on frills such as Continual Improvement. Be careful that your specialists don't end up spending more time working on incidents and service requests.
Emphasize customer service
A bad outsourcer relationship will result in low business satisfaction with IT overall. The service desk is the face of IT, and if users are dissatisfied with the service desk, then they are much likelier to be dissatisfied with IT overall.
Vendors are not magicians
They have standards in place to help them succeed. Determine ITSM best practices, define your requirements, and adjust process workflows accordingly. Your staff and end users will have a much easier transition once outsourcing proceeds.
Plan ahead to guarantee success
Identify outsourcing goals, plan for service and system integrations, document standard incidents and requests, and track tension metrics to make sure the vendor does the work efficiently. Aim for building a long-term relationship but contemplate a potential exit strategy.
Service Desk Outsourcing Requirements Database Library: Use this library to guide you through processes to outsource.
Service Desk Outsourcing RFP Template: Use this template to craft a proposal for outsourcing your service desk.
Service Desk Outsourcing Reference Interview Template: Use this template to verify vendor claims on service delivery with previous or current customers.
Service Desk Outsourcing Vendor Proposal Scoring Tool: Use this tool to evaluate RFP submissions.
Key deliverable:
Service Desk Outsourcing Project Charter: Document your project scope and outsourcing strategy in this template to organize the project for efficient resource and requirement allocation.
IT Benefits | Business Benefits |
---|---|
|
|
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
Call #1: Scope your specific challenges and objectives | Call #3: Identify project stakeholders, and potential risks and constraints | Call #5: Create a detailed RFP |
Call #2: Assess outsourcing feasibility and processes to outsource | Call #4: Create a list of metrics to ensure efficient reporting | Call #6: Identify strategy risks. |
 | | Call #7: Prepare for vendor briefing and scoring each vendor |
 | | Call #8: Build a communication plan |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 and 10 calls over the course of 4 to 6 months.
Define the goal | Design an outsourcing strategy | Develop an RFP and make a long-term relationship |
---|---|---|
1.1 Identify goals and objectives; 1.2 Assess outsourcing feasibility | 2.1 Identify project stakeholders; 2.2 Outline potential risks and constraints | 3.1 Prepare a service overview and responsibility matrix; 3.2 Define your approach to vendor relationship management; 3.3 Manage the outsource relationship |
1.1.1 Find out why you want to outsource your service desk
1.1.2 Document the benefits of outsourcing your service desk
1.1.3 Identify your outsourcing vision and goals
1.1.4 Prioritize service desk outsourcing goals to help structure your mission statement
1.1.5 Craft a mission statement that demonstrates your decision to reach your outsourcing objectives
The service desk is the face of IT. Service desk improvement increases IT efficiency, lowers operation costs, and enhances business satisfaction.
Common challenges that result in deciding to outsource the service desk are:
Participants: IT Director, Service Desk Manager, Service Desk Team
Challenge | Example |
---|---|
Lack of tier 1 support | Startup does not have a dedicated service desk to handle incidents and provide services to end users. |
Inefficient ticket handling | MTTR is very high and end users are frustrated with their issues not getting solved quickly. Even if they call the service desk, they are put on hold for a long time. Due to these inefficiencies, their daily work is greatly impacted. |
Restricted service hours | Company headquartered in Texas does not have resources to provide 24/7 IT service. When users in the East Asia branch have a laptop issue, they must wait until the next day to get a response from IT. This has diminished their satisfaction. |
Restricted languages | Company X is headquartered in New York. An end user not fluent in English from Madrid calls in for support. It takes five minutes for the agent to understand the issue and log a ticket. |
Ticket backlog | IT is in firefighting mode, very busy with taking care of critical incidents and requests from upper management. Almost no one is committed to the SLA because of their limited availability. |
Brainstorm your challenges with the service desk. Why have you decided to outsource your service desk? Use the above table as a sample.
Download the Project Charter Template
When you outsource, the vendor's staff tend to gradually become less effective as:
You must actively manage the vendor to identify and resolve these issues. Many organizations find that service desk management takes more time after they outsource.
You need to keep spending on service desk management, and you may not get away from technology infrastructure spending.
In their first year, almost 42% of Info-Tech's clients do not get the real value of outsourcing services as expected. This is primarily because of misalignment of organizational goals with outcomes of the outsourced services.
 | Expected Costs | Unexpected Costs | Example |
---|---|---|---|
Transition Costs | Severance and staff retention | | |
Fees | Price of the engagement | | |
Management Costs | Time directing account | | |
Rework Costs | Downtime, defect rate, etc. (quality metrics measured in SLAs) | | |
Costs related to transitioning into the engagement | Adapting to standards and training costs |
---|---|
Adapting to standards: Define the process improvements you will need to work with each potential vendor. Training costs for vendor staff: Reduce training costs by keeping the same vendor staff on all of your projects. | |
Fee-related costs | Fees for additional services (that you thought were included) |
Carefully review each proposed statement of work to identify and reduce extra fees. Understand why extra fees occur in the SLA, the contract, and the proposed statement of work, and take steps to protect yourself and the vendor. | |
Management-related costs | Direct management of vendor staff and dispute resolution |
Direct management of vendor staff: Avoid excessive management costs by defining a two-tier management structure on both sides of the engagement. Time spent resolving disputes: Avoid prolonged resolution costs by defining terms of divorce for the engagement up front. | |
Rework costs | Unanticipated requirements and integration with existing systems |
Unanticipated requirements: Use a two-stage process to define requirements, starting with business people and then with review by technical staff. Integration with existing systems: Obtain a commitment from vendors that deliverables will conform to standards at points of integration with your systems. |
A clear vision of strategic objectives prior to entering an outsourcing agreement will allow you to clearly communicate these objectives to the Managed Service Provider (MSP) and use them as a contracted basis for the relationship.
"People often don't have a clear direction around what they're trying to accomplish. The strategic goals should be documented. Is this a cost-savings exercise? Is it because you're deficient in one area? Is it because you don't have the tools or expertise to run the service desk yourself? Figure out what problem you're trying to solve by outsourcing, then build your strategy around that."
– Jeremy Gagne, Application Support Delivery Manager, Allegis Group
Use your goals and objectives as a management tool. Clearly outline your desired project outcomes to both your in-house team and the vendor during implementation and monitoring. It will allow a common ground to unite both parties as the project progresses.
Desired outcome | Pitfalls to overcome |
---|---|
IT can focus on core competencies and strategic initiatives rather than break-fix tasks. | Escalation to second- and third-level support usually increases when the first level has been outsourced. Outsourcers will have less experience with your typical incidents and will give up on trying to solve some issues more quickly than your internal level-one staff. |
Low outsourcing costs compared to the costs needed to employ internal employees in the same role. | Due to lack of incentive to decrease ticket volume, costs are likely to increase. As a result, organizations often find themselves paying more overall for an outsourced service desk than if they had a few dedicated IT service desk employees in-house. |
Improved employee morale as a result of being able to focus on more interesting tasks. | Management often expects existing employee morale to increase as a result of shifting their focus to core and strategic tasks, but the fear of diminished job security often spreads to the remaining non-level-one employees. |
ID | Goal Description | KPI | Impacted Stakeholders | Checkpoint Schedule |
---|---|---|---|---|
1 | Provide capacity to take calls outside of current service desk work hours | | | |
2 | Take calls in different languages | | | |
3 | Provide field support at remote sites with no IT presence without having to fly out an employee | | | |
4 | Improve ease of management by vendor helping with managing and optimizing service desk tasks | | | |
The size, complexity, and maturity of your organization are good indicators of service desk direction with regards to outsourcing.
Although less adherence to service desk best practices can be one of the main incentives to outsourcing the service desk, IT should have minimal processes in place to be able to set expectations with target vendors.
The evaluation process for outsourcing the service desk should be done very carefully. Project leaders should make sure the transition period does not cause panic among internal resources or impact their performance.
If the outsourcing process is rushed, it will result in poor evaluation, inefficient decision making, and project failure.
Participants: IT Director, Service Desk Manager
The IT mission statement specifies the function's purpose or reason for being. The mission should guide each day's activities and decisions. The mission statement should use simple and concise terminology and speak loudly and clearly, generating enthusiasm for the organization.
1.2.1 Create a baseline of customer experience
1.2.2 Identify service desk processes to outsource
1.2.3 Design an outsourcing decision matrix for service desk processes and services
1.2.4 Discuss if you need to outsource only service desk or if additional services would benefit from outsourcing too
A decrease in business and end-user satisfaction is a big driver for outsourcing the service desk. Conduct a customer service survey to discover your end-user experience prior to and after outsourcing the service desk.
First-time outsourcers often assume they are transferring most of the operations over to the vendor, but this is often not the case.
Whether managing in-house or outsourcing, it is your job to ensure core issues have been clarified, processes defined, and standards maintained. If your processes are ad-hoc or non-existent right now, outsourcing won't fix them.
You must have the following in place before looking to outsource:
If you expect your problems to disappear with outsourcing, they might just get worse.
Don't select a vendor for what your company is today – select a vendor for what your company will be years from now. Define your future service desk requirements in addition to your current requirements and leave room for growth and development.
"You can't outsource management; you can only outsource supervision."
– Barry Cousins, Practice Lead, Info-Tech Research Group
What can the vendor be in charge of? | What stays in-house? |
---|---|
 | |
The need for a Service Desk Manager does not go away when you outsource. In fact, the need becomes even stronger and never diminishes.
Every effective service desk has a clear definition of the services that they are performing for the end user. You can't provide a service without knowing what the services are.
MSPs typically have their own set of standards and processes in play. If your service desk is not at a similar level of maturity, outsourcing will not be pleasant.
Make sure that your metrics are reported consistently and that they tell a story.
"Establish baseline before outsourcing. Those organizations that don't have enough service desk maturity before outsourcing should work with the outsourcer to establish the baseline."
– Yev Khobrenkov, Enterprise Consultant, Solvera Solutions
Outsourcing vendors are not service desk builders; they're service desk refiners. Switching to a vendor won't improve your maturity; you must have a certain degree of process maturity and standardization before moving.
INDUSTRY: Cleaning Supplies
SOURCE: PicNet
Review your prioritized project goals from activity 1.1.4.
Brainstorm requirements and use cases for each goal and describe each use case. For example: To improve service desk timeliness, IT should improve incident management, to resolve incidents according to the defined SLA and based on ticket priority levels.
Discuss if you're outsourcing just incident management or both incident management and request fulfillment. If both, determine what level of service requests will be outsourced. Will you ask the vendor to provide a service catalog? Will you outsource self-serve and automation?
Document your findings in the service desk outsourcing requirements database library.
Download the Requirements Database Library
Participants: IT Director, Service Desk Manager, Infrastructure Manager
Most successful service desk outsourcing engagements have a primary goal of freeing up their internal resources to work on complex tasks and projects. The key outsourcing success factor is to identify internal services and processes that are standardized or should be standardized, and then determine if they can be outsourced.
For information on better knowledge management, refer to Info-Tech's blueprint Optimize the Service Desk With a Shift-Left Strategy.
SIAM Layers. Source: SIAM Foundation BoK
SIAM reduces service duplication and improves service delivery via managing internal and external service providers.
To utilize the SIAM model, determine the following components:
To learn more about adopting SIAM, visit Scopism.
Problem management is a group effort. Make sure the outsourcer supports your internal team with sufficient and efficient data to conduct better problem management.
Clearly state your organization's expectations for enabling problem management. MSPs may not necessarily need, and cannot do, problem management; however, they should provide metrics to help you discover trends, define recurring issues, and enable root cause analysis.
For more information on problem management, refer to Info-Tech's blueprint Improve Incident and Problem Management.
INTAKE: Ticket data from incident management is needed for incident matching to identify problems. Critical Incidents are also a main input to problem management.
INTAKE: SMEs and operations teams monitoring system health events can identify indicators of potential future issues before they become incidents.
ACTION: Problem tickets require investigation from relevant SMEs across different IT teams to identify potential solutions or workarounds.
OUTPUT: Problem resolution may need to go through Change Management for proper authorization and risk management.
Your MSP tracks ticket volume by platform.
There are 100 network tickets/month, 200 systems tickets/month, and 5,000 end-user tickets/month.
Tracking these numbers is a good start, but the real value is in the analysis. Why are there 5,000 end-user tickets? What are the trends?
Your MSP should be providing a monthly root-cause analysis to help improve service quality.
Define the goal | Design an outsourcing strategy | Develop an RFP and make a long-term relationship |
---|---|---|
1.1 Identify goals and objectives 1.2 Assess outsourcing feasibility | 2.1 Identify project stakeholders 2.2 Outline potential risks and constraints | 3.1 Prepare a service overview and responsibility matrix 3.2 Define your approach to vendor relationship management 3.3 Manage the outsource relationship |
2.1.1 Identify internal outsourcing roles and responsibilities
An outsourcing strategy is crucial to the success of an outsourcing project. By taking the time to think through your strategy beforehand, you will have a clear idea of your desired outcomes. This will improve the quality of your RFP and result in a much easier negotiation process.
Most MSPs are prepared to offer a standard proposal to clients who do not know what they want. These are agreements that are doomed to fail. A clearly defined set of goals (discussed in Phase 1), risks, and KPIs and metrics (covered in this phase) makes the agreement more beneficial for both parties in the long run.
"You should fill the gap before outsourcing. You should make sure how to measure tickets, how to categorize, and what the cost of outsourcing will be. Then you'll be able to outsource the execution of the service. Start your own processes and then outsource their execution."
– Kris Krishan, Head of IT and business systems, Waymo
INDUSTRY: Digital Media
SOURCE: Auxis
A Canadian multi-business company with over 13,000 employees would like to maintain a growing volume of digital content with their endpoint management.
The client operated a tiered model service desk. Tier 1 was outsourced, and tier 2 tasks were done internally, for more complex tasks and projects.
As a result of poor planning and defining goals, the company had issues with:
The company structured a strategy for outsourcing service desk and defined their expectations and requirements.
They engaged with another outsourcer that would fulfill their requirements as planned.
With the help of the outsourcer's consulting team, the client was able to define the gaps in their existing processes and system to:
The proactive planning led to:
Outsourcing is a complete top-to-bottom process that involves multiple levels of engagement:
The service desk doesn't operate in isolation. The service desk interfaces with many other parts of the organization (such as finance, purchasing, field support, etc.), so it's important to ensure you engage stakeholders from other departments as well. If you only engage the service desk staff in your discussions around outsourcing strategy and RFP development, you may miss requirements that will come up when it's too late.
Download the Project Charter Template
2.2.1 Identify potential risks and constraints that may impact achievement of objectives
2.2.2 Arrange groups of tension metrics to balance your reporting
Define your constraints to outsourcing the service desk.
Consider all types of constraints and opportunities, including:
Within the scope of a sourcing decision, define your needs and objectives, measure those as much as possible, and compare them with the "as-is" situation.
Start determining what alternative approaches/scenarios the organization could use to fill the gaps. Start a comparison of scenarios against drivers, goals, and risks.
Constraints | Goals and objectives |
---|---|
Analyze the risks associated with a specific scenario. This analysis should identify and understand the most common sourcing and vendor risks using a risk-reward analysis for selected scenarios. Use tools and guidelines to assess and manage vendor risk and tailor risk evaluation criteria to the types of vendors and products.
Plan for the worst to prevent it from happening. Evaluating risk should cover a wide variety of scenarios including the worst possible cases. This type of thinking will be crucial when developing your exit strategy in a later exercise.
Risk Description | Probability (H/M/L) | Impact (H/M/L) | Planned Mitigation |
---|---|---|---|
Lack of documentation | M | M | Use cloud-based solution to share documents. |
Knowledge transfer | L | M | Detailed knowledge-sharing agreement in place in the RFP. |
Processes not followed | L | H | Clear outline and definition of current processes. |
Download the Project Charter Template
Define the tiers and/or services that will be the responsibility of the MSP, as well as escalations and workflows across tiers. A sample outsourced structure is displayed here:
External Vendor | Tickets beyond the scope of the service desk staff need to be escalated back to the vendor responsible for the affected system. |
---|---|
Tier 3 | Tickets that are focused on custom applications and require specialized or advanced support are escalated back to your organization's second- and third-level support teams. |
Tier 2 | The vendor is often able to provide specialized support for standard applications. However, the desktop support still needs someone onsite as that service is very expensive to outsource. |
Tier 1 | Service desk outsource vendors provide first-line response. This includes answering the phones, troubleshooting simple problems, and redirecting requests that are more complex. |
If you outsource everything, you'll be at the mercy of consultancy or professional services shops later on. You won't have anyone in-house to help you deploy anything; you're at the mercy of a consultant to come in and tell you what to do and how much to spend. Keep your highly skilled people in-house to offset what you'd have to pay for consultancy. If you need to repatriate your service desk later on, you will need skills in-house to do so.
"Good" metric results may simply indicate proficient reactive fixing; long-term thinking involves implementing proactive, balanced solutions.
KPIs demonstrate that you are running an effective service desk because:
While these results may appear great on the surface, metrics don't tell the whole story.
First-Contact Resolution (FCR) Rate | Percentage of tickets resolved during first contact with user (e.g. before they hang up or within an hour of submitting ticket). Could be measured as first-contact, first-tier, or first-day resolution. |
---|---|
End-User Satisfaction | Perceived value of the service desk measured by a robust annual satisfaction survey of end users and/or transactional satisfaction surveys sent with a percentage of tickets. |
Ticket Volume and Cost Per Ticket | Monthly operating expenses divided by average ticket volume per month. Report ticket volume by department or ticket category, and look at trends for context. |
Average Time to Resolve (incidents) or Fulfill (service requests) | Time elapsed from when a ticket is "open" to "resolved." Distinguish between ticket resolution vs. closure, and measure time for incidents and service requests separately. |
Tension metrics help create a balance by preventing teams from focusing on a single element.
For example, an MSP built incentives around ticket volume for their staff, but not the quality of tickets. As a result, the MSP staff rushed through tickets and gamed the system while service quality suffered.
Use metrics to establish baselines and benchmarking data:
"We had an average talk time of 15 minutes per call and I wanted to ensure they could handle those calls in 15 minutes. But the behavior was opposite, [the vendor] would wrap up the call, transfer prematurely, or tell the client they'd call them back. Service levels drive behavior so make sure they are aligned with your strategic goals with no unintended consequences."
– IT Services Manager, Banking
Make sure your metrics work cooperatively. Metrics should be chosen that cause tension on one another. It's not enough to rely on a fast service desk that doesn't have a high end-user satisfaction rate or runs at too high a cost; there needs to be balance.
Download the Project Charter Template
This phase will walk you through the following activities:
This phase involves the following participants:
3.1.1 Evaluate your technology, people, and process requirements
3.1.2 Outline which party will be responsible for which service desk processes
The RFP must cover business needs and the more detailed service desk functions required. Many enterprises only consider the functionality they need, while ignoring operational and selection requirements.
Negotiate a supply agreement with the preferred outsourcer for delivery of the required services. Ensure your RFP covers:
In addition to defining your standard requirements, don't forget to take into consideration the following factors when developing your RFP:
Although it may be tempting, don't throw everything over the wall at your vendor in the RFP. Evaluate your service desk functions in terms of quality, cost effectiveness, and the value provided from the vendor. Organizations should only outsource functions that the vendor can operate better, faster, or cheaper.
Involve the right stakeholders in developing your RFP, not just service desk. If only service desk is involved in RFP discussion, the connection between tier 1 and specialists will be broken, as some processes are not considered from IT's point of view.
Benefits of operating within your own ITSM while outsourcing the service desk: | Disadvantages of using your own ITSM while outsourcing the service desk: |
---|---|
Defining your tool requirements can be a great opportunity to get the tool functionality you always wanted. Many MSPs offer enterprise-level ITSM tools and highly mature processes that may tempt you to operate within their ITSM environment. However, first define your goals for such a move, as well as the pros and cons of operating in their service management tool, to determine whether the benefits outweigh the drawbacks.
Lone Star College learned that it's important to select a vendor whose tool will work with your service desk
INDUSTRY: Education
SOURCE: ServiceNow
Lone Star College has an end-user base of over 100,000 staff and students.
The college has six campuses across the state of Texas, and each campus was using its own service desk and ITSM solution.
Initially, the decision was to implement a single ITSM solution, but organizational complexity prevented that initiative from succeeding.
A decision was made to outsource and consolidate the service desks of each of the campuses to provide more uniform service to end users.
Lone Star College selected a vendor that implemented FrontRange.
Unfortunately, the tool was not the right fit for Lone Star's service and reporting needs.
After some discussion, the outsourcing vendor made the switch to ServiceNow.
Some time later, a hybrid outsourced model was implemented, with Lone Star and the vendor combining to provide 24/7 support.
The consolidated, standardized approach used by Lone Star College and its vendor has created numerous benefits:
Lone Star outsourced in order to consolidate its service desks quickly, but the tools didn't quite match.
It's important to choose a tool that works well with your vendor's, otherwise the same standardization issues can persist.
Your RFP should be worded in a way that helps you understand what your vendor's standard offerings are because that's what they're most capable of delivering. Rather than laying out all your requirements in a high level of detail, carefully craft your questions in a probing way. Then, understand what your current baseline is, what your target requirements are, and assess the gap.
It is common to receive responses that are very different – RFPs don't provide a response framework. Comparing vastly different responses can be like comparing apples to oranges. Not only are they immensely time consuming to score, their scores also don't end up accurately reflecting the provider's capabilities or suitability as a vendor.
Your RFP should not be hundreds of pages long. If it is, there is too much detail.
Providing too much detail can box in and overly limit the responses you receive. It can deter potentially suitable provider candidates from sending a proposal.
"From bitter experience, if you're too descriptive, you box yourself in. If you're not descriptive enough, you'll be inundated with questions or end up with too few bidders. We needed to find the best way to get the message across without putting too much detail around it."
– Procurement Manager, Utilities
The main point of focus in this document is defining your requirements (discussed in Phase 1) and developing proposal preparation instructions. The rest of the RFP consists mostly of standard legal language. Review the rest of the RFP template and adapt the language to suit your organization's standards. Check with your legal departments to make sure the RFP adheres to company policies.
Download the Service Desk Outsourcing RFP Template
With end users becoming more and more tech savvy, organizational intelligence is becoming an increasingly important aspect of IT support. Modern employees are able and willing to troubleshoot on their own before calling into the service desk. The knowledgebase and FAQs largely facilitate self-serve troubleshooting, and neither is a core concern for the outsource vendor.
Why would the vendor help you empower end users and decrease ticket volume when it will lead to less revenue in the future? Ticket avoidance is not simply about saving money by removing support. It's about the end-user community developing organizational intelligence so that it doesn't need as much technical support.
Organizational intelligence occurs when shared knowledge and insight is used to make faster, better decisions.
When you outsource, the flow of technical insight to your end-user community slows down or stops altogether unless you proactively drive it. Retain ownership of the knowledgebase and ensure that the content is:
Include knowledge management process in your ticket handling workflows to make sure knowledge is transferred to the MSP and end users. For more information on knowledge management, refer to Info-Tech's Standardize the Service Desk and Optimize the Service Desk With a Shift-Left Strategy blueprints.
Nowadays, outsourcers provide innovative services such as self-serve options. However, bear in mind that the quality of such services is a differentiating factor. A well-maintained portal makes it easy to:
In the outsourcing process, determine your expectations from your vendor on self-serve options and discuss how they will fulfill these requirements. Similar to other processes, work internally to define a list of services your organization is providing that you can pass over to the outsourcer to convert to a service catalog.
Use Info-Tech's Sample Enterprise Services document to start determining your business's services.
Provide your MSP with access rights that enable the service desk to perform account management without granting more access than it needs. This way you can move tickets to the outsourcer while you keep ownership and supervision.
This activity is an expansion of the outcomes of activity 1.2.1, where you determined the outsourcing requirements and the party to deliver each requirement.
Download the Service Desk Outsourcing RFP Template
3.2.1 Define your SLA requirements
3.2.2 Score each vendor to mitigate the risk of failure
3.2.3 Score RFP responses
3.2.4 Get referrals, conduct reference interviews and evaluate responses for each vendor
The most common mistake in vendor evaluation is moving too quickly. The process leading to an RFP evaluation can be exhausting, and many organizations simply want to be done with the whole process and begin outsourcing.
Vendors often include certain conditions in their proposals that masquerade as appealing but may spell disaster. Watch for these red flags:
Vendor sales and marketing people know just what to say to sway you: don't talk to them until you know what you're looking for.
Do you prefer global or local data centers? Do you need multiple locations for redundancy in case of disaster? Will language barriers be a concern?
Ensure you can terminate a poor arrangement by having shorter terms with optional renewals. It's better to renew and renegotiate if one side is losing in the deal in order to keep things fair. Don't assume that proposed long-term cost savings will provide a satisfactory service.
Vendors are aiming at different business segments, from startups to large enterprises. Some will accept existing virtual machines, and others enforce compliance to appeal to government and health agencies.
A robust SLA strengthens a vendor's reliability and accountability. Agencies with special needs should have room in negotiations for customization. Providers should also account for regular SLA reviews and updates. Vendors should be tracking call volume and making projections that should translate directly to SLAs.
Even if you don't need a vendor with 24/7 availability, vendors who cannot support this timing should be eliminated. You may want to upgrade later and will want to avoid the hassle of switching.
Vendors must have the willingness and ability to improve processes and efficiencies over time. Maintaining the status-quo isn't acceptable in the constantly evolving IT world.
Consider which model makes the most sense: will you go with per call or per user pricing? Which model will generate vendor motivation to continually improve and meet your long-term goals? Watch out for variable pricing models.
SLAs define the performance of the service desk and clarify what the provider and customer can expect in their outsourcing relationship.
Each MSP's RFP response will help you understand their basic SLA terms and enhanced service offerings. You need to understand the MSP's basic SLA terms to make sure they are adequate for your requirements. A well-negotiated SLA will balance the requirements of the customer and limit the liability of the provider in a win/win scenario.
For more information on defining service level requirements, refer to Info-Tech's blueprint Reduce Risk With Rock-Solid Service-Level Agreements.
Use the sample table as a starting point to determine your current incident management SLA:
Participants: IT Managers, Service Desk Manager, Project Team
Severity | Priority | Response SLO | Resolution SLO | Escalation Time (T1) |
---|---|---|---|---|
Severity 1 | Critical | Within 10 minutes | 4 hours to resolve | Immediate |
Severity 2 | High | Within 1 business hour | 8 business hours to resolve | 20 minutes |
Severity 3 | Medium | Within 4 business hours | 24 business hours to resolve | After 20 minutes without progress |
Severity 4 | Low | Same day (8 hours) | 72 business hours to resolve | After 1 hour without progress |

SLO Response: Time it takes for service desk to respond to service request or incident. Target response is 80% of SLO.
SLO Resolution: Time it takes to resolve incident and return business services to normal. Target resolution is 80% of SLO.
Download the Service Desk Outsourcing RFP Template
Use section 5 of Info-Tech's Service Desk Outsourcing RFP Template for commonly used questions and requirements for outsourcing the service desk. Ask the right questions to secure an agreement that meets your needs. If you are already in a contract with an MSP, take the opportunity of contract renewal to improve the contract and service.
Download the Service Desk Outsourcing RFP Template
Add your finalized assessment questions into Info-Tech's Service Desk Outsourcing RFP Scoring Tool to aggregate responses in one repository for comparison. Since the vendors are asked to respond in a standard format, it is easier to bring together all the responses to create a complete view of your options.
Download the Service Desk Vendor Proposal Scoring Tool
Include the right requirements for your organization and analyze candidate vendors on their capability to satisfy them.
Download the Service Desk Outsourcing RFP Template
Download the Service Desk Vendor Proposal Scoring Tool
Research different pricing models and accurately assess which model fits your organization. Consider the following pricing models:
In this model, a flat rate is allocated to agents tackling your service desk tickets. This is a good option for building a long-term relationship with the outsourcer's agents and for efficient knowledge transfer to the external team; however, it's not ideal for small organizations that deal with few tickets. This is potentially an expensive model for small teams.
This model considers the number of tickets handled by the outsourcer. This model is ideal if you only want to pay for what you require. However, the internal team needs a close monitoring strategy to verify the outsourcer's efficiency in ticket resolution.
This is based on outbound and inbound calls. This model suits call centers and can be less expensive than the other models; however, tracking is not easy, as you should ensure service desk calls result in efficient resolution rather than unnecessary follow-up.
The time spent on tickets is considered in this model. With this model, you pay for the work done by agents, so it may be a good and relatively cheap option. However, because the organization usually sets an SLA for quicker resolution, customer satisfaction may drop as agents are driven toward faster resolution, not necessarily quality of work.
This model is based on the number of all users, or the number of users for particular applications. In this model, the correlation between number of users and number of tickets should be taken into account. This is an ideal model if you want to deal with the impact of staffing changes on service price. However, you should first track metrics such as mean time to resolve and average number of tickets so you can prevent unnecessary payment based on number of users when most users are not submitting tickets.
3.3.1 Analyze your outsourced service desk for continual improvement
3.3.2 Make a case to either rehabilitate your outsourcing agreement or exit
3.3.3 Develop an exit strategy in case you need to end your contract early
Key Activity:
Measure performance levels with an agreed upon standard scorecard.
Key Activity:
Periodical assessment of the vendors to ensure they are meeting compliance standards.
Key Activity:
Manage the contracts and renewal dates, the level of demand for the services/products provided, and the costs accrued.
Key Activity:
Develop a plan with procurement and key internal stakeholders to define clear, consistent, and stable requirements.
Key Activity:
Develop a consistent and effective process for selecting the most appropriate vendor.
Key Activity:
Contracts are consistently negotiated to ensure the vendor and the client have a documented and consistent understanding of mutual expectations.
You need this level of visibility into the service desk process, whether in-house or outsourced
Each of these steps requires documentation – either through standard operating procedures, SLAs, logs, or workflow diagrams.
"Make sure what they've presented to you is exactly what's happening."
– Service Desk Manager, Financial Services
Designate a relationship manager to act as a liaison at the business to be a conduit between the business and the MSP.
"When my company decided to outsource, I performed the same role but for a different company. There was a huge disruption to the business flow and a lack of communication to manage the change. The transition took weeks before any end users figured out what the new processes were for submitting a ticket and who to ask for help, and from a personal side, it became difficult to maintain relationships with colleagues."
– IT Specialist for a financial institution
Educate the enterprise on expectations and processes that are handled by the MSP. Identify stakeholder groups affected by the outsourced processes, then build a communication plan on what's been changed, what the benefits are, and how they will be impacted. Determine a timeline for communicating these initiatives and how these announcements will be made. Use Info-Tech's Sample Communication Plan as a starting point.
Build a feedback program for your outsourced services. Utilize transactional surveys to discover outsourcing successes and communicate them to the impacted stakeholders.
Ensure you apply steps for providing feedback to make sure processes are handled as expected. Service desk is the face of IT. Customer satisfaction on ticket transactions reflects satisfaction with IT and the organization.
Build customer satisfaction surveys and conduct them for every transaction to get a better sense of outsourced service desk functionality. Collaborate with the vendor to make sure you build a proper strategy.
Download the Project Charter Template
MSPs often offer clients credit requests (service credits) for their service failures, which are applied to the previous month's monthly recurring charge (MRC). They are applied to the last month's MRC at the end of term, and then the vendor pays out the residual.
However, while common, service credits are not always perceived to be a strong incentive for the provider to continually focus on improvement of mean-time-to-respond/mean-time-to-resolve.
An efficient outsourced service desk has a positive impact on business satisfaction. To address the true value of the services outsourced, you should evaluate the return on investment (ROI) in these areas: emotional ROI, time ROI, and financial ROI.
The service desk's main purpose should be to provide top-notch services to end users. Build a customer experience program and leverage transactional surveys and relationship surveys to constantly analyze customer feedback on service quality.
Ask yourself:
Besides customer satisfaction, SLA commitment is a big factor to consider when conducting ROI analysis.
Ask these questions:
As already mentioned in Phase 1, the main motivation for outsourcing the service desk should not be around cost reduction, but to improve performance. Regardless, it's still important to understand the financial implications of your decision.
To evaluate the financial impact of your outsourced service desk, ask these questions:
For more information on conducting this activity, refer to Info-Tech's blueprint Terminate the IT Infrastructure Outsourcing Relationship.
The end of outsourcing is difficult. Your organization needs to maintain continuity of service during the transition. Your MSP needs to ensure that its resources can be effectively transitioned to the next deployment with minimal downtime. It is crucial to define your exit conditions so that both sides can prepare accordingly.
If things start going south with your MSP, negotiate a "get well plan." Outline your problems to the MSP and have them come back to you with a list of how they're going to fix these problems to get well before you move forward with the contract.
You may consider terminating your outsourcing agreement if you are dissatisfied with the current agreement or there has been a change in circumstances (either the vendor has changed, or your organization has changed).
Diagnose the cause of the problem before assuming it's the MSP's fault. The issue may lie with poorly defined requirements and processes, lack of communication, poor vendor management, or inappropriate SLAs. Re-assess your strategy and re-negotiate your contract if necessary.
There are many reasons why outsourcing relationships fail, but it's not always the vendor's fault.
Clients often think their MSP isn't doing a great job, but a lot of the time the reason comes back to the client. They may not have provided sufficient documentation on processes, were not communicating well, didn't have a regular point of contact, and weren't doing regular service reviews. Before exiting the relationship, evaluate why it's not working and try to fix things first.
Plan out your transition timeline, taking into account current contract terms and key steps required. Be prepared to handle tickets immediately upon giving notice.
Develop a transition plan about six months before the contract notice date. Be proactive by constantly tracking the MSP, running ROI analyses and training staff before moving the services to the internal team or the next MSP. This will help you manage the transition smoothly and handle intake channels so that upon potential exit, users won't be disrupted.
Your exit strategy should encompass both the conditions under which you would need to end your contract with the MSP and the next steps you will take to transition your services.
Download the Service Desk Outsourcing RFP Template
You have now re-envisioned your service desk by building a solid strategy for outsourcing it to a vendor. You first analyzed your challenges with the current service desk and evaluated the benefits of outsourcing services. Then you went through requirements assessment to find out which processes should be outsourced. Thereafter, you developed an RFP to communicate your proposal and evaluate the best candidates.
You have also developed a continual improvement plan to ensure the outsourcer provides services according to your expectations. Through this plan, you're making sure to build a good relationship through incentivizing the vendor for accomplishments rather than punishing for service failures. However, you've also contemplated an exit plan in the RFP for potential consistent service failures.
Ideally, this blueprint has helped you go beyond requirements identification and served as a means to change your mindset and strategy for outsourcing the service desk efficiently to gain long-term benefits.
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.
Contact your account representative for more information
workshops@infotech.com
1-888-670-8889
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
Identify Processes to Outsource
Identify service desk tasks that will provide the most value upon outsourcing.
Score Candidate Vendors
Evaluate vendors on their capabilities for satisfying your service desk requirements.
Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery
Terminate the IT Infrastructure Outsourcing Relationship
Yev Khovrenkov; Enterprise Consultant, Solvera Solutions
Kamil Salagan; I&O Manager, Bartek Ingredients
Satish Mekerira; VP of IT, Coherus BioSciences
Kris Krishan; Head of IT and Business Systems, Waymo
Kris Arthur; Infra & Security Director, SEKO Logistics
Valance Howden; Principal Research Advisor, Info-Tech Research Group
Sandi Conrad; Principal Research Director, Info-Tech Research Group
Graham Price; Senior Director of Executive Services, Info-Tech Research Group
Barry Cousins; Practice Lead, Info-Tech Research Group
Mark Tauschek; VP of I&O Research, Info-Tech Research Group
Darin Stahl; Principal Research Advisor, Info-Tech Research Group
Scott Yong; Principal Research Advisor, Info-Tech Research Group
A special thank-you to five anonymous contributors
Use this deck to learn what projects security practitioners are prioritizing for 2020. Based on a survey of 460 IT security professionals, this report explains what you need to know about the top five priorities, including:
While the priorities should in no way be read as prescriptive, this research study provides a high-level guide to understand that priorities drive the initiatives, projects, and responsibilities that make up organizations' security strategies.
There is always more to do, and if IT leaders are to grow with the business, provide meaningful value, and ascend the ladder to achieve true business partner and innovator status, aggressive prioritization is necessary. Clearly, security has become a priority across organizations, as security budgets have continued to increase over the course of 2019. 2020’s priorities highlight that data security has become the thread that runs through all other security priorities, as data is now the currency of the modern digital economy. As a result, data security has reshaped organizations’ priorities to ensure that data is always protected.
Ultimately, understanding how changes in technology and patterns of work stand to impact the day-to-day lives of IT staff across seniority and industries will allow you to evaluate what your priorities should be for 2020. Ensure that you’re spending your time right. Use data to validate. Prioritize and implement.
Data security often rubs against other organizational priorities like data quality, but organizations need to understand that the way they store, handle, and dispose of data is now under regulatory oversight.
Cloud security means that organizations can take advantage of automation tools not only for patching and patch management but also to secure code throughout the SDLC. It is clear that cloud will transform how security is performed.
Email security is critical, since email continues to be one of the top points of ingress for cyberattacks from ransomware to business email compromise.
Security risk management requires organizations to make decisions based on their individual risk tolerance on such things as machine learning and IoT devices.
Human error continues to be a security issue. In 2020, organizations should tailor their security awareness and training to their people so that they are more secure not only at work but also in life.
This phase addresses the benefits and challenges of incident response communications and offers advice on how to assemble a communications team and develop a threat escalation protocol.
This phase focuses on creating an internal and external communications plan, managing incident fallout, and conducting a post-incident review.
Define the business context needed to complete strategic IT initiatives.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Conduct analysis and facilitate discussions to uncover business needs for IT.
A baseline understanding of what business needs mean for IT
1.1 Define the strategic CIO initiatives our organization will pursue.
1.2 Complete the Business Context Discovery Tool.
1.3 Schedule relevant interviews.
1.4 Select relevant Info-Tech diagnostics to conduct.
Business context scope
Completed Business Context Discovery Tool
Completed Info-Tech diagnostics
Analyze the outputs from step 1 and uncover the business context gaps.
A thorough understanding of business needs and why IT should pursue certain initiatives
2.1 Conduct group or one-on-one interviews to identify the missing pieces of the business context.
Documentation of answers to business context gaps
Analyze the outputs from step 1 and uncover the business context gaps.
A thorough understanding of business needs and why IT should pursue certain initiatives
3.1 Conduct group or one-on-one interviews to identify the missing pieces of the business context.
Documentation of answers to business context gaps
Review findings and implications for IT’s strategic initiative.
A thorough understanding of business needs and how IT’s strategic initiatives address those needs
4.1 Review documented business context with IT team.
4.2 Discuss next steps for strategic CIO initiative execution.
Finalized version of the business context
Addressing and managing critical negotiation elements helps:
Throughout this phase, ten essential negotiation elements are identified and reviewed.
Improve negotiation skills and outcomes.
Understand how to use the Info-Tech During Negotiations Tool.
A better understanding of the subtleties of the negotiation process and an identification of where the negotiation strategy can go awry.
The During Negotiation Tool will be reviewed and configured for the customer’s environment (as applicable).
1.1 Manage six key items during the negotiation process.
1.2 Set the right tone and environment for the negotiation.
1.3 Focus on improving three categories of intangibles.
1.4 Improve communication skills to improve negotiation skills.
1.5 Customize your negotiation approach to interact with different personality traits and styles.
1.6 Maximize the value of your discussions by focusing on seven components.
1.7 Understand the value of impasses and deadlocks and how to work through them.
1.8 Use concessions as part of your negotiation strategy.
1.9 Identify and defeat common vendor negotiation ploys.
1.10 Review progress and determine next steps.
Sample negotiation ground rules
Sample vendor negotiation ploys
Sample discussion questions and evaluation matrix
Your organization is considering holding an event online, or has been, but:
If you don't begin with strategy, you will fit your event to technology, instead of the other way around.
To determine your requirements:
This deck walks you through key decision points in creating virtual or hybrid events. Then, begin the process of selecting the right software by putting together the first draft of your requirements for a virtual event software solution.
The business should review the list of features and select which ones are mandatory and which are nice to have or optional. Add any features not included.
The COVID-19 pandemic imposed a dramatic digital transformation on the events industry. Though event ticket and registration software, mobile event apps, and onsite audio/visual technology were already important pieces of live events, the total transformation of events into online experiences presented major challenges to organizations whose regular business operations involve at least one annual mid-sized to large event (association meetings, conferences, trade shows, and more).
Many organizations worked to shift to online, or virtual events, in order to maintain business continuity. As time went on, and public gatherings began to restart, a shift to “hybrid” events began to emerge—events that accommodate both in-person and virtual attendance. Regardless of event type, this pivot to using virtual event software, or digital event technology, brings events more closely into IT’s areas of responsibility. If you don't begin with strategy, you risk fitting your event to technology, instead of the other way around.
If virtual and hybrid events are becoming standard forms of delivering content in your organization, use Info-Tech’s material to help define the scope of the event and your requirements, and to support your software selection process.
Emily Sugerman
Research Analyst, Infrastructure & Operations
Info-Tech Research Group
Your Challenge | The organization (both on the business and IT sides) may not have extensive experience hosting events online. It is not immediately clear how a formerly in-person event’s activities translate to a virtual environment. Like the work-from-home transformation, bringing events online expands IT’s role and responsibilities. |
Common Obstacles | It is not clear what technological capabilities are needed for the event, which capabilities you already own, and what you may need to purchase. Though virtual events remove some barriers to attendance (distance, travel), they introduce new complications and considerations for planners. Hybrid events introduce another level of complexity. |
Info-Tech’s Approach | In order to determine your requirements: determine the scope of the event; narrow down your list of technical requirements; use Info-Tech’s Rapid Application Selection Framework to select the right software solution. |
Though you do have some tools that support large meetings, it is not clear if you require a larger and more comprehensive virtual event solution. There is a need to determine what type of technology you might need to purchase versus leveraging what you already have.
It is difficult to quickly and practically identify core event requirements and how they translate into technical capabilities.
Maintaining or improving audience engagement is a perpetual challenge for virtual events.
38% | 21% | 40% |
Source: Virtual Event Tech Guide, 2022
Events with networking objectives are not always well served by webinars, which are traditionally more limited in their interactive elements.
Events that include the conducting of organizational/association business (like voting) may have bylaws that make selecting a virtual solution more challenging.
Maintaining attendee engagement is more challenging in a virtual environment.
Prior to the pandemic, your organization may not have been as experienced in putting on fully virtual events, putting more responsibility in your corner as IT. Navigating virtual events can also require technological competencies that your attendee userbase may not universally possess.
Technological limitations and barriers to access can exclude potential attendees just as much as bringing events online can open up attendance to new audiences.
“We had 19,000 registrations from all over the world, almost 50 times the number of people we had expected to host in Amsterdam. . . . Most of this year’s [2020] attendees would not have been able to participate in a physical GrafanaCon in Amsterdam. That was a huge win.” – Raj Dutt, Grafana Labs CEO[5]
Event | In-person | Online | 2022 |
Microsoft Build | 2019: 6,000 attendees | 2020: 230,000+ registrants[1] | The 2022 conference was also held virtually[3] |
Stanford Institute for Human-Centered Artificial Intelligence | A few hundred attendees expected for the original (cancelled) 2020 in-person conference | 2020: 30,000 attendees attended the “COVID-19 and AI” virtual conference[2] | The 2022 Spring Conference was a hybrid event[4] |
[1] Kelly, 2020; [2] Price, 2020; [3] Stanford Digital Economy Lab, 2022; [4] Warren, 2022; [5] Fast Company, 2020
Apply project management principles to your virtual/hybrid event planning process.
Online event planning should follow the same established principles as in-person event planning.
Align the event’s concept and objectives with organizational goals.
Source: Adapted from Event Management Body of Knowledge, CC BY 4.0
Budget: Determine your organization’s budget for this event to help decide the scope of the event and the purchasing decisions you make as you plan.
Internal human resources: Identify who in your organization is usually involved in the organization of this event and if they are available to organize this one.
List of communication and collaboration tools: Acquire the list of the existing communication and collaboration tools you are currently licensed for. Ensure you know the following information about each tool:
Your organization may hold a variety of in-person events that you now wish, for various reasons, to hold fully or partially online. Each event likely has a slightly different set of goals.
Before getting into the details of how to transition your event online, return to the business/organizational goals the event is serving.
Ensure each event (and each component of each event) maps back to an organizational goal.
If a component of the event does not align to an organizational goal, assess whether it should remain as part of the event.
Attendee goals: Who are your attendees? Why do they attend this event? What attendee needs does your event serve? What is your event’s value proposition? Are they intrinsically or extrinsically motivated to attend?
Event goals: From the organizer perspective, why do you usually hold this event? Who are your stakeholders?
Organizational goals: How do the event goals map to your organizational goals? Is there a clear understanding of what the event’s larger strategic purpose is?
Education: our attendees need to learn something new that they cannot learn on their own.
Networking: our attendees need to meet people and make new professional connections.
Professional development: our attendees have certain obligations to keep credentials updated or to present their work publicly to advance their careers.
Entertainment: our attendees need to have fun.
Commerce: our attendees need to buy and sell things.
You can review this after working through the other decision points and the scope becomes clearer.
Planning roles | Description |
Project manager | Shepherd event planning until completion while ensuring project remains on schedule and on budget. |
Event manager | Correspond with presenters during leadup to event, communicate how to use online event tools/platform, perform tests with presenters/exhibitors, coordinate digital event staff/volunteers. |
Program planner | Select the topics, speakers, activity types, content, streams. |
Designer and copywriter | Design the event graphics; compose copy for event website. |
Digital event technologist | Determine event technology requirements; determine how event technology fits together; prepare RFP, if necessary, for new hardware/software. |
Platform administrator | Set up registration system/integrate registrations into platform(s) of choice; upload video files and collateral; add livestream links; add/delete staff roles and set controls and permissions; collect statistics and recordings after event. |
Commercial partner liaison | Recruit sponsors and exhibitors (offer sponsorship packages); facilitate agreement/contract between commercial partners and organization; train commercial partners on how to use event technology; retrieve lead data. |
Marketing/social media | Plan and execute promotional campaigns (email, social media) in the lead up to, and during, the event. Post-event, send follow-up communications, recording files, and surveys. |
Event production roles | Description |
Hosts/MCs | Address attendees at beginning and end of event, and in-between sessions; provide continuity throughout event; introduce sessions. |
Producers | Prepare presenters for performance; begin and end sessions; use controls to share screens, switch between feeds; send backchannel messages to presenters (e.g., "Up next," "Look into webcam"). |
Moderators | Admit attendees from waiting room; moderate incoming questions from attendees; manage slides; pass questions to host/panelists to answer; moderate chat. |
IT support | Manage event technology stack; respond to attendee technical issues; troubleshoot network connectivity problems; ensure audio and video operational; start and stop session recording; save session recordings and files (chat, Q&As). |
Input: List of attendee benefits, List of event goals, List of organizational goals
Output: Ranked list of event goals as they relate to attendee needs and organizational goals
Materials: Whiteboard/flip charts
Participants: Planning team
Identify your event archetype
Decompose the event into its component parts
Identify technical requirements that help meet event goals
Benefits:
Analyze your event’s:
Begin the digital event planning process by understanding how your event’s content is typically consumed. This will help you make decisions later about how best to deliver the content virtually.
[Figure: event archetypes and their components (major content, community, commercial partners, community interactions, meeting events, administration)]
Use the event archetypes to help you identify your event’s core components and value proposition.
Avoid trying to exactly reproduce the formerly in-person event online. Instead, identify the value proposition of each event component, then determine what its virtual expression could be.
Goals: Information transfer; sales; lead generation.
Event component | Face-to-face expression | Value proposition of component | Virtual expression |
Attendee types | Paying attendees | Revenue for event organizer; sales and lead generation for booth rep | Access to virtual event space |
Attendee types | Booth rep | Revenue for event organizer; information source for paying attendees | Access to virtual event space |
Communication/connection | Conversation between booth rep and attendee | Lead generation for booth rep; information to inform decision making for attendee | Ability to enter open video breakout session staffed by booth reps OR ability to schedule meeting times with booth rep; multiple booth reps on hand to monitor different elements of the booth (one person to facilitate the discussion over video, another to monitor chat and Q&A) |
Communication/connection | Serendipitous conversation between attendees | Increased attendee contacts; fun | Multiple attendees can attend the booth’s breakout session simultaneously and participate in web conferencing, meeting chat, or submit questions to Q&A |
Communication/connection | Badges scanned at booth/email sign-up sheets filled out at table | Lead generation for exhibitors | List of visitors to booth shared with exhibitor (if consent given by attendees); ability for attendees to request to be contacted for more information |
Exchange of material | Catering (complimentary coffee, pastries) | Obviate the need for attendees to leave the event for refreshments | N/A: not included in virtual event |
Exchange of material | Pamphlets, product literature, swag | Portable information for attendee decision making | Downloadable files (pdf) |
Location | Responsibility of both the organizers (tables, chairs, venue) and booth reps (posters, handouts) | Booth reps need a dedicated space where they can be easily found by attendees and advertise themselves | Booth reps need access to virtual platform to upload files, images, provide booth description |
Engagement | Attendees able to visit all booths by strolling through space | Event organizers have a captive audience who is present in the immediacy of the event site | Attendees motivated to stay in the event space and attend booths through gamification strategies (points awarded for number of booths visited or appointments booked) |
Length of event | 2 full days | Attendees travel to event site and spend the entire 2 days at the event, allowing them to be immersed in the event and absorb as much information in as little time as possible | Exhibitors’ visiting hours will be scheduled so they work for both attendees attending in Eastern Standard Time and Pacific Time |
Metrics for success | Positive word of mouth; number of registrations | These metrics can be used to advertise to future exhibitors and attendees | Number of virtual booths visited; number of file downloads; survey sent to attendees after event (favorite booths, preferred way to interact with exhibitors, suggestions for improvement, most valuable part of experience) |
Use the analytics and reporting features available in your event technology toolset to capture the data you want to measure. Decide how each metric will impact your planning process for the next event.
Examples of metrics:
Ensure the data you capture feeds into better planning for the next event
A greater event reach also means new data privacy considerations, depending on the location of your guests.
Concerns over the collection of personal electronic data may not have previously been a part of your event planning considerations. However, now that your event is online, it’s wise to explore which data protection regulations apply to you. Remember, even if your organization is not located in the EU, if any of your attendees are European data subjects you may still be required to comply with GDPR, which involves the notification of data collected, allowing for opt-out options, and the right to have data purged. The data must be collected for a specific purpose; if that purpose has expired, the data can no longer be retained. You also have an obligation to report any breaches.
What kind of accessibility laws are you subject to (AODA, WCAG2)? Regardless of compliance requirements, it is a good idea to ensure the online event follows accessibility best practices.
What event policies need to be documented?
How will you communicate them to attendees?
One trend in the large event and conference space in recent years has been the development of codes of conduct that attendees are required to abide by to continue participating in the event.
Now that your event is online, consider whether your code of conduct requires updating. Are there new types of appropriate/inappropriate online behavior that you need to define for your attendees?
If your organization has an event harassment reporting process, determine how this process will transfer over to the digital event.
Ensure the reporting process has an owner and a clear methodology to follow to deal with complaints, as well as a digital reporting channel (a dedicated email or form) that is only accessed by approved staff to protect sensitive information.
Plan for how you will mitigate technical risks during your virtual event
Provide presenters with a process to follow if technical problems arise.
Test audio hardware: Ensure speakers use headphones/earbuds and mics (they do not have to be fancy/expensive). Relying on the computer/laptop mic can lead to more ambient noise and potential feedback problems.
Check lighting: Avoid backlighting. Reposition speakers so they are not behind windows. Ask them to open/close shades. Add lamps as needed.
Prevent interruptions: Before the event, ask panelists to turn phone and computer notifications to silent. Put a sign on the door saying "Do Not Disturb."
Control audience view of screenshare: If your presenters will be sharing their screens, teach them how this works on the platform they are using. Advise them to exit out of any other application that is not part of their presentation, so they do not share the wrong screen unintentionally. Advise them to remove anything from the desktop that they do not want the audience to see, in case their desktop becomes visible at any point.
Control audience view of physical environment: Before the event, advise participants to turn their cameras on and examine their backgrounds. Remove anything the audience should not be able to see.
Test network connectivity: Send the presenters a link to a speed test and check their internet speed.
Emergency contact: Exchange cell phone numbers for emergency backchannel conversations if problems arise on the day of the event.
Set expectations: Presenting to an online audience feels very different to a live crowd. Prepare presenters for a lack of applause and lack of ability to see their audience, and that this does not mean the presentation was unsuccessful.
To determine what kind of technical requirements you need to build the virtual expression of your event, consult the Virtual Event Platform Requirements Tool.
Download the Virtual/Hybrid Event Software Feature Analysis Tool
Launch Info-Tech’s Rapid Application Selection Framework.
Using the requirements you’ve just gathered as a base, use Info-Tech’s complete framework to improve the efficiency and effectiveness of software selection.
Once you’ve selected a vendor(s), review the contract. Does it define an exit strategy? Does it define when your data will be deleted? Does it set service-level agreements that you find acceptable? Leverage Info-Tech’s contract review service once you have selected the virtual event solution and have received a contract from the vendor.
Dutt, Raj. “7 Lessons from This Company’s First-Ever Virtual Conference.” Fast Company, 29 Jul 2020. Web.
Kelly, Samantha Murphy. “Microsoft Build Proves Splashy Tech Events Can Thrive Online.” CNN, 21 May 2020. Web.
“Phases.” Event Management Body of Knowledge (EMBOK), n.d. Web.
Price, Michael. “As COVID-19 Forces Conferences Online, Scientists Discover Upsides of Virtual Format.” Science, 28 Apr 2020. Web.
“Stanford HAI Spring Conference - Key Advances in Artificial Intelligence.” Stanford Digital Economy Lab, 2022. Web.
“Virtual Event Tech Guide 2022.” Skift Meetings, April 2022. Web.
Warren, Tom. “Microsoft Build 2022 Will Take Place May 24th–26th.” The Verge, 30 March 2022. Web.
6 anonymous contributors
The ways you measure success as a business are based on the typical business environment, but during a crisis like a pandemic, the business environment is rapidly changing or significantly different.
Measure what you have the data for and focus on managing the impacts to your employees, customers, and suppliers. Be willing to make decisions based on imperfect data. Don’t forget to keep an eye on the long-term objectives and remember that how you act now can reflect on your business for years to come.
Use Info-Tech’s approach to:
Identify the short-term goals for your organization and reconsider your long-term objectives.
Determine your tool for data collection and your data requirements and collect initial data.
Determine the appropriate cadence for reviewing the dashboard and action planning.
Under the best of circumstances, mainframe systems are complex, expensive, and difficult to scale. In today’s world, applications written for mainframe legacy systems also present significant operational challenges to customers compounded by the dwindling pool of engineers who specialize in these outdated technologies. Many organizations want to migrate their legacy applications to the cloud but to do so they need to go through a lengthy migration process that is made more challenging by the complexity of mainframe applications.
The most common tactic is for the organization to better realize its z/Series options and adopt a strategy built on complexity and workload understanding. To make the evident, obvious: the options here for the non-commodity are not as broad as with commodity server platforms and the mainframe is arguably the most widely used and complex non-commodity platform on the market.
This research will help you:
This blueprint will help you assess the fit, purpose, and price; develop strategies for overcoming potential challenges; and determine the future of z/Series for your organization.
Use this tool to play with the pre-populated values or insert your own amounts to compare possible database decisions, and determine the TCO of each. Note that common assumptions can often be false; for example, open-source Cassandra running on many inexpensive commodity servers can actually have a higher TCO over six years than a Cassandra environment running on a larger single expensive piece of hardware. Therefore, calculating TCO is an essential part of the database decision process.
“A number of market conditions have coalesced in a way that is increasingly driving existing mainframe customers to consider running their application workloads on alternative platforms. In 2020, the World Economic Forum noted that 42% of core skills required to perform existing jobs are expected to change by 2022, and that more than 1 billion workers need to be reskilled by 2030.” – Dale Vecchio
Your Challenge | It seems like anytime there’s a new CIO who is not from the mainframe world there is immediate pressure to get off this platform. However, just as there is a high financial commitment required to stay on System Z, moving off is risky and potentially more costly. You need to truly understand the scale and complexity ahead of the organization. |
Common Obstacles | Under the best of circumstances, mainframe systems are complex, expensive, and difficult to scale. In today’s world, applications written for mainframe legacy systems also present significant operational challenges to customers compounded by the dwindling pool of engineers who specialize in these outdated technologies. Many organizations want to migrate their legacy applications to the cloud, but to do so they need to go through a lengthy migration process that is made more challenging by the complexity of mainframe applications. |
Info-Tech Approach | The most common tactic is for the organization to better realize its z/Series options and adopt a strategy built on complexity and workload understanding. To make the evident, obvious: the options here for the non-commodity are not as broad as with commodity server platforms and the mainframe is arguably the most widely used and complex non-commodity platform on the market. |
Problem statement: The z/Series remains a vital platform for many businesses and continues to deliver exceptional reliability and performance and play a key role in the enterprise. With the limited and aging resources at hand, CIOs and the like must continually review and understand their migration path with the same regard as any other distributed system roadmap. |
This research is designed for: IT strategic direction decision makers. IT managers responsible for an existing z/Series platform. Organizations evaluating platforms for mission critical applications. |
This research will help you:
Good Luck.
Modernize the mainframe … here we go again. Prior to 2020, most organizations were muddling around in “year eleven of the four-year plan” to exit the mainframe platform where a medium-term commitment to the platform existed. Since 2020, it appears the appetite for the mainframe platform changed. Again. Discussions mostly seem to be about what the options are beyond hardware outsourcing or re-platforming to “cloud” migration of workloads – mostly planning and strategy topics. A word of caution: it would appear unwise to stand in front of the exit door for fear of being trampled. Hardware expirations between now and 2025 are motivating hosting deployments. Others are in migration activities, and some have already decommissioned and migrated but now are trying to rehab the operations team now lacking direction and/or structure. |
Darin Stahl |
Thinking of modernizing your mainframe can cause you angst so grab a fidget spinner and relax because we have you covered!
External Business Pressures:
Internal Considerations:
With multiple control points to be addressed, care must be taken to simplify your options while addressing all concerns to ease operational load.
Dating back to 2011, Darin Stahl has been the primary z/Series subject matter expert within the Infrastructure & Operations Research team. Below represents the percentage of calls, per industry, where z/Series advisory has been provided by Darin*:
37% - State Government
19% - Insurance
11% - Municipality
8% - Federal Government
8% - Financial Services
5% - Higher Education
3% - Retail
3% - Hospitality/Resort
3% - Logistics and Transportation
3% - Utility
Based on the Info-Tech call history, there is a consistent cross section of industry members who not only rely upon the mainframe but are also considering migration options.
Note: Of course, this only represents industries who are Info-Tech members and who called for advisory services about the mainframe. There may well be more Info-Tech members with mainframes who have no topic to discuss with us about the mainframe specifically. Why do we mention this? We caution against suggesting things like “somewhat less than 50% of mainframes live in state data centers” or any other extrapolated inference from this data. Our viewpoint and discussion is based on the cases and the calls that we have taken over the years. *37+ enterprise calls were reviewed and sampled.
For most workloads “scale out” (e.g. virtualized cloud or IaaS) is going to provide obvious and quantifiable benefits. However, with some workloads (extremely large analytics or batch processing) a “scale up” approach is more optimal. But the scale up is really limited to very specific workloads. Despite some assumptions, the gains made when moving from scale up to scale out are not linear. Obviously, when you scale out from a performance perspective you experience a drop in what a single unit of compute can do. Additionally, there will be latency introduced in the form of network overhead, transactions, and replication into operations that were previously done just by passing object references within a single frame. Some applications or use cases will have to be architected or written differently (thinking about the high-demand analytic workloads at large scale). Remember the “grid computing” craze that hit us during the early part of this century? It was advantageous for many to distribute work across a grid of computing devices for applications but the advantage gained was contingent on the workload being able to be parsed out as work units and then pulled back together through the application. There can be some interesting and negative consequences for analytics or batch operations in a large scale as mentioned above. Bottom line, as experienced previously with Micro Focus mainframe ports to x86, the batch operations simply take much longer to complete.
Big Data Considerations*:
Below is a summary of concerns regarding core mainframe skills:
The Challenge An aging workforce, specialized skills, and high salary expectations
The In-House Solution: Build your mentorship program to create a viable succession plan
Migrate to another platform – There are several challenges to overcome in a migration project, from finding an appropriate alternative platform to rewriting legacy code. Many organizations have incurred huge costs in the attempt, only to be unsuccessful in the end, so make this decision carefully.
Use a hosting provider – Organizations often have highly sensitive data on their mainframes (e.g. financial data), so many of these organizations are reluctant to have this data live outside of their four walls. However, the convenience of using a hosting provider makes this an attractive option to consider.
Outsource – The most common tactic is for the organization to adopt some level of outsourcing for the non-commodity platform, retaining the application support/development in-house.
Re-platform (cloud/vendors) – A customer can “re-platform” the non-commodity workload into public cloud offerings or in a few offerings
Reinvest – If you’re staying with the mainframe and keeping it in-house, it’s important to continue to invest in this platform, keep it current, and look for opportunities to optimize its value.
If this sounds like your organization, it’s time to do the analysis so you can decide and get clarity on the future of the mainframe in your organization.
*3 of the top 4 challenges related to shortfalls of alternative platforms |
*Source: Maximize the Value of IBM Mainframes in My Business |
Potential for reduced costs
Reliable infrastructure and experienced staff
So, what are the risks?
The most common tactic is for the organization to adopt some level of outsourcing for the non-commodity platform, retaining the application support/development in-house. The options here for the non-commodity (z/Series, IBM Power platforms, for example) are not as broad as with commodity server platforms. More confusingly, the term “outsourcing” for these can include: |
Traditional/Colocation – A customer transitions their hardware environment to a provider’s data center. The provider can then manage the hardware and “system.”
Onsite Outsourcing – Here a provider will support the hardware/system environment at the client’s site. The provider may acquire the customer’s hardware and provide software licenses. This could also include hiring or “rebadging” staff supporting the platform. This type of arrangement is typically part of a larger services or application transformation. While low risk, it is not as cost-effective as other deployment models.
Managed Hosting – A customer transitions their legacy application environment to an off-prem hosted multi-tenanted environment. It will provide the most cost savings following the transition, stabilization, and disposal of existing environment. Some providers will provide software licensing, and some will also support “Bring Your Own,” as permitted by IBM terms for example.
Info-Tech Insight Technical debt for non-commodity platforms isn’t only hardware based. Moving an application written for the mainframe onto a “cheaper” hardware platform (or outsourced deployment) leaves the more critical problems and frequently introduces a raft of new ones. |
While the majority of the coded functionality (JCLs, programs, etc.) migrates easily, there will be a need to re-code or re-write objects – especially if any object, code, or location references are not exactly the same in the new environment. Micro Focus has solid experience in this, but consider it within the context of an 80/20 rule (the actual metrics might be much better than that), meaning that some level of rework would have to be accomplished as an overhead to the exercise. Build that thought into your thinking and business case.
AWS Cloud
Azure Cloud
Micro Focus COBOL (Visual COBOL)
Yeah, a complication for this situation is the legacy code. While re-platforming/re-hosting non-COBOL code is not new, we have not had many member observations compared to the re-platforming/re-hosting of COBOL functionality initiatives. That being said, there are a couple of interesting opportunities to explore. |
NTT Data Services (GLOBAL)
ModernSystems (or ModSys) has relevant experience.
ATOS, as a hosting vendor mostly referenced by customers with global locations in a short-term transition posture, could be an option. Lastly, the other Managed Services vendors with NATURAL and Adabas capabilities: |
*92% of organizations that added capacity said TCO is lower than for commodity servers (compared to 50% of those who did not add capacity) |
*63% of organizations that added capacity said finding resources is not very difficult (compared to 42% of those who did not add capacity) |
1. Temporary workaround. This would align with a technical solution allowing the VSAM files to be accessed using platforms other than mainframe hardware (Micro Focus or other file store trickery). This can be accomplished relatively quickly but does run the risk of technology obsolescence for the workaround at some point in the future.
2. Bulk conversion. This method would involve the extract/transform/load of the historical records into the new application platform. Often the conversion is completed on work from newest to oldest (the idea is that the newest historical records would have the highest likelihood of an access need), but all files would be converted to the new application and the old data store destroyed.
3. Forward convert. This method would have files undergo the extract/transform/load conversion into the new application as they are accessed or reopened. It would keep historical records indefinitely or until they are converted – or the legal retention schedule allows for their destruction (hopefully no file must be kept forever). This could be a cost-efficient approach since the historical files remaining on the VSAM platform would be shrunk over time based on demand from the district attorney process. The conversion process could be automated and scripted, with a QR step allowing for the records to be deleted from the old platform.
Info-Tech Insight It is not usual for organizations to leverage options #2 and #3 above to move the functionality forward while containing the scope creep and costs for the data conversions. |
Note: Enterprise job scheduling is a topic with low member interest or demand. Since our published research is driven by members’ interest and needs, the lack of activity or member demand would obviously be a significant influence into our ability to aggregate shared member insight, trends, or best practices in our published agenda.
✓ Advanced Systems Concepts ✓ BMC ✓ Broadcom ✓ HCL ✓ Fortra
✓ Redwood ✓ SMA Technologies ✓ Stonebranch ✓ Tidal Software ✓ Vinzant Software
Creating vendor profiles will help quickly filter the solution providers that directly meet your z/Series needs.
ActiveBatch
Workload Management: | ||
Summary Founded in 1981, ASC’s ActiveBatch “provides a central automation hub for scheduling and monitoring so that business-critical systems, like CRM, ERP, Big Data, BI, ETL tools, work order management, project management, and consulting systems, work together seamlessly with minimal human intervention.”* URL Coverage: Global |
Amazon EC2 Hadoop Ecosystem IBM Cognos DataStage IBM PureData (Netezza) Informatica Cloud Microsoft Azure Microsoft Dynamics AX Microsoft SharePoint Microsoft Team Foundation Server |
Oracle EBS Oracle PeopleSoft SAP BusinessObjects ServiceNow Teradata VMware Windows Linux Unix IBM i |
*Advanced Systems Concepts, Inc.
Control-M
Workload Management: | ||
Summary Founded in 1980, BMC’s Control-M product “simplifies application and data workflow orchestration on premises or as a service. It makes it easy to build, define, schedule, manage, and monitor production workflows, ensuring visibility, reliability, and improving SLAs.”* URL bmc.com/it-solutions/control-m.html Coverage: Global | AWS Azure Google Cloud Platform Cognos IBM InfoSphere DataStage SAP HANA Oracle EBS Oracle PeopleSoft BusinessObjects | ServiceNow Teradata VMware Windows Linux Unix IBM i IBM z/OS zLinux |
*BMC
Automic Automation
Autosys Workload Automation
Workload Management: | ||
Summary Broadcom offers Automic Automation and Autosys Workload Automation which “gives you the agility, speed and reliability required for effective digital business automation. From a single unified platform, Automic centrally provides the orchestration and automation capabilities needed to accelerate your digital transformation and support the growth of your company.”* URL broadcom.com/products/software/automation/automic-automation broadcom.com/products/software/automation/autosys Coverage: Global
| Windows MacOS Linux UNIX AWS Azure Google Cloud Platform VMware z/OS zLinux System i OpenVMS Banner Ecometry | Hadoop Oracle EBS Oracle PeopleSoft SAP BusinessObjects ServiceNow Teradata VMware Windows Linux Unix IBM i |
Workload Automation
Workload Management: | |||
Summary “HCL Workload Automation streamlined modelling, advanced AI and open integration for observability. Accelerate the digital transformation of modern enterprises, ensuring business agility and resilience with our latest version of one stop automation platform. Orchestrate unattended and event-driven tasks for IT and business processes from legacy to cloud and kubernetes systems.”* URL hcltechsw.com/workload-automation Coverage: Global
| Windows MacOS Linux UNIX AWS Azure Google Cloud Platform VMware z/OS zLinux System i OpenVMS IBM SoftLayer IBM BigInsights | IBM Cognos Hadoop Microsoft Dynamics 365 Microsoft Dynamics AX Microsoft SQL Server Oracle E-Business Suite PeopleSoft SAP ServiceNow Apache Oozie Informatica PowerCenter IBM InfoSphere DataStage Salesforce BusinessObjects BI | IBM Sterling Connect:Direct IBM WebSphere MQ IBM Cloudant Apache Spark |
JAMS Scheduler
Workload Management: | ||
Summary Fortra’s “JAMS is a centralized workload automation and job scheduling solution that runs, monitors, and manages jobs and workflows that support critical business processes. JAMS reliably orchestrates the critical IT processes that run your business. Our comprehensive workload automation and job scheduling solution provides a single pane of glass to manage, execute, and monitor jobs—regardless of platforms or applications.”* URL Coverage: Global
| OpenVMS OS/400 Unix Windows z/OS SAP Oracle Microsoft Infor Workday AWS Azure Google Cloud Compute ServiceNow Salesforce | Micro Focus Microsoft Dynamics 365 Microsoft Dynamics AX Microsoft SQL Server MySQL NeoBatch Netezza Oracle PL/SQL Oracle E-Business Suite PeopleSoft SAP SAS Symitar |
*JAMS
Redwood SaaS
Workload Management: | ||
Summary Founded in 1993 and delivered as a SaaS solution, “Redwood lets you orchestrate securely and reliably across any application, service or server, in the cloud or on-premises, all inside a single platform. Automation solutions are at the core of critical business operations such as forecasting, replenishment, reconciliation, financial close, order to cash, billing, reporting, and more. Enterprises in every industry — from manufacturing, utility, retail, and biotech to healthcare, banking, and aerospace.”* URL Coverage: Global
| OpenVMS OS/400 Unix Windows z/OS SAP Oracle Microsoft Infor Workday AWS Azure Google Cloud Compute ServiceNow Salesforce | Github Office 365 Slack Dropbox Tableau Informatica SAP BusinessObjects Cognos Microsoft Power BI Amazon QuickSight VMware Xen Kubernetes |
Robot Scheduler
Workload Management: | |
Summary “Robot Schedule’s workload automation capabilities allow users to automate everything from simple jobs to complex, event-driven processes on multiple platforms and centralize management from your most reliable system: IBM i. Just create a calendar of when and how jobs should run, and the software will do the rest.”* URL fortra.com/products/job-scheduling-software-ibm-i Coverage: Global
| IBM i (System i, iSeries, AS/400) AIX/UNIX Linux Windows SQL/Server Domino JD Edwards EnterpriseOne SAP Automate Schedule (formerly Skybot Scheduler) |
OpCon
Workload Management: | |||
Summary Founded in 1980, SMA offers to “save time, reduce error, and free your IT staff to work on more strategic contributions with OpCon from SMA Technologies. OpCon offers powerful, easy-to-use workload automation and orchestration to eliminate manual tasks and manage workloads across business-critical operations. It's the perfect fit for financial institutions, insurance companies, and other transactional businesses.”* URL Coverage: Global | Windows Linux Unix z/Series IBM i Unisys Oracle SAP Microsoft Dynamics AX Infor M3 Sage Cegid Temenos | FICS Microsoft Azure Data Management Microsoft Azure VM Amazon EC2/AWS Web Services RESTful Docker Google Cloud VMware ServiceNow Commvault Microsoft WSUS Microsoft Orchestrator | Java JBoss Asysco AMT Tuxedo ART Nutanix Corelation Symitar Fiserv DNA Fiserv XP2 |
Universal Automation Center (UAC)
Workload Management: | |||
Summary Founded in 1999, “the Stonebranch Universal Automation Center (UAC) is an enterprise-grade business automation solution that goes beyond traditional job scheduling. UAC's event-based workload automation solution is designed to automate and orchestrate system jobs and tasks across all mainframe, on-prem, and hybrid IT environments. IT operations teams gain complete visibility and advanced control with a single web-based controller, while removing the need to run individual job schedulers across platforms.”* URL stonebranch.com/it-automation-solutions/enterprise-job-scheduling Coverage: Global | Windows Linux Unix z/Series Apache Kafka AWS Databricks Docker GitHub Google Cloud Informatica | Jenkins Jscape Kubernetes Microsoft Azure Microsoft SQL Microsoft Teams PagerDuty PeopleSoft Pentaho RedHat Ansible Salesforce | SAP ServiceNow Slack SMTP and IMAP Snowflake Tableau VMware |
Workload Automation
Workload Management: | |||
Summary Founded in 1979, Tidal’s Workload Automation will “simplify management and execution of end-to-end business processes with our unified automation platform. Orchestrate workflows whether they're running on-prem, in the cloud or hybrid environments.”* URL Coverage: Global | CentOS Linux Microsoft Windows Server Open VMS Oracle Cloud Oracle Enterprise Linux Red Hat Enterprise Server Suse Enterprise Tandem NSK Ubuntu UNIX HPUX (PA-RISC, Itanium) Solaris (Sparc, X86) | AIX, iSeries z/Linux z/OS Amazon AWS Microsoft Azure Oracle OCI Google Cloud ServiceNow Kubernetes VMware Cisco UCS SAP R/3 & SAP S/4HANA Oracle E-Business | Oracle ERP Cloud PeopleSoft JD Edwards Hadoop Oracle DB Microsoft SQL SAP BusinessObjects IBM Cognos FTP/FTPS/SFTP Informatica |
Global ECS
Workload Management: | |
Summary Founded in 1987, Global ECS can “simplify operations in all areas of production with the GECS automation framework. Use a single solution to schedule, coordinate and monitor file transfers, database operations, scripts, web services, executables and SAP jobs. Maximize efficiency for all operations across multiple business units intelligently and automatically.”* URL Coverage: Global | Windows Linux Unix iSeries SAP R/3 & SAP S/4HANA Oracle, SQL/Server |
Activities:
This activity involves the following participants:
IT strategic direction decision makers
IT managers responsible for an existing z/Series platform
Organizations evaluating platforms for mission critical applications
Outcomes of this step:
This checkpoint process creates transparency around agreement costs with the business and gives the business an opportunity to re-evaluate its requirements for a potentially leaner agreement.
The Scale Up vs. Scale Out TCO Tool provides organizations with a framework for estimating the costs associated with purchasing and licensing for a scale-up and scale-out environment over a multi-year period. Use this tool to:
Info-Tech Insight: Watch out for inaccurate financial information. Ensure that the financials for cost match your maintenance and contract terms.
Use the Scale Up vs. Scale Out TCO Tool to determine your TCO options.
Effectively Acquire Infrastructure Services
Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.
Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery
There are very few IT infrastructure components you should be housing internally – outsource everything else.
Build Your Infrastructure Roadmap
Move beyond alignment: Put yourself in the driver’s seat for true business value.
Make the most of cloud for your organization.
Drive consensus by outlining how your organization will use the cloud.
Build a Strategy for Big Data Platforms
Know where to start and where to focus attention in the implementation of a big data strategy.
Improve your RFPs to gain leverage and get better results.
Darin Stahl, Principal Research Advisor, Info-Tech Research Group Darin is a Principal Research Advisor within the Infrastructure Practice, and leveraging 38+ years of experience, his areas of focus include: IT Operations Management, Service Desk, Infrastructure Outsourcing, Managed Services, Cloud Infrastructure, DRP/BCP, Printer Management, Managed Print Services, Application Performance Monitoring/ APM, Managed FTP, non-commodity servers (z/Series, mainframe, IBM i, AIX, Power PC). |
Troy Cheeseman, Practice Lead, Info-Tech Research Group Troy has over 25 years of IT management experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT Operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) start-ups. |
“AWS Announces AWS Mainframe Modernization.” Business Wire, 30 Nov. 2021.
de Valence, Phil. “Migrating a Mainframe to AWS in 5 Steps with Astadia?” AWS, 23 Mar. 2018.
Graham, Nyela. “New study shows mainframes still popular despite the rise of cloud—though times are changing…fast?” WatersTechnology, 12 Sept. 2022.
“Legacy applications can be revitalized with API.” MuleSoft, 2022.
Vecchio, Dale. “The Benefits of Running Mainframe Applications on LzLabs Software Defined Mainframe® & Microsoft Azure.” LzLabs Sites, Mar. 2021.
Use this report to understand the current situation in the cybersecurity space and inform your plan for 2022. This report includes sections on protecting against and responding to ransomware, acquiring and retaining talent, securing a remote workforce, securing digital transformation, and adopting zero trust.
The pandemic has introduced a lot of changes to our lives over the past two years, and this is also true for various aspects of how we work. In particular, a large workforce moved online overnight, which shifted the work environment rapidly.
People changed how they communicate, how they access company information, and how they connect to the company network. These changes make cybersecurity a more important focus than ever.
Although changes like the shift to remote work occurred in response to the pandemic, they are largely expected to remain, regardless of the progression of the pandemic itself. This report will look into important security trends and the priorities that stemmed from these trends.
30% more professionals expect transformative permanent change compared to one year ago.
47% of professionals expect a lot of permanent change; this remains the same as last year. (Source: Info-Tech Tech Trends 2022 Survey; N=475)
$4.24 million: Average cost of a data breach in 2021
The cost of a data breach rose by nearly 10% in the past year, the highest rate in over seven years.
$1.07 million: More costly when remote work involved in the breach
The average cost of breaches where remote work is involved is $1.07 million higher than breaches where remote work is not involved. The ubiquitous remote work that we saw in 2021 and continue to see in 2022 can lead to more costly security events. (Source: IBM, 2021)
Remote work is here to stay, and the cost of a breach is higher when remote work is involved.
The cost comes not only directly from payments but also indirectly from reputational loss. (Source: IBM, 2021)
$1.76 million: Saved when zero trust is deployed facing a breach
Zero trust controls are realistic and effective controls. Organizations that implement zero trust dramatically reduce the cost of an adverse security event.
35%: More costly if it takes more than 200 days to identify and contain a breach
With increased BYOD and remote work, detection and response is more challenging than ever before – but it is also highly effective. Organizations that detect and respond to incidents quickly will significantly reduce the impact. (Source: IBM, 2021)
Breaches are 34% less costly when mature zero trust is implemented.
A fully staffed and well-prepared security team could save the cost through quick responses. (Source: IBM, 2021)
As part of its research process for the 2022 Security Priorities Report, Info-Tech Research Group surveyed security and IT leaders (N=97) to ask their top security priorities as well as their main obstacles to security success in 2022:
Top Priorities
Survey respondents were asked to force-rank their security priorities. Among the priorities chosen most frequently as #1 were talent management, addressing ransomware threats, and securing hybrid/remote work.
Top Obstacles
Talent management is both the #1 priority and the top obstacle facing security leaders in 2022. Unsurprisingly, the ever-changing environment in a world emerging from a pandemic and budget constraints are also top obstacles.
This report details what we see the world demanding of security leaders in the coming year.
Setting aside the demands – what are security leaders actually working on?
Many organizations are still mastering the foundations of a mature cybersecurity program. This is a good idea! Most breaches are still due to gaps in foundational security, not lack of advanced controls. |
One industry plainly stands out from the rest. Government organizations are proportionally much more active in security than other industries, and for good reason: they are common targets. Manufacturing and professional services are proportionally less interested in security. This is concerning, given the recent targeting of supply chain and personal data holders by ransomware gangs. |
Main Influencing Factors |
||
COVID-19 Pandemic
The pandemic has changed the way we interact with technology. Organizations are universally adapting their business and technology processes to fit the post-pandemic paradigm. |
Rampant Cybercrime Activity
By nearly every conceivable metric, cybercrime is way up in the past two years. Cybercriminals smell blood and pose a more salient threat than before. Higher standards of cybersecurity capability are required to respond to this higher level of threat. |
Remote Work and Workforce Reallocation
Talented IT staff across the globe enabled an extraordinarily fast shift to remote and distance work. We must now reckon with the security and human resourcing implications of this huge shift. |
Cybersecurity talent has been in short supply for years, but this shortage has inflected upward since the pandemic.
The Great Resignation contributed to the existing talent gap. The pandemic has changed how people work as well as how and where they choose work. More and more senior workers are retiring early or opting for remote working opportunities.
The cost to acquire cybersecurity talent is huge, and the challenge doesn’t end there. Retaining top talent can be equally difficult.
2.72 million unfilled cybersecurity openings (Source: (ISC)2, 2021)
Burnout | 30% |
Other remote opportunities | 20% |
Lack of growth opportunities | 20% |
Poor culture | 20% |
Acquisition concerns | 10% |
Staffing obstacles in 2022:
“Attracting and retaining talent is always challenging. We don’t pay as well and my org wants staff in the office at least half of the time. Most young, smart, talented new hires want to work remotely 100 percent of the time.”
“Trying to grow internal resources into security roles.”
“Remote work expectations by employees and refusal by business to accommodate.”
“Biggest obstacle: payscales that are out of touch with cybersecurity market.”
“Request additional staff. Obtaining funding for additional position is most significant obstacle.”
(Info-Tech Tech Security Priorities Survey 2022)
Top obstacles in 2022:
As you can see, respondents to our security priorities survey have strong feelings on the challenges of staffing a cybersecurity team. The growth of remote work means local talent can now be hired by anybody, vastly increasing your competition as an employer. Hiring local will get tougher – but so will hiring abroad. People who don’t want to relocate for a new job now have plenty of alternatives. Without a compelling remote work option, you will find non-local prospects unwilling to move for a new job. Lastly, many organizations are still reeling at the cost of experienced cybersecurity talent. Focused internal training and development will be the answer for many organizations. |
Provide career development opportunities
Many security professionals are dissatisfied with their unclear career development paths. To improve retention, organizations should provide their staff with opportunities and clear paths for career and skills advancement. |
Be open-minded when hiring
To broaden the candidate pool, organizations should be open-minded when considering who to hire.
Facilitate work-life balance
Many security professionals say they experience burnout. Promoting work-life balance in your organization can help retain critical skills. |
Create inclusive environment
Hire a diverse team and create an inclusive environment where they can thrive. |
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
Initiative Description:
Description must include what IT will undertake to complete the initiative. | |||
Primary Business Benefits: Reduction in costs due to turnover and talent loss
Other Expected Business Benefits:
Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts. | ||
Risks:
Related Info-Tech Research: |
Remote work poses unique challenges to cybersecurity teams. The personal home environment may introduce unauthorized people and unknown network vulnerabilities, and the organization loses nearly all power and influence over the daily cyber hygiene of its users.
In addition, the software used for enabling remote work itself can be a target of cybersecurity criminals.
70% of tech workers work from home (Source: Statcan, 2021)
The security perimeter is finally gone
The data is outside the datacenter.
Organizations that did not implement digital transformation changes following COVID-19 experience higher costs following a breach, likely because it is taking nearly two months longer, on average, to detect and contain a breach when more than 50% of staff are working remotely (IBM, 2021). In 2022 the cumulative risk of so many remote connections means we need to rethink how we secure the remote/hybrid workforce. |
Mature your identity management
Compromised identity is the main vector to breaches in recent years. Stale accounts, contractor accounts, misalignment between HR and IT – the lack of foundational practices leads to headline-making breaches every week.
Get a handle on your endpoints
Work-from-home (WFH) often means unknown endpoints on unknown networks full of other unknown devices…and others in the home potentially using the workstation for non-work purposes. Gaining visibility into your endpoints can help to keep detection and resolution times short.
Educate users
Educate everyone on security best practices when working remotely:
Ease of use
Many workers complain that the corporate technology solution makes it difficult to get their work done. Employees will take productivity over security if we force them to choose, so IT needs to listen to end users’ needs and provide a solution that is nimble and secure.
Digital transformation is occurring at an ever-increasing rate these days. As Microsoft CEO Satya Nadella said early in the pandemic, “We’ve seen two years’ worth of digital transformation in two months.”
We have heard similar stories from Info-Tech members who deployed rollouts that were scheduled to take months over a weekend instead.
Microsoft’s own shift to rapidly expand its Teams product is a prime example of how quickly the digital landscape has changed. The global adaption to a digital world has largely been a success story, but rapid change comes with risk, and there is a parallel story of rampant cyberattacks like we have never seen before.
There is an adage that “slow is smooth, and smooth is fast” – the implication being that fast is sloppy. In 2022 we’ll see a pattern of organizations working to catch up their cybersecurity with the transformations we all made in 2020.
$1.78 trillion expected in digital transformation investments (Source: World Economic Forum, 2021)
Digital transformations often rely heavily on third-party cloud service providers, which increases exposure of corporate data.
Further, adoption of new technology creates a new threat surface that must be assessed, mitigations implemented, and visibility established to measure performance. However, digital transformations are often run on slim budgets and without expert guidance. Survey respondents report as much: rushed deployments, increased cloud migration, and shadow IT are the top vulnerabilities reported by security leaders and executives.
In a 2020 Ponemon survey, 82% of IT security and C-level executives reported experiencing at least one data breach directly resulting from a digital transformation they had undergone. Scope creep is inevitable on any large project like a digital transformation. A small security shortcut early in the project can have dire consequences when it grows to affect personal data and critical systems down the road.
Engage the business early and often
Despite the risks, organizations engage in digital transformations because they also have huge business value. Security leaders should not be seeking to slow or stop digital transformations; rather, we should be engaging with the business early to get ahead of risks and enable successful transformation.
Establish a vendor security program
Data is moving out of datacenters and onto third-party environments. Without security requirements built into agreements, and clear visibility into vendor security capabilities, that data is a major source of risk. A robust vendor security program will create assurance early in the process and help to reinforce the responsibility of securing data with other parts of the organization.
Build/revisit your security strategy
The threat surface has changed since before your transformation. This is the right time to revisit or rebuild your security strategy to ensure that your control set is present throughout the new environment – and also a great opportunity to show how your current security investments are helping secure your new digital lines of business!
Educate your key players
Only 16% of security leaders and executives report alignment between security and business processes during digital transformation. If security is too low a priority, then key players in your transformation efforts are likely unaware of how security risks impact their own success. It will be incumbent upon the CISO to start that conversation.
John Kindervag modernized the concept of zero trust back in 2010, and in the intervening years there has been enormous interest in cybersecurity circles, yet in 2022 only 30% of organizations report even beginning to roll out zero trust capabilities (Statista, 2022).
Why such little action on a revolutionary and compelling model?
Zero trust is not a technology; it is a principle. Zero trust adoption takes concerted planning, effort, and expense, for which the business value has been unclear throughout most of the last 10 years. However, several recent developments are changing that:
The time has come for zero trust adoption to begin in earnest.
97% will maintain or increase zero trust budget (Source: Statista, 2022)
A hybrid workforce using traditional VPN creates an environment where we are exposed to all the risks in the wild (unknown devices at any location on any network), but at a stripped-down security level that still provides the trust afforded to on-premises workers using known devices.
What’s more, threats such as ransomware are known to exploit identity and remote access vulnerabilities before moving laterally within a network – vectors that are addressed directly by zero trust identity and networking. Ninety-three percent of surveyed zero trust adopters state that the benefits have matched or exceeded their expectations (iSMG, 2022).
44%: Enforce least privilege access to critical resources
44%: Reduce attacker ability to move laterally
41%: Reduce enterprise attack surface
A major obstacle to zero trust adoption has been the sheer cost, along with the lack of business case for that investment. Two factors are changing that paradigm in 2022:
The May 2021 US White House Executive Order for federal agencies to adopt zero trust architecture finally placed zero trust on the radar of many CEOs and board members, creating the business interest and willingness to consider investing in zero trust.
In addition, the cost of adopting zero trust is quickly being surpassed by the cost of not adopting zero trust, as cyberattacks become rampant and successful zero trust deployments create a case study to support investment.
The cost to remediate a ransomware attack more than doubled from 2020 to 2021. Widespread adoption of zero trust capabilities could keep that number from doubling again in 2022. (Source: Sophos, 2021)
The cost of a data breach is on average $1.76 million less for organizations with mature zero trust deployments.
That is, the cost of a data breach is 35% reduced compared to organizations without zero trust controls. (Source: IBM, 2021)
Start small
Don’t put all your eggs in one basket by deploying zero trust in a wide swath. Rather, start as small as possible to allow for growing pains without creating business friction (or sinking your project altogether).
Build a sensible roadmap
Zero trust principles can be applied in a myriad of ways, so where should you start? Between identities, devices, networking, and data, decide on a use case to do pilot testing and then refine your approach.
Beware too-good-to-be-true products
Zero trust is a powerful buzzword, and vendors know it. Be skeptical and do your due diligence to ensure your new security partners in zero trust are delivering what you need.
150% increase in ransomware attacks in 2020 (Source: ENISA)
What is the same in 2022
Unbridled ransomware attacks make it seem like attackers must be using complex new techniques, but prevalent ransomware attack vectors are actually well understood. Nearly all modern variants are breaching victim systems in one of three ways:
What is new in 2022
The sophistication of victim targeting
Victims often find themselves asking, “How did the attackers know to phish the most security-oblivious person in my staff?” Bad actors have refined their social engineering and phishing to exploit high-risk individuals, meaning your chain is only as strong as the weakest link.
Ability of malware to evade detection
Modern ransomware is getting better at bypassing anti-malware technology, for example, through creative techniques such as those seen in the MedusaLocker variant and in Ghost Control attacks. Effective anti-malware is still a must-have control, but a single layer of defense is no longer enough. Any organization that hopes to avoid paying a ransom must prepare to detect, respond, and recover from an attack.
Do you know what it would take to recover from a ransomware incident?
…and does your executive leadership know what it would take to recover? The organizations that are most likely to pay a ransom are unprepared for the reality of recovering their systems. If you have not done a tabletop or live exercise to simulate a true recovery effort, you may be exposed to more risk than you realize.
Are your defenses sufficiently hardened against ransomware?
Organizations with effective security prevention are often breached by ransomware – but they are prepared to contain, detect, and eradicate the infection. Ask yourself whether you have identified potential points of entry for ransomware. Assume that your security controls will fail. How well are your security controls layered, and how difficult would it be for an attacker to move east/west within your systems?
Be prepared for a breach
There is no guarantee that an organization will not fall victim to ransomware, so instead of putting all their effort into prevention, organizations should also put effort into planning to respond to a breach.
Security awareness training/phishing detection
Phishing continues to be the main point of entry for ransomware. Investing in phishing awareness and detection among your end users may be the most impactful countermeasure you can implement.
Zero trust adoption
Always verify at every step of interaction, even when access is requested by internal users. Manage access of sensitive information based on the principle of least privilege access.
Encrypt and back up your data
Encrypt your data so that even if there is a breach, the attackers don’t have a copy of your data. Also, keep regular backups of data at a separate location so that you still have data to work with after a breach occurs. You never want to pay a ransom. Being prepared to deal with an incident is your best chance to avoid paying!
How long has it been since you’ve gone a full workday without having a videoconference with someone?
We have become inherently trustful that the face we see on the screen is real, but the technology required to falsify that video is widely available and runs on commercially available hardware, ushering in a genuinely post-truth online era.
Criminals can use deepfakes to enhance social engineering, to spread misinformation, and to commit fraud and blackmail.
Many financial institutions have recently deployed voiceprint authentication. TD describes its VoicePrint as “voice recognition technology that allows us to use your voiceprint – as unique to you as your fingerprint – to validate your identity” over the phone.
However, hackers have been defeating voice recognition for years already. There is ripe potential for voice fakes to fool both modern voice recognition technology and the accounts payable staff.
“2021 Ransomware Statistics, Data, & Trends.” PurpleSec, 2021. Web.
Bayern, Macy. “Why 60% of IT security pros want to quit their jobs right now.” TechRepublic, 10 Oct. 2018. Web.
Bresnahan, Ethan. “How Digital Transformation Impacts IT And Cyber Risk Programs.” CyberSaint Security, 25 Feb. 2021. Web.
Clancy, Molly. “The True Cost of Ransomware.” Backblaze, 9 Sept. 2021. Web.
“Cost of a Data Breach Report 2021.” IBM, 2021. Web.
Cybersecurity Ventures. “Global Ransomware Damage Costs To Exceed $265 Billion By 2031.” Newswires, 4 June 2021. Web.
“Digital Transformation & Cyber Risk: What You Need to Know to Stay Safe.” Ponemon Institute, June 2020. Web.
“Global Incident Response Threat Report: Manipulating Reality.” VMware, 2021.
Granger, Diana. “Karmen Ransomware Variant Introduced by Russian Hacker.” Recorded Future, 18 April 2017. Web.
“Is adopting a zero trust model a priority for your organization?” Statista, 2022. Web.
“(ISC)2 Cybersecurity Workforce Study, 2021: A Resilient Cybersecurity Profession Charts the Path Forward.” (ISC)2, 2021. Web.
Kobialka, Dan. “What Are the Top Zero Trust Strategies for 2022?” MSSP Alert, 10 Feb. 2022. Web.
Kost, Edward. “What is Ransomware as a Service (RaaS)? The Dangerous Threat to World Security.” UpGuard, 1 Nov. 2021. Web.
Lella, Ifigeneia, et al., editors. “ENISA Threat Landscape 2021.” ENISA, Oct. 2021. Web.
Mello, John P., Jr. “700K more cybersecurity workers, but still a talent shortage.” TechBeacon, 7 Dec. 2021. Web.
Naraine, Ryan. “Is the ‘Great Resignation’ Impacting Cybersecurity?” SecurityWeek, 11 Jan. 2022. Web.
Oltsik, Jon. “ESG Research Report: The Life and Times of Cybersecurity Professionals 2021 Volume V.” Enterprise Security Group, 28 July 2021. Web.
Osborne, Charlie. “Ransomware as a service: Negotiators are now in high demand.” ZDNet, 8 July 2021. Web.
Osborne, Charlie. “Ransomware in 2022: We’re all screwed.” ZDNet, 22 Dec. 2021. Web.
“Retaining Tech Employees in the Era of The Great Resignation.” TalentLMS, 19 Oct. 2021. Web.
Rubin, Andrew. “Ransomware Is the Greatest Business Threat in 2022.” Nasdaq, 7 Dec. 2021. Web.
Samartsev, Dmitry, and Daniel Dobrygowski. “5 ways Digital Transformation Officers can make cybersecurity a top priority.” World Economic Forum, 15 Sept. 2021. Web.
Seymour, John, and Azeem Aqil. “Your Voice is My Passport.” Presented at Black Hat USA 2018.
Solomon, Howard. “Ransomware attacks will be more targeted in 2022: Trend Micro.” IT World Canada, 6 Jan. 2022. Web.
“The State of Ransomware 2021.” Sophos, April 2021. Web.
Tarun, Renee. “How The Great Resignation Could Benefit Cybersecurity.” Forbes Technology Council, Forbes, 21 Dec. 2021. Web.
“TD VoicePrint.” TD Bank, n.d. Web.
“Working from home during the COVID-19 pandemic, April 202 to June 2021.” Statistics Canada, 4 Aug. 2021. Web.
“Zero Trust Strategies for 2022.” iSMG, Palo Alto Networks, and Optiv, 28 Jan. 2022. Web.
Establish an enterprise architecture practice that:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
You need to define a sound set of design principles before commencing with the design of your EA organization.
The EA operating model structure should be rigid but pliable enough to fit the needs of the stakeholders it provides services to.
A phased approach and a good communications strategy are key to the success of the new EA organization.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Identify how EA looks within the organization and ensure all the necessary skills are accounted for within the function.
EA is designed to be the most appropriately placed and structured for the organization.
1.1 Place the EA department.
1.2 Define roles for each team member.
1.3 Find internal and external talent.
1.4 Create job descriptions with required proficiencies.
EA organization design
Role-based skills and competencies
Talent acquisition strategy
Job descriptions
Create a thorough engagement model to interact with stakeholders.
An understanding of each process within the engagement model.
Create stakeholder interaction cards to plan your conversations.
2.1 Define each engagement process for your organization.
2.2 Document stakeholder interactions.
EA Operating Model Template
EA Stakeholder Engagement Model Template
Develop EA boards, alongside a charter and policies to effectively govern the function.
Governance that aids the EA function instead of being a bureaucratic obstacle.
Adherence to governance.
3.1 Outline the architecture review process.
3.2 Position the architecture review board.
3.3 Create a committee charter.
3.4 Make effective governance policy.
Architecture Board Charter Template
EA Policy Template
Create an operating model that is influenced by universal standards including TOGAF, Zachman, and DoDAF.
A thoroughly articulated development framework.
Understanding of the views that influence each domain.
4.1 Tailor an architecture development framework to your organizational context.
EA Operating Model Template
Enterprise Architecture Views Taxonomy
Create a change management and communication plan or roadmap to execute the operating model.
Build a plan that takes change management and communication into consideration to achieve the wanted benefits of an EA program.
Effectively execute the roadmap.
5.1 Create a sponsorship action plan.
5.2 Outline a communication plan.
5.3 Execute a communication roadmap.
Sponsorship Action Plan
EA Communication Plan Template
EA Roadmap
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Consistently meet project goals through enhanced PM knowledge and awareness.
Take action and mitigate a pitfall before it becomes a problem.
Learn from issues encountered to help map PM strategies for future projects.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
State the success criteria of your application management practice through defined objectives and metrics. Assess your maturity.
Structure your application management governance model with the right process and roles. Inject product ownership into your practice.
Build your application management optimization roadmap to achieve your target state.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
State the success criteria of your application management practice through defined objectives and metrics.
Assess your maturity.
Grounded stakeholder expectations
Application management maturity and identification of optimization opportunities
1.1 Set your objectives.
1.2 Assess your maturity.
Application management objectives and metrics
Application management maturity and optimization opportunities
Structure your application management governance model with the right process and roles.
Inject product ownership into your practice.
Management approach aligned to product value and criticality
Management techniques to govern the product backlog
Target-state application management process and roles
2.1 Select your management approach.
2.2 Manage your single product backlog.
2.3 Optimize your management process.
2.4 Define your management roles.
Application management approach for each application
Product backlog management practices
Application management process
Application management roles and responsibilities and communication flow
Build your application management optimization roadmap to achieve your target state.
Optimization opportunities
Application management optimization roadmap
3.1 Build your optimization roadmap.
Application management optimization roadmap
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Equip managers to become more effective with managing remote teams.
The workbook serves as a reference guide participants will use to support formal training.
Many organizations are developing plans to allow employees more flexible work options, including remote work. Use these resources to help managers and employees make the most of remote work arrangements.
Describe the benefits of virtual teams.
Create a plan for adopting effective management practices and setting clear expectations with virtual teams.
Identify potential solutions to the challenges of managing performance and developing members of virtual teams.
Create an action plan to increase effectiveness in managing virtual teams.
People managers who manage or plan to manage virtual teams.
Two three-hour sessions
| Section 1 | | Section 2 | |
|---|---|---|---|
| 10 min | Welcome: Overview & Introductions | 10 min | Welcome: Overview & Introductions |
| 50 min | 1.1 Introduction to virtual teams | 55 min | 2.1 Managing wellbeing in a virtual team context |
| 5 min | Break | 5 min | Break |
| 45 min | 1.2 Laying the foundation for a virtual team | 60 min | 2.2 Managing performance in a virtual team context |
| 10 min | Break | 10 min | Break |
| 55 min | 1.2 Laying the foundation for a virtual team | 40 min | Action planning & conclusion |
| 5 min | Session 1 Wrap-Up | | |
Review all slides and adjust the language or content as needed to suit your organizational context and culture.
The pencil icon to the left denotes slides requiring customization of the slide and/or the speaker’s notes, e.g. adding in an organization-specific process.
Customization instructions are found in the notes pane.
Practical foundations for managing teams in a remote environment
Most organizations are planning some combination of remote and onsite work in 2022.
Source: IT Talent Trends, 2022; n=199
Most organizations are planning some combination of remote and onsite work in 2022 – the highest reported plans for WFH were hybrid, balanced, and partial work-from-home. This builds on our findings in the IT Talent Trends 2022 report.
What percentage of roles in IT are capable of being performed remotely permanently?
IT Talent Trends, 2022; n=207
80% of respondents estimated that 50 to 100% of IT roles can be performed remotely.
A virtual team is any team that has members that are not colocated and relies on technology for communications.
Before we start, it will be useful to review what we mean by the term “virtual team.” For our purposes we will be defining a virtual team as any team that has members that are not colocated and relies on technology for communications.
There are a wide variety of virtual work arrangements and a variety of terms used to describe them. For example, some common terms include:
Our definition of virtual work covers all of these terms. It is also distance neutral, meaning that it applies equally to teams that are dispersed globally or regionally or even those working in the same cities but dispersed throughout different buildings. Our definition also applies whether virtual employees work full time or part time.
The challenges facing managers arise as soon as some team members are not colocated and have to rely on technology to communicate and coordinate work. Greater distances between employees can complicate challenges (e.g. time zone coordination), but the core challenges of managing virtual teams are the same whether those workers are merely located in different buildings in the same city or in different buildings on different continents.
Working on your own, take five minutes to figure out what kind of virtual team you lead.
Download the Workbook: Equip Managers to Effectively Manage Virtual Teams
| Benefits to the organization | Benefits to employees |
|---|---|
| Operational continuity in disaster situations that prevent employees from coming into the office. | Cost savings: Employees who WFH half the time can save $2,500 to $4,000 per year (Global Workplace Analytics, 2021). |
| Cost savings: Organizations save ~$11,000 annually per employee working from home half the time (Global Workplace Analytics, 2021). | Time savings: Employees who WFH half the time save on average 11 workdays per year (Global Workplace Analytics, 2021). |
| Increased attraction: 71% of employees would likely choose one employer over another based on WFH offerings (Owl Labs, 2021). | Improved wellbeing: 83% of employees agree that WFH would make them happier. 80% agree that WFH would decrease their stress. 81% agree that WFH would improve their ability to manage their work-life balance. (Owl Labs, 2021) |
| Increased retention: 74% of employees would be less likely to leave their employer if they could WFH (Owl Labs, 2021). | Increased flexibility: 32% of employees rated the “ability to have a flexible schedule” as the biggest benefit of WFH (Owl Labs, 2021). |
| Increased productivity: 50% of employees report they would maintain or increase their productivity while working from home (Glassdoor Team, 2020). | |
| Increased engagement: Offsite employees tend to have higher overall engagement than onsite employees (McLean & Company Engagement Survey, 2020). | |
Remote work arrangements are becoming more and more common, and for good reason: there are a lot of benefits to the organization – and to employees.
Perhaps one of the most common reasons for opting for remote-work arrangements is the potential cost savings. One study found that organizations could save about $11,000 per employee working from home half the time (Global Workplace Analytics, 2021).
In addition, supporting remote-work arrangements can attract employees. One study found that 71% of employees would likely choose one employer over another based on WFH offerings (Owl Labs, 2019).
There are also improvements to productivity. Fifty percent of employees report they would maintain or increase their productivity while working from home (Glassdoor Team, 2020).
Remote work also has benefits to employees.
As with organizations, employees also benefit financially from remote work arrangements, saving between $2,500 and $4,000 and on average 11 working days while working from home half of the time.
Most employees agree that working from home makes them happier, reduces stress, and provides an improved work-life balance through increased flexibility.
Many of these barriers can be addressed by changing traditional mindsets and finding alternative ways of working, but the traditional approach to work is so entrenched that it has been hard to make the shift.
Many organizations are still grappling with the challenges of remote work. Some are just perceived challenges, while others are quite real.
Limited innovation and a lack of informal interaction are a potential consequence of failing to properly adapt to the remote-work environment.
Leaders also face challenges with remote work. Losing in-person supervision has led to a lack of trust and a perceived drop in productivity.
A study conducted in 2021 asked remote workers to identify their biggest struggle with working remotely. The top three struggles remote workers report facing are unplugging after work, loneliness, and collaborating and/or communicating.
Seeing the struggles remote workers identify is a good reminder that these employees have a unique set of challenges. They need their managers to help them set boundaries around their work; create feelings of connectedness to the organization, culture, and team; and be expert communicators.
Download the Workbook: Equip Managers to Effectively Manage Virtual Teams
Laying the foundations for a virtual team
| Inform | Interact | Involve |
|---|---|---|
| ↓ Down | Connect | ↑ Up |
| Tell employees the whys | Get to know employees | Solicit input from employees |
Effectively managing a virtual team really comes down to adopting management approaches that will engage virtual employees.
Managing a virtual team does not actually require a new management style. The basics of effective management are the same in both colocated and virtual teams; however, the emphasis on certain behaviors and actions we take often differs. Managing a virtual team requires much more thoughtfulness and planning in our everyday interactions with our teams as we cannot rely on the relative ease of face-to-face interactions available to colocated teams.
The 3i’s Engaging Management Model is useful when interacting with all employees and provides a handy framework for more planful interactions with virtual employees.
Think of your management responsibilities in these three buckets – they are the most important components of being an effective manager. We’re first going to look at inform and involve before moving on to interact.
Inform: Relay information down from senior management and leaders to employees. Communicate the rationale behind decisions and priorities, and always explain how they will directly affect employees.
Why is this important? According to McLean & Company’s Engagement Survey data, employees who say their managers keep them well informed about decisions that affect them are 3.4 times more likely to be engaged (Source: McLean & Company, 2020; N=77,363). Your first reaction to this might be “I already do this,” which may very well be the case. Keep in mind, though, we sometimes tend to communicate on a “need-to-know basis,” especially when we are stressed or short on time. Engaging employees takes more. Always focus on explaining the “why?” or the rationale behind business decisions.
It might seem like this domain should be the least affected, since important company announcements probably continue in a remote environment. But remember that information like that also flows informally. And even in formal settings, there are question-and-answer opportunities. Or maybe your employee might come to your office to ask for more details. Virtual team members can’t gather around the watercooler. They don’t have the same opportunities to hear information in passing as people who are colocated do, so managers need to make a concerted effort to share information with virtual team members in a clear and timely way.
Swinging over to the other end, we have involve: Involve your employees. Solicit information and feedback from employees and collaborate with them.
However, it’s not enough to just solicit their feedback and input; you also need to act on it.
Make sure you involve your employees in a meaningful way. Such collaboration makes employees feel like a valued part of the team. Not to mention that they often have information and perspectives that can help make your decisions stronger!
Employees who say their department leaders act on feedback from them are 3.9 times more likely to be engaged than those whose leaders don’t. (Source: McLean & Company, 2020; N=59,779). That is a huge difference!
Keeping virtual employees engaged and feeling connected and committed to the organization requires planful and regular application of the 3i’s model.
Finally, Interact: Connect with employees on a personal level; get to know them and understand who they are on a personal and professional level.
Why? Well, over and above the fact that it can be rewarding for you to build stronger relationships with your team, our data shows that human connection makes a significant difference with employees. Employees who believe their managers care about them as a person are 3.8 times more likely to be engaged than those who do not (Source: McLean & Company, 2017; N=70,927).
And you might find that in a remote environment, this is the area that suffers the most, since a lot of these interactions tend to be unscripted, unscheduled, and face to face.
Typically, if we weren’t in the midst of a pandemic, we’d emphasize the importance of allocating some budget to travel and get some face-to-face time with your staff. Meeting and interacting with team members face to face is crucial to building trusting relationships, and ultimately, an effective team, so given the context of our current circumstances, we recommend the use of video when interacting with your employees who are remote.
Relay information down from senior management to employees.
Ensure they’ve seen and understand any organization-wide communication.
Share any updates in a timely manner.
Connect with employees on a personal level.
Ask how they’re doing with the new work arrangement.
Express empathy for challenges (sick family member, COVID-19 diagnosis, etc.).
Ask how you can support them.
Schedule informal virtual coffee breaks a couple of times a week and talk about non-work topics.
Get information from employees and collaborate with them.
Invite their input (e.g. have a “winning remotely” brainstorming session).
Escalate any challenges you can’t address to your VP.
Give them as much autonomy over their work as possible – don’t micromanage.
Download the Workbook: Equip Managers to Effectively Manage Virtual Teams
Clear expectations are important in any environment, remote or not, but they are much harder to set in a remote environment. The barrier to seeking clarification is so much higher (for example, sending an email vs. catching someone in the hallway, and you can’t notice that a colleague is struggling unless they ask).
Communication – This is one area where the importance actually changes in a remote context. We’ve been talking about a lot of practices that are the same in importance whether you’re in an office or remote, and maybe you just enact them differently. But clarity around communication processes is actually tremendously more important in a remote environment.
Suggested best practices: Hold daily team check-ins and hold separate individual check-ins. Increase frequency of these.
With organizational expectations set, we need to establish team expectations around how we collaborate and communicate.
Today there is no lack of technology available to support our virtual communication. We can use the phone, conference calls, videoconferencing, Skype, instant messaging, [insert organization-specific technological tools.], etc.
However, it is important to have a common understanding of which tools are most appropriate when and for what.
What are some of the communication channel techniques you’ve found useful in your informal interactions with employees or that you’ve seen work well between employees?
[Have participants share any technological tools they find useful and why.]
Whenever we interact, we make the following kinds of social exchanges. We exchange:
We need to make sure that these exchanges are happening as each team member intends. To do this, we have to be sensitive to what information is being conveyed, what emotions are involved in the interaction, and how we are motivating each other to act through the interaction. Every interaction will have intended and unintended effects on others. No one can pay attention to all of these aspects of communication all the time, but if we develop habits that are conducive to successful exchanges in all three areas, we can become more effective.
In addition to being mindful of the exchange in our communication, as managers it is critical to build trusting relationships and rapport with employees as we saw in the 3i's model. However, in virtual teams we cannot rely on running into someone in the kitchen or hallway to have an informal conversation. We need to be thoughtful and deliberate in our interactions with employees. We need to find alternative ways to build these relationships with and between employees that are both easy and accepted by ourselves and employees. Because of that, it is important to set communication norms and really understand each other’s preferences. For example:
Section 2.1
Balancing wellbeing and performance in a virtual team context
44% of employees reported declined mental wellbeing since the start of the pandemic.
"If one of our colleagues were to fall, break their leg, and get a cast, colleagues would probably rally around that person signing their cast. But, really, we don’t view the health of our brain the same as we do the health of our body."
– Centre for Addiction and Mental Health (CAMH) Employee
Despite being over two years into the pandemic, we are still seeing its effect on the physical and mental health of employees.
The mental health aspect has often been overlooked by organizations, but in order to have a safe, happy, and productive team, you need to give mental health the same level of focus as physical health. This requires a change in mindset in order for you as a leader to support your team's mental wellbeing during the pandemic and beyond.
Employees report increasingly high levels of stress from the onset of COVID-19, stating that it has been the most stressful time in their careers.
(Qualtrics, 2020)
Similarly, employees’ anxiety levels have peaked because of the pandemic and the uncertainty it brings.
(Qualtrics, 2020)
The stress and uncertainty about the future caused by the pandemic and its fallout are posing the biggest challenges to employees.
Organizations shutting down operations, moving to fully remote, or requiring some of their employees to be on site based on the current situation causes a lot of anxiety as employees are not able to plan for what is coming next.
Adding in the loss of social networks and in-person interactions exacerbates the problem employees are facing. As leaders, it is your job to understand and mitigate these challenges wherever possible.
| New Barriers | Old Barriers |
|---|---|
Organizational barriers to mental wellbeing are sadly not new. Workloads, stigma around mental health, lack of sick days, and limits to benefits for mental health supports were challenges before the pandemic. Adding in the new barriers can very easily result in a tipping point for many employees who are simply not equipped to deal with or supported in dealing with the added burden of remote work in a post-pandemic world.
To provide the needed support to your employees, it’s important to be mindful of the key considerations.
The physical body; ensuring a person has the freedom, opportunities, and resources needed to sustainably maintain bodily health.
The psychological ability to cope with information, emotions, desires, and stressors (e.g. change, threats, etc.) in a healthy and balanced way. Essential for day-to-day living and functioning.
The state of personal and professional relationships, including personal and community engagement. The capability for genuine, authentic, and mutually affirming interactions with others.
The state of a person’s finances; ensuring that a person feels capable to handle their financial situation and behaviors. The ability to live productively without the weight of financial stress.
As a manager, you need to be mindful of all of these. Create an atmosphere where people are able to come to you for help if they are struggling in one of these areas. For example, some people might be more comfortable raising physical safety or comfort concerns (personal protective equipment, ergonomics) than concerns about mental health. Or they might feel like their feelings of loneliness are not appropriate to bring into their professional life.
Wellbeing is a delicate subject, and most of the time, people are reluctant to talk about it. It requires vulnerability. And here’s the thing about it: Your staff will not drive a change in your team around making these topics more acceptable. It has to be the manager. You have to be the one to not just tell but show them that it’s OK to talk about this.
As a leader, your focus should be on encouraging the right behaviors on your team and in yourself.
Show empathy; allowing room for emotion and showing you are willing and able to listen goes a long way to establishing trust.
A growth mindset applies to resilience too. A person with a growth mindset is more likely to believe that even though they’re struggling now, they will get through it.
Infuse fun – schedule social check-ins. This is not wasted time, or time off work – it is an integral part of the workday. We have less of it now organically, so you must bring it back deliberately. Remember that theme? We are deliberately reinfusing important organic elements into the workday.
The last item, empowerment, is interesting – being clear on accountability. Have clear performance expectations. It might sound like telling people what to do would be disempowering, but it’s the opposite. By clarifying the goals of what they need to achieve, you empower them to invent their own “how,” because you and they are both sure they will arrive at the place that you agreed on. We will talk more about this in performance management.
Emphasize the importance of wellbeing with what you do. If you do not model self-care behavior, people will follow what you do, not what you say.
Lead by example – Live the behaviors you want to see in your employees. If you show confidence, positivity, and resiliency, it will filter down to your team.
Encourage open communication – Have regular meetings where your team is able to set the agenda, or allow one-on-ones to be guided by the employee. Make sure these are scheduled and keep them a priority.
Acknowledge the situation – Pretending things are normal doesn’t help the situation. Talk about the stress that the team is facing and express confidence that you will get through it together.
Promote wellbeing – Take time off, don’t work when you’re sick, and you will be better able to support your team!
Reduce stigma – Call it out when you see it and be sure to remind people of and provide access to any supports that the organization has.
Going back to the idea of a growth mindset – this may be uncomfortable for you as a manager. So here’s a step-by-step guide that over time you can morph into your own style.
With your team – be prepared to share first and to show it is OK to be vulnerable and address wellbeing seriously.
As a leader, it is important to be on the lookout for warning signs of burnout and know when to step in and direct individuals to professional help.
Poor work performance – They struggle to maintain work performance, even after you’ve worked with them to create coping strategies.
Overwhelmed – They repeatedly tell you that they feel overwhelmed, very stressed, or physically unwell.
Frequent personal disclosure – They want to discuss their personal struggles at length on a regular basis.
Trouble sleeping and focusing – They tell you that they are not sleeping properly and are unable to focus on work.
Frequent time off – They feel the need to take time off more frequently.
Strained relationships – They have difficulty communicating effectively with coworkers; relationships are strained.
Substance abuse – They show signs of substance abuse (e.g. drunk/high while working, social media posts about drinking during the day).
Keeping an eye out for these signs and being able to step in before they become unmanageable can mean the difference between keeping and losing an employee experiencing burnout.
If you’ve got managers under you, be mindful of their unique stressors. Don’t forget to check in with them, too.
If you are a manager, remember to take care of yourself and check in with your own manager about your own wellbeing.
A survey indicated that, overall, remote employees showed less satisfaction with manager interactions compared to other non-remote employees.
In many cases, we have put people into virtual roles because they are self-directed and self-motivated workers who can thrive with the kind of autonomy and flexibility that comes with virtual work. As managers, we should expect many of these workers to be proactively interested in how they are performing and in developing their careers.
It would be a mistake to take a hands-off approach when managing virtual workers. A recent survey indicated that, overall, remote employees showed less satisfaction with manager interactions compared to other non-remote employees. It was also one of the aspects of their work experience they were least satisfied with overall (Gallup, State of the American Workplace, 2017). Simply put, virtual employees are craving more meaningful conversations with their managers.
While conversations about performance and development are important for all employees (virtual or non-virtual), managers of remote teams can have a significant positive impact on their virtual employees’ experience and engagement at work by making efforts to improve their involvement and support in these areas.
During this module we will work together to identify ways that each of us can improve how we manage the performance of our virtual employees. At the end of the module everyone will create an action plan that they can put in place with their own teams. In the next module, we go through a similar set of activities to create an action plan for our interactions with employees about their development.
[Include a visualization of your existing performance management process in the slide. Walk the participants through the process to remind them of what is expected. While the managers participating in the training should know this, there may be different understandings of it, or it might just be the case that it’s been a while since people looked at the official process. The intention here is merely to ensure everyone is on the same page for the purposes of the activities that follow.]
Now that we’ve reviewed performance management at a high level, let’s dive into what is currently happening with the performance management of virtual teams.
I know that you have some fairly extensive material at your organization around how to manage performance. This is fantastic. And we’re going to focus mainly on how things change in a virtual context.
When measuring progress, how do you as a manager make sure that you are comfortable not seeing your team physically at their desks? This is the biggest challenge for remote managers.
When assisting your employees with their goals, think about the organization’s overall mission and goals to help you determine team and individual goals.
Sometimes it’s difficult to get employees thinking about goals and they need assistance from managers. It’s also important to be clear on team goals to help guide employees in setting individual ones.
The basic idea is to show people how their individual day-to-day work contributes to the overall success of the organization. It gives them a sense of purpose and a rationale, which translates to motivation. It also helps them problem solve with more autonomy.
You’re giving people a sense of the importance of their own contribution.
Tailor performance goals to address any root causes of poor performance.
For example:
Focus on results: Be flexible about how and when work gets done, as long as team members are hitting their targets.
Encourage your team members to unplug: If they’re sending you emails late at night and they haven’t made an alternate work hours agreement with you, encourage them to take time away from work.
How well tasks are accomplished
Related to specific employee actions, skills, or attitudes
How much work gets done
Holistic measures demonstrate all the components required for optimal performance. This is the biggest driver in having comfort as a manager of a remote team and avoiding micromanagement. Typically these are set at the organizational level. You may need to adjust for individual roles, etc.
Metrics come in different types. One way to ensure your metrics capture the full picture is to use a mix of different kinds of metrics.
Some metrics are quantitative: they describe quantifiable or numerical aspects of the goal. This includes timeliness. On the other hand, qualitative metrics have to do with the final outcome or product. And behavioral metrics have to do with employees' actions, skills, or attitudes. Using different kinds of metrics together helps you set holistic measures, which capture all the components of optimal performance toward your goal and prevent gaming the system.
Let's take an example:
A courier might have an objective to do a good job delivering packages. An example of a quantitative measure might be that the courier is required to deliver X number of packages per day on time. The accompanying metrics would be the number of packages delivered per day and the ratio of packages delivered on time vs. late.
Can you see a problem if we use only these quantitative measures to evaluate the courier's performance?
[Wait to see if anyone volunteers an answer. Discuss suggestions.]
That's right, if the courier's only goal is to deliver more packages, they might start to rush, may ruin the packages, and may offer poor customer service. We can help to guard against this by implementing qualitative and behavioral measures as well. For example, a qualitative measure might be that the courier is required to deliver the packages in mint condition. And the metric would be the number of customer complaints about damaged packages or ratings on a satisfaction survey related to package condition.
For the behavioral aspect, the courier might be required to provide customer-centric service with a positive attitude. The metrics could be ratings on customer satisfaction surveys related to the courier's demeanor or observations by the manager.
It’s crucial to acknowledge that an employee might have an “off week” or need time to balance work and life – things that can be addressed with performance management (PM) techniques. Managers should move into the process for performance improvement when:
There are a few best practices you should follow when having performance conversations:
Always use video calls instead of phone calls when possible so that you don’t lose physical cues and body language.
Adding HR/your leader to a meeting invite about performance may cause undue stress. Think through who needs to participate and whether they need to be included in the invite itself.
Ensure there are no misunderstandings by setting context for each discussion and having the employee reiterate the takeaways back to you.
Don’t assume the intent behind the behavior(s) being discussed. Instead, just focus on the behavior itself.
Be sure to adhere to any relevant HR policies and support systems. Working with HR throughout the process will ensure none are overlooked.
As we have seen, our virtual employees crave more meaningful interactions with their managers. In addition to performance conversations, managers should also be having regular discussions with their employees about their employee development plans. One key component of these discussions is career planning. Whether you are thinking shorter term – how to become better at their current role – or longer term – how to advance beyond their current role – discussions about employee development are a great way to engage employees. Employees are ultimately responsible for creating and executing their own development plans, but managers are responsible for making sure that employees have thought through these plans and helping employees identify opportunities for executing those plans.
To help us think about our own employee development practices, identify challenges they pose when working with virtual employees, and create solutions to these challenges, it is useful to think about employee development opportunities according to three types:
According to McLean & Company, organizations should use the “70-20-10” rule as a rough guideline when working with employees to create their development plans: 10% of the plan should be dedicated to formal training opportunities, 20% to relational learning, and 70% to experiential learning. Managers should work with employees to identify their performance and career goals, ensure that their development plans are aligned with these goals, and include an appropriate mixture of all three kinds of development opportunities.
To help identify challenges and solutions, think about how virtual work arrangements will impact the employee’s ability to leverage each type of opportunity at our organization.
Here are some examples that can help us start thinking about the kinds of challenges virtual employees on our team face:
Now that we have considered some general examples of challenges and solutions, let’s look at our own employee development practices and think about the practical steps we can take as managers to improve employee development for our virtual employees.
[Customize this slide according to your organization’s own policies and processes for employee development. Provide useful images that outline this on the slide, and in these notes describe the processes/policies that are in place. Note: In some cases policies or processes may not be designed with virtual employees or virtual teams in mind. That is okay for the purposes of this training module. In the following activities participants will discuss how they apply these policies and processes with their virtual teams. If your organization is interested in adapting its policies/processes to better support virtual workers, it may be useful to record those conversations to supplement existing policies later.]
First, let’s take a moment to summarize the key things we have learned today:
Is there anything that anyone has learned that is not on this list and that they would like to share with the group?
Finally, were there any challenges identified today that were not addressed?
[Note to facilitator: Take note of any challenges not addressed and commit to getting back to the participants with some suggested solutions.]
Train managers to navigate the interpersonal challenges associated with change management and develop their communication and leadership skills. Upload this LMS module into your learning management system to enable online training.
Management skills training is needed, but organizations are struggling to provide training that makes a long-term difference in the skills managers use in their day to day.
Many training programs are ineffective because they offer the wrong content, deliver it in a way that is not memorable, and are not aligned with the IT department’s business objectives.
Assess and improve remote work performance with our ready-to-use tools.
April, Richard. “10 KPIs Every Sales Manager Should Measure in 2019.” HubSpot, 24 June 2019. Web.
Banerjea, Peter. “5 Powerful Strategies for Managing a Remote Sales Team.” Badger - Maps for field sales, n.d. Web.
Bibby, Adrianne. “5 Employers’ Awesome Quotes about Work Flexibility.” FlexJobs, 9 January 2017. Web.
Brogie, Frank. “The 14 KPIs every field sales rep should strive to improve.” Repsly, 2018. Web.
Dunn, Julie. “5 smart tips for leading field sales teams.” LevelEleven, March 2015. Web.
Edinger, Scott. “How great sales leaders coach.” Forbes, 2013. Web.
“Employee Outlook: Employee Views on Working Life.” CIPD, April 2016. Web.
Hall, Becki. “The 5 biggest challenges facing remote workers (and how to solve them).” interact, 7 July 2017. Web.
Hofstede, Geert. “National Cultural Dimensions.” Hofstede Insights, 2012. Web.
“Inventory of U.S. Greenhouse Gas Emissions and Sinks: 1990-2014 (EPA 430-R-16-002).” Environmental Protection Agency (EPA), 15 April 2016.
“Latest Telecommuting Statistics.” Global Workplace Analytics, June 2021. Web.
Knight, Rebecca. “How to manage remote direct reports.” Harvard Business Review, 2015. Web.
“Rewards and Recognition: 5 ways to show remote worker appreciation.” FurstPerson, 2019. Web.
Palay, Jonathan. "How to build your sales management cadence." CommercialTribe, 22 March 2018. Web.
“Sales Activity Management Matrix.” Asian Sales Guru, 2019. Web.
Smith, Simone. “9 Things to Consider When Recognizing Remote Employees.” hppy, 2018. Web.
“State of Remote Work 2017.” OWL Labs, 2021. Web.
“State of the American Workplace.” Gallup, 2017. Web.
“Telework Savings Potential.” Global Workplace Analytics, June 2021. Web.
“The Future of Jobs Employment Trends.” World Economic Forum, 2016. Web.
“The other COVID-19 crisis: Mental health.” Qualtrics, 14 April 2020. Web.
Thompson, Dan. “The straightforward truth about effective sales leadership.” Sales Hacker, 2017. Web.
Tsipursky, Gleb. “Remote Work Can Be Better for Innovation Than In-Person Meetings.” Scientific American, 14 Oct. 2021. Web.
Walsh, Kim. “New sales manager? Follow this guide to crush your first quarter.” HubSpot, May 2019. Web.
“What Leaders Need to Know about Remote Workers: Surprising Differences in Workplace Happiness and Relationships.” TINYpulse, 2016.
Zenger, Jack, and Joe Folkman. “Feedback: The Leadership Conundrum.” Talent Quarterly: The Feedback Issue, 2015.
Anonymous CAMH Employee
Despite the universally agreed-upon benefit of formulating a coherent strategy, several obstacles make execution difficult:
A cloud strategy might seem like a big project, but it’s just a series of smaller conversations. The methodology presented here is designed to facilitate those conversations, using a curated list of topics, prompts, participant lists, and sample outcomes. We have divided the strategy into four key areas:
This storyboard comprises four phases, covering mission and vision, people, governance, and technology, and how each of these areas requires forethought when migrating to the cloud.
Each section of Document Your Cloud Strategy corresponds to a section in the document template. Once you’ve completed each exercise, you can record your results in the document template, leaving you with an artifact you can share with stakeholders.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand and document your cloud vision and its alignment with your other strategic priorities.
A complete understanding of your strategy, vision, alignment, and a list of success metrics that will help you find your way.
1.1 Record your cloud mission and vision.
1.2 Document your cloud strategy’s alignment with other strategic plans.
1.3 Record your cloud guiding principles.
Documented strategy, vision, and alignment.
Defined success metrics.
Define how people, skills, and roles will contribute to the broader cloud strategy.
Sections of the strategy that highlight skills, roles, culture, adoption, and the creation of a governance body.
2.1 Outline your skills and roles strategy.
2.2 Document your approach to culture and adoption.
2.3 Create a cloud governing body.
Documented people strategy.
This section facilitates governance in the cloud, developing principles that apply to architecture, integration, finance management, and more.
Sections of the strategy that define governance principles.
3.1 Conduct discussion on architecture.
3.2 Conduct discussion on integration and interoperability.
3.3 Conduct discussion on operations management.
3.4 Conduct discussion on cloud portfolio management.
3.5 Conduct discussion on cloud vendor management.
3.6 Conduct discussion on finance management.
3.7 Conduct discussion on security.
3.8 Conduct discussion on data controls.
Documented cloud governance strategy.
Creation of a formal cloud strategy relating to technology around provisioning, monitoring, and migration.
Completed strategy sections of the document that cover technology areas.
4.1 Formalize organizational approach to monitoring.
4.2 Document provisioning process.
4.3 Outline migration processes and procedures.
Documented cloud technology strategy.
Moving to the cloud is a big, scary transition, like moving from gas-powered to electric cars, or from cable to streaming, or even from the office to working from home. There are some undeniable benefits, but we must reorient our lives a bit to accommodate those changes, and the results aren’t always one-for-one. A strategy helps you make decisions about your future direction and how you should respond to changes and challenges. In Document Your Cloud Strategy we hope to help you accomplish just that: clarifying your overall mission and vision (as it relates to the cloud) and helping you develop an approach to changes in technology, people management, and, of course, governance. The cloud is not a panacea. Taken on its own, it will not solve your problems. But it can be an important tool in your IT toolkit, and you should aim to make the best use of it – whatever “best” happens to mean for you.
Jeremy Roberts
Research Director, Infrastructure and Operations
Info-Tech Research Group
The cloud is multifaceted. It can be complicated. It can be expensive. Everyone has an opinion on the best way to proceed – and in many cases has already begun the process without bothering to get clearance from IT. The core challenge is creating a coherent strategy to facilitate your overall goals while making the best use of cloud technology, your financial resources, and your people.
The answers might be different, but the questions are the same
Every organization will approach the cloud differently, but they all need to ask the same questions: When will we use the cloud? What forms will our cloud usage take? How will we manage governance? What will we do about people? How will we incorporate new technology into our environment? The answers to these questions are as numerous as there are people to answer them, but the questions must be asked.
Grappling with a cloud strategy is a top initiative: 43% of respondents report progressing on a cloud-first strategy as a top cloud initiative.
A document providing a systematic overview of cloud services, their appropriate use, and the steps that an organization will take to maximize value and minimize risk.
[Diagram: Define Your Cloud Vision → Vision and alignment → Technology, Governance, People]
Your cloud strategy will comprise the elements listed under “vision and alignment,” “technology,” “governance,” and “people.” The Info-Tech methodology involves breaking the strategy down into subcomponents and going through a three-step process for each one. Start by reviewing a standard set of questions and understanding the goal of the exercise: What do we need to know? What are some common considerations and best practices? Once you’ve had a chance to review, discuss your current state and any gaps: What has been done? What still needs to be done? Finally, outline how you plan to go forward: What are your next steps? Who needs to be involved?
 | 1. Document your vision and alignment | 2. Record your people strategy | 3. Document governance principles | 4. Formalize your technology strategy |
---|---|---|---|---|
Phase Steps | | | Document official organizational positions in these governance areas: | |
Phase Outcomes | Documented strategy: vision and alignment | Documented people strategy | Documented cloud governance strategy | Documented cloud technology strategy |
Separate strategy from tactics
Separate strategy from tactics! A strategy requires building out the framework for ongoing decision making. It is meant to be high level and achieve a large goal. The outcome of a strategy is often a sense of commitment to the goal and better communication on the topic.
The cloud does not exist in a vacuum
Your cloud strategy flows from your cloud vision and should align with the broader IT strategy. It is also part of a pantheon of strategies and should exist harmoniously with other strategies – data, security, etc.
People problems needn’t preponderate
The cloud doesn’t have to be a great disruptor. If you handle the transition well, you can focus your people on doing more valuable work – and this is generally engaging.
Governance is a means to an end
Governing your deployment for its own sake will only frustrate your end users. Articulate the benefits users and the organization can expect to see and you’re more likely to receive the necessary buy-in.
Technology isn’t a panacea
Technology won’t solve all your problems. Technology is a force multiplier, but you will still have to design processes and train your people to fully leverage it.
Cloud Strategy Document template
Inconsistency and informality are the enemies of efficiency. Capture the results of the cloud strategy generation exercises in the Cloud Strategy Document template.
IT benefits |
Business benefits |
---|---|
|
|
8.8/10 Average reported satisfaction
13 Days Average reported time savings
$46,499 Average cost savings
INDUSTRY: Pharmaceuticals
SOURCE: Info-Tech workshop
The unnamed pharmaceutical company that is the subject of this case study was looking to make the transition to the cloud. In the absence of a coherent strategy, the organization had a few cloud deployments with no easily discernible overall approach. Representatives of several distinct functions (legal, infrastructure, data, etc.) all had opinions on the uses and abuses of cloud services, but it had been difficult to round everyone up and have the necessary conversations. As a result, the strategy exercise had not proceeded in a speedy or well-governed way. This lack of strategic readiness presented a roadblock to moving forward with the cloud strategy and to working with the cloud implementation partner tasked with execution.
Results
The company engaged Info-Tech for a four-day workshop on cloud strategy documentation. Over the course of four days, participants drawn from across the organization discussed the strategic components and generated consensus statements and next steps. The team was able to formalize the cloud strategy and described the experience as saving 10 days.
Example output: Document your cloud strategy workshop exercise
For anything in green, the team was reasonably sure it had good alignment and next steps. Items flagged yellow warranted more discussion and were not ready for documentation.
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Document your vision and alignment | Record your people strategy | Document governance principles | Formalize your technology strategy |
---|---|---|---|
Call #1: Review existing vision/strategy documentation. | Call #2: Review progress on skills, roles, and governance bodies. | Call #3: Work through integration, architecture, finance management, etc. based on reqs. (May be more than one call.) | Call #4: Discuss challenges with monitoring, provisioning, and migration as needed. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 4 to 6 calls over the course of 1 to 3 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
 | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
---|---|---|---|---|---|
 | Answer | Define the | Assess the IT | Bridge the gap and | Next steps and |
Activities | 1.1 Introduction 1.2 Discuss cloud mission and vision 1.3 Discuss alignment with other strategic plans 1.4 Discuss guiding principles 1.5 Define success metrics | 2.1 Discuss skills and roles 2.2 Review culture and adoption 2.3 Discuss a cloud governing body 2.4 Review architecture position 2.5 Discuss integration and interoperability | 3.1 Discuss cloud operations management 3.2 Review cloud portfolio management 3.3 Discuss cloud vendor management 3.4 Discuss cloud finance management 3.5 Discuss cloud security | 4.1 Review and formalize data controls 4.2 Design a monitoring approach 4.3 Document the workload provisioning process 4.4 Outline migration processes and procedures | 5.1 Populate the Cloud Strategy Document |
Deliverables | Formalized cloud mission and vision, along with alignment with strategic plans, guiding principles, and success metrics | Position statement on skills and roles, culture and adoption, governing bodies, architecture, and integration/interoperability | Position statements on cloud operations management, portfolio management, vendor management, finance management, and cloud security | Position statements on data controls, monitoring, provisioning, and migration | Completed Cloud Strategy Document |
Phase 1 | Phase 2 | Phase 3 | Phase 4 |
---|---|---|---|
1.1 Document your mission and vision 1.2 Document alignment to other strategic plans 1.3 Document guiding principles 1.4 Document success metrics | 2.1 Define approach to skills and roles 2.2 Define approach to culture and adoption 2.3 Define cloud governing bodies | 3.1 Define architecture direction 3.2 Define integration approach 3.3 Define operations management process 3.4 Define portfolio management direction 3.5 Define vendor management direction 3.6 Document finance management tactics 3.7 Define approach to cloud security 3.8 Define data controls in the cloud | 4.1 Define cloud monitoring strategy 4.2 Define cloud provisioning strategy 4.3 Define cloud migration strategy |
This phase will walk you through the following activities:
This phase has the following outcome:
Before formally documenting your cloud strategy, you should ensure that you have a good understanding of your overall cloud vision. How do you plan to leverage the cloud? What goals are you looking to accomplish? How will you distribute your workloads between different cloud service models (SaaS, PaaS, IaaS)? What will your preferred delivery model be (public, private, hybrid)? Will you support your cloud deployment internally or use the services of various consultants or managed service providers?
The answers to these questions will inform the first section of your cloud strategy. If you haven’t put much thought into this or think you could use a deep dive on the fundamentals of your cloud vision and cloud archetypes, consider reviewing Define Your Cloud Vision, the companion blueprint to this one.
Once you understand your cloud vision and what you’re trying to accomplish with your cloud strategy, this phase will walk you through aligning the strategy with other strategic initiatives. What decisions have others made that will impact the cloud strategy (or that the cloud strategy will impact)? Who must be involved/informed? What callouts must be involved at what point? Do users have access to the appropriate strategic documentation (and would they understand it if they did)?
You must also capture some guiding principles. A strategy by its nature provides direction, helping readers understand the decisions they should make and why those decisions align with organizational interests. Creating some top-level principles is a useful exercise because those principles facilitate comprehension and ensure the strategy’s applicability.
Finally, this phase will walk you through the process of measuring success. Once you know where you’d like to go, the principles that underpin your direction, and how your cloud strategy figures into the broader strategic pantheon, you should record what success actually means. If you’re looking to save money, overall cost should be a metric you track. If the cloud is all about productivity, generate appropriate productivity metrics. If you’re looking to expand into new technology or close a datacenter, you will need to track output specific to those overall goals.
The overall organizational mission is a key foundational element of the cloud strategy. If you don’t understand where you’re going, how can you begin the journey to get there? This section of the strategy has four key parts that you should understand and incorporate into the beginning of the strategy document. If you haven’t already, review Define Your Cloud Vision for instructions on how to generate these elements.
1. Cloud vision statement: This is a succinct encapsulation of your overall perspective on the suitability of cloud services for your environment – what you hope to accomplish. The ideal statement includes a scope (who/what does the strategy impact?), a goal (what will it accomplish?), and a key differentiator (what will make it happen?). This is an example: “[Organization] will leverage public cloud solutions and retire existing datacenter and colocation facilities. This transition will simplify infrastructure administration, support and security, while modernizing legacy infrastructure and reducing the need for additional capital expenditure.” You might also consider reviewing your overall cloud archetype (next slide) and including the output of that exercise in the document.
2. Service model decision framework: Services can be provided as software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), or they can be colocated or remain on premises. Not all cloud service models serve the same purpose or provide equal value in all circumstances. Understanding how you plan to take advantage of these distinct service models is an important component of the cloud strategy. In this section of the strategy, a rubric that captures the characteristics of the ideal workload for each of the named service models, along with some justification for the selection, is essential. This is a core component of Define Your Cloud Vision, and if you would like to analyze individual workloads, you can use the Cloud Vision Workbook for that purpose.
3. Delivery model decision framework: Just as there are different cloud service models that have unique value propositions, there are several unique cloud delivery models as well, distinguished by ownership, operation, and customer base. Public clouds are the purview of third-party providers who make them available to paying customers. Private clouds are built for the exclusive use of a designated organization or group of organizations with internal clients to serve. Hybrid clouds involve the use of multiple, interoperable delivery models (interoperability is the key term here), while multi-cloud deployment models incorporate multiple delivery and service models into a single coherent strategy. What will your preferred delivery model be? Why?
4. Support model decision framework: Once you have a service model nailed down and understand how you will execute on the delivery, the question then becomes about how you will support your cloud deployment going forward. Broadly speaking, you can choose to manage your deployment in house using internal resources (e.g. staff), to use managed service providers for ongoing support, or to hire consultants to handle specific projects/tasks. Each approach has its strengths and weaknesses, and many cloud customers will deploy multiple support models across time and different workloads. A foundational perspective on the support model is a key component of the cloud vision and should appear early in the strategy.
Once you understand the value of the cloud, your workloads’ general suitability for the cloud, and your proposed risks and mitigations, the next step is to define your cloud archetype. Your organization’s cloud archetype is the strategic posture that IT adopts to best support the organization’s goals. Info-Tech’s model recognizes seven archetypes, divided into three high-level archetypes. After consultation with your stakeholders, and based on the results of the suitability and risk assessment activities, define your archetype. The archetype feeds into the overall cloud vision and provides simple insight into the cloud future state for all stakeholders. The cloud vision itself is captured in a “vision statement,” a short summary of the overall approach that includes the overall cloud archetype.
 | | We can best support the organization’s goals by: |
---|---|---|
Cloud-Focused | Cloud-Centric | Providing all workloads through cloud delivery. |
 | Cloud-First | Using the cloud as our default deployment model. For each workload, we should ask “why NOT cloud?” |
Cloud-Opportunistic | Hybrid | Enabling the ability to transition seamlessly between on-premises and cloud resources for many workloads. |
 | Integrated | Combining cloud and traditional infrastructure resources, integrating data and applications through APIs or middleware. |
 | Split | Using the cloud for some workloads and traditional infrastructure resources for others. |
Cloud-Averse | Cloud-Light | Using traditional infrastructure resources and limiting our use of the cloud to when it is absolutely necessary. |
 | Anti-Cloud | Using traditional infrastructure resources and avoiding the use of cloud wherever possible. |
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand the drivers for your product transformation.
Define the drivers for your transition to product-centric delivery.
1.1 What is driving your organization to become product focused?
List of challenges and drivers
Understand the product transformation journey and differences.
Identify the cultural, behavioral, and leadership changes needed for a successful transformation.
2.1 Define the differences between projects and product delivery
List of differences
Understand why smaller iterations increase value realization and decrease accumulated risk.
Leverage smaller iterations to reduce time to value and accumulated risk to core operations.
3.1 What is business agility?
Common understanding about the value of smaller iterations
Establish an organizational starting definition of products.
Tailor product management to meet the needs and vision of your organization.
4.1 What is a product? Who are your consumers?
4.2 Identify enablers and blockers of product ownership
4.3 Define a set of guiding principles for product management
Product definition
List of enablers and blockers of product ownership
Set of guiding principles for product management
Understand the relationship between product management and product delivery.
Optimize product management to prioritize the right changes for the right people at the right time.
5.1 Discussions
Common understanding
Personalize and commit to supporting product teams.
Embrace leadership and cultural changes needed to empower and support teams.
6.1 Your management culture
6.2 Personal Cultural Stop, Start, and Continue
6.3 Now, Next, Later to support product owners
Your management culture map
Personal Cultural Stop, Start, and Continue list
Now, Next, Later roadmap
To develop a common understanding and foundation for product management so we, as leaders, better understand how to lead product owners, product managers, and their teams.
Learn how enterprise agility can provide lasting value to the organization
Repeat workshops with different companies, operating units, departments, or teams as needed.
We WILL ENGAGE in discussions and activities:
This workshop will NOT be:
Facilitators
Participants
Your Challenge
Common Obstacles
Info-Tech's Approach
Info-Tech's approach will guide you through:
Capture in the Enable Product Delivery – Executive Leadership Workshop Outcomes and Next Steps.
Project Delivery | vs | Product Delivery |
---|---|---|
Point in time | What is changed | |
Method of funding changes | Needs an owner | |
Project | | | Product |
---|---|---|---|
Fund Projects | Funding | → | Fund Products or Teams |
Line of Business Sponsor | Prioritization | → | Product Owner |
Makes Specific Changes | Product Management | → | Improve Product Maturity |
Assign People to Work | Work Allocation | → | Assign Work |
Project Manager Manages | Capacity Management | → | Team Manages Capacity |
Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that support improving end user value and enterprise alignment.
Regardless of whether you recognize yourself as a "product-based" or "project-based" shop, the same basic principles should apply.
You go through a period or periods of project-like development to build a version of an application or product.
You also have parallel services along with your project development, which encompass the more product-based view. These may range from basic support and maintenance to full-fledged strategy teams or services like sales and marketing.
In Deliver on Your Digital Product Vision, we demonstrate how the product roadmap is core to value realization. The product roadmap is your communicated path, and as a product owner, you use it to align teams and changes to your defined goals while aligning your product to enterprise goals and strategy.
Adapted from: Pichler, "What Is Product Management?"
The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Review previous communications to prepare for your first day.
Understand how the business operates and develop meaningful relationships with your sphere of influence.
Inventory company assets to know what to protect.
Evaluate the security posture of the organization by leveraging Info-Tech’s IT Security diagnostic program.
Communicate your security vision to business stakeholders.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Read our concise Executive Brief to find out how you can reduce your IT cost in the short term while establishing a foundation for long-term sustainment of IT cost containment.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand how the basic operational framework of CLM will ensure cost savings, improved collaboration, and constant CLM improvement.
Understand the two phases of CLM and the ten stages that make up the entire process.
Identify current CLM processes.
Learn the CLM operational framework.
Documented overview of current processes and stakeholders.
1.1 Review and capture your current process.
1.2 Identify current stakeholders.
1.3 Learn the operational framework of CLM.
1.4 Identify current process gaps.
Existing CLM Process Worksheet
Dive into the two phases of CLM and the ten stages of a robust system.
A deep understanding of the required components/stages of a CLM system.
2.1 Understand the two phases of CLM.
2.2 Learn the ten stages of CLM.
2.3 Assess your CLM maturity state.
2.4 Identify and assign stakeholders.
CLM Maturity Assessment
CLM RASCI Diagram
"Contract lifecycle management (CLM) is a vital process for small and enterprise organizations alike. Research shows that all organizations can benefit from a contract management process, whether they have as few as 25 contracts or especially if they have contracts numbering in the hundreds.
A CLM system will:
If you’re not managing your contracts, you aren’t capitalizing on your investment with your vendors and are potentially exposing your organization to contract and monetary risk."
- Ted Walker
Principal Research Advisor, Vendor Management Practice
Info-Tech Research Group
FIS’ business groups were isolated across the organization and used different agreements, making contract creation a long, difficult, and manual process.
The Solution: Automating and Streamlining the Contract Management Process
A robust CLM system solved FIS’ various contract management needs while also providing a solution that could expand into full quote-to-cash in the future.
Dollars Saved | Upfront dollars saved |
---|---|
Time Saved | Time saved, which can be done in several areas |
Pitfalls Avoided | Number of pitfalls found and avoided, such as |
of companies can’t locate up to 10% of their contracts.
Source: TechnologyAdvice, 2019
of companies’ annual revenue is lost because of poor contract management practices.
Source: IACCM, 2019
still track contracts in shared drives or email folders.
Source: “State of Contract Management,” SpringCM, 2018
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
 | 1. Master the Operational Framework | 2. Understand the Ten Stages of CLM |
---|---|---|
Best-Practice Toolkit | 1.1 Understand the operational framework components. 1.2 Review your current framework. 1.3 Create a plan to implement or enhance existing processes. | 2.1 Understand the ten stages of CLM. 2.2 Review and document your current processes. 2.3 Review RASCI chart and assign internal ownership. 2.4 Create an improvement plan. 2.5 Track changes for measurable ROI. |
Guided Implementations | | |
Onsite Workshop | Module 1: Review and Learn the Basics | Module 2 Results: |
 | Phase 1 Outcome: | Phase 2 Outcome: |
Contact your account representative or email Workshops@InfoTech.com for more information.
 | Workshop Day 1 | Workshop Day 2 |
---|---|---|
Activities | Task – Review and Learn the Basics | Task – Learn More and Plan |
 | 1.1 Review and capture your current process. 1.2 Identify current stakeholders. 1.3 Learn the operational framework of contract lifecycle management. 1.4 Identify current process gaps. | 2.1 Understand the two phases of CLM. 2.2 Learn the ten stages of CLM. 2.3 Assess your CLM maturity. 2.4 Identify and assign stakeholders. 2.5 Discuss ROI. 2.6 Summarize and next steps. |
Deliverables | | |
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Guided Implementation 1: Master the Operational Framework of Contract Lifecycle Management | ||
---|---|---|
Step 1.1: Document your Current CLM Process | Step 1.2: Read and Understand the Operational Framework | Step 1.3: Review Solution Options |
Start with an analyst kick-off call: | Review findings with analyst: | Finalize phase deliverable: |
Then complete these activities… | ||
With these tools & templates: | ||
Phase 1 Results: | ||
That’s where contract lifecycle management (CLM) comes in.
Putting a contract manager in place to manage the CLM project will accelerate the improvements and provide faster returns to the organizations. Reference Info-Tech’s Contract Manager Job Description template as needed.
Paper is still alive and doing very well at slowing down the many stages of the contract process.
Most organizations analyze their contracts in two ways:
This is the ultimate goal of a robust contract management system!
Goal: Document your existing CLM processes (if any) and who owns them, who manages them, etc.
Interview internal business unit decision makers, stakeholders, Finance, Legal, CIO, VMO, Sales, and/or Procurement to understand what’s currently in place.
Guided Implementation 2: Understand the Ten Stages of Contract Lifecycle Management Proposed Time to Completion: 1-10 weeks | |
---|---|
Step 2.1: Assess CLM Maturity | Step 2.2: Complete a RASCI Diagram |
Start with an analyst kick-off call: | Review findings with analyst: |
Then complete these activities… | Then complete these activities… |
With these tools & templates: | With these tools & templates: |
Phase 2 Results & Insights: | |
The steps are divided into two phases, pre-execution and post-execution.
Contract lifecycle management begins with the contract requesting process, where one party requests or initiates the contracting process and subsequently uses that information for drafting or authoring the contract document. This is usually the first step in CLM.
Requests for contracts can come from various sources:
At this stage, you need to validate if a non-disclosure agreement (NDA) is currently in place with the other party or is required before moving forward. At times, adequate NDA components could be included within the contract or agreement to satisfy corporate confidentiality requirements.
For a comprehensive list of terms and conditions, see our Software Terms & Conditions Evaluation Tool within Master Contract Review and Negotiation for Software Agreements.
The importance of risk review cannot be overstated. The contract or agreement must be reviewed by several stakeholders who can identify risks to the organization within the contract.
Collectively, this is known as contract visibility.
The approval stage can be a short process if policies and procedures are already in place. Most organizations will have defined delegation of authority or approval authority depending on risk, value of the contract, and other corporate considerations.
Saving the different versions of a contract during negotiations will save time, provide reassurance of agreed terms as you move through the process, and provide reference for future negotiations with the vendor.
Process flow provisions should be made for potential rejection of the contract by signatories, looping the contract back to the appropriate stage for rework or revision.
Most repositories are some type of database:
Several important features of an electronic repository should be considered:
Establishing an effective repository will be key to providing measurable value to the organization and saving large amounts of time for the business unit.
Planning for future needs by investing a little more money into a better, more robust repository could pay bigger dividends to the VMO and organization while providing a higher ROI over time as advanced functionality is deployed.
Additional optimization tactics:
Use the CLM Maturity Assessment Tool to outline where your organization is at each stage of the process.
Goal: Identify and measure your existing CLM processes, if any, and provide a maturity value to each stage. The resulting scores will provide a maturity assessment of your CLM.
Goal: Identify who in your organization is primarily accountable and involved in each stage of the CLM process.
Engage internal business unit decision makers, stakeholders, Finance, Legal, CIO, VMO, Sales, and Procurement as required to validate who should be involved in each stage.
Decision-maker concerns arise from a common misunderstanding – that is, a fundamental failure to appreciate the true source of contract management value. This misunderstanding goes back many years to the time when analysts first started to take an interest in contract management and its automation. Their limited experience (primarily in retail and manufacturing sectors) led them to think of contract management as essentially an administrative function, primarily focused on procurement of goods. In such environments, the purpose of automation is focused on internal efficiency, augmented by the possibility of savings from reduced errors (e.g. failing to spot a renewal or expiry date) or compliance (ensuring use of standard terms).
Today’s CLM systems and processes can provide ROI in several areas in the business.
Research on ROI of CLM software shows significant hard cost savings to an organization. For example, a $10 million company with 300 contracts valued at $3 million could realize savings of $83,400 and avoid up to $460,000 in lost revenues. (Derived from: ACCDocket, 2018)
This is an often-discussed question. Research suggests that there is no definitive answer, as there are several variables.
Organizations need to review what makes the best business sense for them based on several considerations and then decide where CLM belongs.
35% of law professionals feel contract management is a legal responsibility, while 45% feel it’s a business responsibility and a final 20% are unsure where it belongs. (Source: “10 Eye-Popping Contract Management Statistics,” Apttus, 2018)
This too is a difficult question to answer definitively. Again, there are several variables to consider. As well, several solutions are available, and this is not a one-size-fits-all scenario.
As with who should own the CLM process, organizations must review the various CLM software solutions available that will meet their current and future needs and then ask, “What do we need the system to do?”
When considering what type of solution to choose, prioritize what needs to be done or improved. Sometimes solutions can be deployed in phases as “add-on” modules.
This project can fit your organization’s schedule:
Master Contract Review and Negotiation
Optimize spend with significant cost savings and negotiate from a position of strength.
Manage Your Vendors Before They Manage You
Maximize the value of vendor relationships.
Burla, Daniel. “The Must Know Of Transition to Dynamics 365 on Premise.” Sherweb, 14 April 2017. Web.
Anand, Vishal. “Strategic Considerations in Implementing an End-to-End Contract Lifecycle Management Solution.” DWF Mindcrest, 20 Aug. 2016. Web.
Alspaugh, Zach. “10 Eye-Popping Contract Management Statistics from the General Counsel’s Technology Report.” Apttus, 23 Nov. 2018. Web.
Bishop, Randy. “Contract Management is not just a cost center.” ContractSafe, 9 Sept. 2019. Web.
Bryce, Ian. “Contract Management KPIs - Measuring What Matters.” Gatekeeper, 2 May 2019. Web.
Busch, Jason. “Contract Lifecycle Management 101.” Determine, 4 Jan. 2018. Web.
“Contract Management Software Buyer's Guide.” TechnologyAdvice, 5 Aug. 2019. Web.
Dunne, Michael. “Analysts Predict that 2019 will be a Big Year for Contract Lifecycle Management.” Apttus, 19 Nov. 2018. Web.
“FIS Case Study.” Apttus, n.d. Web.
Gutwein, Katie. “3 Takeaways from the 2018 State of Contract Management Report.” SpringCM, 2018. Web.
“IACCM 2019 Benchmark Report.” IACCM, 4 Sept. 2019. Web.
Linsley, Rod. “How Proverbial Wisdom Can Help Improve Contract Risk Mitigation.” Gatekeeper, 2 Aug. 2019. Web.
Mars, Scott. “Contract Management Data Extraction.” Exari, 20 June 2017. Web.
Rodriquez, Elizabeth. “Global Contract Life-Cycle Management Market Statistics and Trends 2019.” Business Tech Hub, 17 June 2017. Web.
“State of Contract Management Report.” SpringCM, 2018. Web.
Teninbaum, Gabriel, and Arthur Raguette. “Realizing ROI from Contract Management Technology.” ACCDocket.com, 29 Jan. 2018. Web.
Wagner, Thomas. “Strategic Report on Contract Life cycle Management Software Market with Top Key Players- IBM Emptoris, Icertis, SAP, Apttus, CLM Matrix, Oracle, Infor, Newgen Software, Zycus, Symfact, Contract Logix, Coupa Software.” Market Research, 21 June 2019. Web.
“What is Your Contract Lifecycle Management (CLM) Persona?” Spend Matters, 19 Oct. 2017. Web.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand the concepts of ESM, determine the scope of the ESM program, and get buy-in.
Determine the current state for ESM and identify the gaps.
Create customer journey maps, identify an ESM pilot, and finalize the action plan for the pilot.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand what ESM is and how it can improve customer service.
Determine the scope of your ESM initiative and identify who the stakeholders are for this program.
Understanding of ESM concepts.
Understanding of the scope and stakeholders for your ESM initiative.
Plan for getting buy-in for the ESM program.
1.1 Understand the concepts and benefits of ESM.
1.2 Determine the scope of your ESM program.
1.3 Identify your stakeholders.
1.4 Develop an executive buy-in presentation.
1.5 Develop a general communications presentation.
Executive buy-in presentation
General communications presentation
Assess your current state with respect to culture, governance, skills, and tools.
Identify your strengths and weaknesses from the ESM assessment scores.
Understanding of your organization’s current enablers and constraints for ESM.
Determination and analysis of data needed to identify strengths or weaknesses in culture, governance, skills, and tools.
2.1 Understand your organization’s mission and vision.
2.2 Assess your organization’s culture, governance, skills, and tools.
2.3 Identify the gaps and determine the necessary foundational action items.
ESM assessment score
Foundational action items
Define and choose the top services at the organization.
Create customer journey maps for the chosen services.
List of prioritized services.
Customer journey maps for the prioritized services.
3.1 Make a list of your services.
3.2 Prioritize your services.
3.3 Build customer journey maps.
List of services
Customer journey maps
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Identify, analyze, and prioritize potential crises based on risk to the organization. Set crisis management team roles and responsibilities. Adopt a crisis management framework.
Document workflows for notification, situational assessment, emergency response, and crisis response.
Develop and document guidelines that support the creation and distribution of crisis communications.
Summarize your crisis management and response plans, create a roadmap to implement potential improvement projects, develop training and awareness initiatives, and schedule maintenance to keep the plan evergreen.
Identify and prioritize relevant potential crises.
Enable crisis management pre-planning and identify gaps in current crisis management plans.
1.1 Identify high-risk crises.
1.2 Assign roles and responsibilities on the crisis management team.
1.3 Review Info-Tech’s crisis management framework.
List of high-risk crises.
CMT membership and responsibilities.
Adopt the crisis management framework and identify current strengths and gaps.
Outline emergency response and crisis response plans.
Develop and document procedures that enable rapid, effective, and reliable crisis and emergency response.
2.1 Develop crisis notification and assessment procedures.
2.2 Document your emergency response plans.
2.3 Document crisis response plans for potential high-risk crises.
Documented notification and assessment workflows.
Emergency response plans and checklists.
Documented crisis response workflows.
Define crisis communication guidelines aligned with an actionable crisis communications framework.
Document workflows and guidelines that support crisis communications.
3.1 Establish the elements of baseline crisis communications.
3.2 Identify audiences for the crisis message.
3.3 Modify baseline communication guidelines based on audience and organizational responsibility.
3.4 Create a vetting process.
3.5 Identify communications channels.
Baseline communications guidelines.
Situational modifications to crisis communications guidelines.
Documented vetting process.
Documented communications channels
Summarize the crisis management plan, establish an organizational learning process, and identify potential training and awareness activities.
Plan ahead to keep your crisis management practice evergreen.
4.1 Review the CMP Summary Template.
4.2 Create a project roadmap to close gaps in the crisis management plan.
4.3 Outline an organizational learning process.
4.4 Schedule plan reviews, testing, and updates.
Long-term roadmap to improve crisis management capabilities.
Crisis management plan maintenance process and awareness program.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand your current state and determine the need for a deeper audit.
Audit your selected projects and portfolios. Understand the gaps in portfolio practices.
Document the steps you are going to take to address any issues that were uncovered in phase 2.
An audit of your portfolio management practices.
Analysis of audit results.
1.1 Info-Tech’s Audit Standard/Engagement Context
1.2 Portfolio Audit
1.3 Input Validation
1.4 Portfolio Audit Analysis
1.5 Start/Stop/Continue
Audit Standard and Audit Glossary of Terms
Portfolio and Project Audit Tool
Start/Stop/Continue
An audit of your project management practices.
Analysis of audit results.
2.1 Project Audit
2.2 Input Validation
2.3 Project Audit Analysis
2.4 Start/Stop/Continue
Portfolio and Project Audit Tool
Start/Stop/Continue
Create a plan to start addressing any vulnerabilities.
A plan to move forward.
3.1 Action Plan
3.2 Key Takeaways
Audit Timeline Template
Implementing exponential IT will require businesses to work with external vendors to facilitate the rapid adoption of cutting-edge technologies such as generative artificial intelligence. IT leaders must:
These challenges require new skills which build trust and collaboration among vendors.
Outcome-based relationships require a higher degree of trust than traditional vendor relationships. Build trust by sharing risks and rewards.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This research walks you through how to assess your capabilities to undertake a new model of vendor relationships and drive exponential IT.
This tool will facilitate your readiness assessment.
Exponential IT brings with it an exciting new world of cutting-edge technology and increasingly accelerated growth of business and IT. But adopting and driving change through this paradigm requires new capabilities to grow impactful and meaningful partnerships with external vendors who can help implement technologies like artificial intelligence and virtual reality. Building outcome-based partnerships involves working very closely with vendors who, in many cases, will have just as much to lose as the organizations implementing these new technologies. This requires a greater degree of trust between parties than a standard vendor relationship. It also drastically increases the risks to both organizations; as each loses some control over data and outcomes, they must trust that the other organization will follow through on commitments and obligations. Outcome-based partnerships build upon traditional vendor management practices and create the potential for organizations to embrace emerging technology in new ways.
Kim Osborne Rodriguez
| Exponential IT drives change | Vendor relationships must evolve | To deliver exponential value |
|---|---|---|
| Implementing exponential IT will require businesses to work with external vendors to facilitate the rapid adoption of cutting-edge technologies such as generative artificial intelligence. IT leaders must: These challenges require new skills which build trust and collaboration with vendors. | Traditional vendor management approaches are still important for organizations to develop and maintain. But exponential relationships bring new challenges: IT leaders must adapt traditional vendor management capabilities to successfully lead this change. | Outcome-based relationships should not be undertaken lightly as they can significantly impact the risk profile of the organization. Use this research to: Exponential value relationships will help drive exponential IT and autonomization of the enterprise. |
Info-Tech Insight
Outcome-based partnerships require a higher degree of trust than traditional vendor relationships. Build trust by sharing risks and rewards.
An outcome-based relationship requires a higher level of mutual trust than traditional vendor relationships. This requires shared reward and shared risk.
Don’t forget about traditional vendor management relationships! Not all vendor relationships can (or should) be outcome-based.
INDUSTRY: Technology
SOURCE: Press Release
Microsoft and OpenAI partner on Azure, Teams, and Microsoft Office suite
In January 2023, Microsoft announced a $10 billion investment in OpenAI, allowing OpenAI to continue scaling its flagship large language model, ChatGPT, and giving Microsoft first access to deploy OpenAI’s products in services like GitHub, Microsoft Office, and Microsoft Teams.
Shared risk
Issues with OpenAI’s platforms could have a debilitating effect on Microsoft’s own reputation – much like Google’s $100 billion stock loss following a blunder by its AI platform Bard – not to mention the financial loss if the platform does not live up to the hype.
Shared reward
This was a particularly important strategic move by Microsoft, as its main competitors develop their own AI models in a race to the top. This investment also gave OpenAI the resources to continue scaling and evolving its services much faster than it would be capable of on its own. If OpenAI’s products succeed, there is a significant upside for both companies.
| Traditional procurement | Vendor management | Exponential vendor relationships |
|---|---|---|

Use this research to successfully
Use Info-Tech’s research to Jump Start Your Vendor Management Initiative.
Eighty-seven percent of organizations are currently experiencing talent shortages or expect to within a few years.
Sixty-three percent of IT leaders plan to implement AI in their organizations by the end of 2023.
| Build trust | Successfully managing exponential relationships requires increased trust and the ability to share both risks and rewards. Outcome-based vendors typically have greater access to intellectual property, customer data, and proprietary methods, which can pose a risk to the organization if this information is used to benefit competitors. Build mutual trust by sharing both risks and rewards. |
|---|---|
| Manage risk | Outcome-based relationships with external vendors can drastically affect an organization’s risk profile. Carefully consider third-party risk and shared risk, including ESG risk, as well as the business risk of losing control over capabilities and assets. Qualified risk specialists (such as legal, regulatory, contract, intellectual property law) should be consulted before entering outcome-based relationships. |
| Drive outcomes | Fostering strategic relationships can be instrumental in times of crisis, when being the customer of choice for key vendors can push your organization up the line from the vendor’s side – but be careful about relying on this too much. Vendor objectives may not align with yours, and in the end, everyone needs to protect themselves. |
Exponential Relationships Readiness Assessment
Determine your readiness to build exponential value relationships.
Our research indicates that most organizations would take months to prepare this type of assessment without using our research. That’s over 80 person-hours spent researching and gathering data to support due diligence, for a total cost of thousands of dollars. Doesn’t your staff have better things to do?
Start by answering a few brief questions, then return to this slide at the end to see how much your answers have changed.
Use Info-Tech’s research to Exponential Relationships Readiness Assessment.
| Questions | Before | After |
|---|---|---|
| To what extent are you satisfied with your current vendor management approach? | | |
| How many of your current vendors would you describe as being of strategic importance? | | |
| How much do you spend on vendors annually? | | |
| How much value do you derive from your vendor relationships annually? | | |
| Do you have a vendor management strategy? | | |
| What outcomes are you looking to achieve through your vendor relationships? | | |
| How well do you understand the core capabilities needed to drive successful vendor management? | | |
| How well do you understand your current readiness to engage in outcome-based vendor relationships? | | |
| Do you feel comfortable managing the risks when working with organizations to implement artificial intelligence and other autonomous capabilities? | | |
Manage your budget and spending to stay on track throughout your relationship.
“Most organizations underestimate the amount of time, money, and skill required to build and maintain a successful relationship with another organization. The investment in exponential relationships is exponential in itself – as are the returns.”
This step involves the following participants:
Activities:
Why is this important?
Build it into your practice:
| Budget procedures | Financial alignment | Adaptability | Financial analysis | Reporting & compliance |
|---|---|---|---|---|
| Clearly articulate and communicate budgets, with proactive analysis and reporting. | There is a strong, direct alignment between financial outcomes and organizational strategy and goals. | Financial structures can manage many different types of relationships and structures without major overhaul. | Proactive financial analysis is conducted regularly, with actionable insights. | This exceeds legal requirements and includes proactive and actionable reporting. |
Drive exponential value by becoming a customer of choice.
“The more complex the business environment becomes — for instance, as new technologies emerge or as innovation cycles get faster — the more such relationships make sense. And the better companies get at managing individual relationships, the more likely it is that they will become “partners of choice” and be able to build entire portfolios of practical and value-creating partnerships.”
This step involves the following participants:
Activities:
Why is this important?
Build it into your practice:
| Strategic alignment | Follow-through | Information sharing | Shared risk & rewards | Communication |
|---|---|---|---|---|
| Work with vendors to create roadmaps and strategies to drive mutual success. | Ensure demands are reasonable and consistently follow through on commitments. | Proactively and freely share relevant information between parties. | Equitably share responsibility for outcomes and benefits from success. | Ensure clear, proactive, and frequent communication occurs between parties. |
Outcomes management focuses on results, not methods.
According to Jennifer Robinson, senior editor at Gallup, “This approach focuses people and teams on a concrete result, not the process required to achieve it. Leaders define outcomes and, along with managers, set parameters and guidelines. Employees, then, have a high degree of autonomy to use their own unique talents to reach goals their own way.” (Forbes, 2023)
In the context of exponential relationships, vendors can be given a high degree of autonomy provided they meet their objectives.
This step involves the following participants:
Activities:
Why is this important?
Build it into your practice:
| Goal setting | Negotiation | Performance tracking | Issue | Scope management |
|---|---|---|---|---|
| Set specific, measurable and actionable goals, and communicate them with stakeholders. | Clearly articulate and agree upon measurable outcomes between all parties. | Proactively track progress toward goals/outcomes and discuss results with vendors regularly. | Openly discuss potential issues and challenges on a regular basis. Find collaborative solutions to problems. | Proactively manage scope and discuss with vendors on a regular basis. |
Exponential IT means exponential risk – and exponential rewards.
One of the key differentiators between traditional vendor relationships and exponential relationships is the degree to which risk is shared between parties. This is not possible in all industries, which may limit companies’ ability to participate in this type of exponential relationship.
This step involves the following participants:
Activities:
Why is this important?
Build it into your practice:
Info-Tech Insight
Some highly regulated industries (such as finance) are prevented from transferring certain types of risk. In these industries, it may be much more difficult to form vendor relationships.
Customers care about ESG. You should too.
Protect yourself against third-party ESG risks by considering the environmental and social impacts of your vendors.
Third-party ESG risks can include the following:
Working with vendors that have a poor record of ESG carries a very real reputational risk for organizations who do not undertake appropriate due diligence.
Seventy-seven percent of customers believe companies have a responsibility to manufacture sustainably.
Sixty-eight percent of customers believe businesses should ensure their suppliers meet high social and environmental standards.
Fifty-five percent of customers consider the environmental impact of production in their purchasing decisions.
| Third-party risk | Value chain | Data management | Regulatory & compliance | Monitoring & reporting |
|---|---|---|---|---|
| Understand and assess third-party risk, including ESG risk, in potential relationships. | Assess risk throughout the value chain for all parties and balance risk among parties. | Proactively assess and manage potential data risks, including intellectual property and strategic data. | Manage regulatory and compliance risks, including understanding risk transfer and ultimate risk holder. | Proactive and open monitoring and reporting of risks, including regular communication among stakeholders. |
Contract management is a critical part of vendor management.
Well-managed contracts include clearly defined pricing, performance-based outcomes, clear roles and responsibilities, and appropriate remedies for failure to meet requirements. In outcome-based relationships, contracts are generally used as a secondary method of enforcing performance, with relationship management being the primary method of addressing challenges and ensuring performance.
This step involves the following participants:
Activities:
| Pricing | Performance outcomes | Roles and responsibilities | Remedies | Payment |
|---|---|---|---|---|
| Pricing is clearly defined in contracts so that the total cost is understood including all fees, optional pricing, and set caps on increases. | Contracts are performance-based whenever possible, including deliverables, milestones, service levels, due dates, and outcomes. | Each party's roles and responsibilities are clearly defined in the contract documents with adequate detail. | Contracts contain appropriate remedies for a vendor's failure to meet SLAs, due dates, and other obligations. | Payment is made after performance targets are met, approved, or accepted. |
1-3 hours
Download the Exponential Relationships Readiness Assessment tool.
This step involves the following participants:
Activities:
Consider the following recommendations based on your readiness assessment scores:
1 hour
Jump Start Your Vendor Management Initiative
Create and implement a vendor management framework to begin obtaining measurable results in 90 days.
Elevate Your Vendor Management Initiative
Transform your VMI from tactical to strategic to maximize its impact and value.
Evaluate Your Vendor Account Team to Optimize Vendor Relations
Understand the value of knowing your account team’s influence in the organization, and your influence, to drive results.
Build an IT Risk Management Program
Mitigate the IT risks that could negatively impact your organization.
Build an IT Budget
Effective IT budgets are more than a spreadsheet. They tell a story.
Adopt an Exponential IT Mindset
Thrive through the next paradigm shift.
Kim Osborne Rodriguez
Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach, with a track record of supporting successful projects. Kim holds a Bachelor’s degree in Honours Mechatronics Engineering and an option in Management Sciences from the University of Waterloo.

Jack Hakimian
Jack has more than 25 years of technology and management consulting experience. He has served multibillion-dollar organizations in multiple industries including financial services and telecommunications. Jack also served several large public sector institutions. He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.

Michael Tweedie
Mike Tweedie brings over 25 years as a technology executive. He’s led several large transformation projects across core infrastructure, application and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management. Mike holds a Bachelor’s degree in Architecture from Ryerson University.

Scott Bickley
Scott Bickley is a Practice Lead & Principal Research Director at Info-Tech Research Group, focused on Vendor Management and Contract Review. He also has experience in the areas of IT Asset Management (ITAM), Software Asset Management (SAM), and technology procurement along with a deep background in operations, engineering, and quality systems management. Scott holds a B.S. in Justice Studies from Frostburg State University. He also holds active IAITAM certification designations of CSAM and CMAM and is a Certified Scrum Master (SCM).

Donna Bales
Donna Bales is a Principal Research Director in the CIO Practice at Info-Tech Research Group, specializing in research and advisory services in IT risk, governance, and compliance. She brings over 25 years of experience in strategic consulting and product development and has a history of success in leading complex, multistakeholder industry initiatives. Donna has a bachelor’s degree in economics from the University of Western Ontario.

Jennifer Perrier
Jennifer has 25 years of experience in the information technology and human resources research space, joining Info-Tech in 1998 as the first research analyst with the company. Over the years, she has served as a research analyst and research manager, as well as in a range of roles leading the development and delivery of offerings across Info-Tech’s product and service portfolio, including workshops and the launch of industry roundtables and benchmarking. She was also Research Lead for McLean & Company, the HR advisory division of Info-Tech, during its start-up years. Jennifer’s research expertise spans the areas of IT strategic planning, governance, policy and process management, people management, leadership, organizational change management, performance benchmarking, and cross-industry IT comparative analysis. She has produced and overseen the development of hundreds of publications across the full breadth of both the IT and HR domains in multiple industries. In 2022, Jennifer joined Info-Tech’s IT Financial Management Practice with a focus on developing financial transparency to foster meaningful dialogue between IT and its stakeholders and drive better technology investment decisions.

Phil Bode
Phil has 30+ years of experience with IT procurement-related topics: contract drafting and review, negotiations, RFXs, procurement processes, and vendor management. Phil has been a frequent speaker at conferences, a contributor to magazine articles in CIO Magazine and ComputerWorld, and quoted in many other magazines. He is a co-author of the book The Art of Creating a Quality RFP. Phil has a Bachelor of Science in Business Administration with a double major of Finance and Entrepreneurship and a Bachelor of Science in Business Administration with a major of Accounting, both from the University of Arizona.

Erin Morgan

Renee Stanley
Note: Additional contributors did not wish to be identified.
Andrea, Dave. “Plante Moran’s 2022 Working Relations Index® (WRI) Study shows supplier relations can improve amid industry crisis.” Plante Moran, 25 Aug 2022. Accessed 18 May 2023.
Andrea, Dave. “Trust between suppliers and OEMs can better prepare you for the next crisis.” Plante Moran, 9 Sept 2020. Accessed 17 May 2023.
Cleary, Shannon, and Carolan McLarney. “Organizational Benefits of an Effective Vendor Management Strategy.” IUP Journal of Supply Chain Management, Vol. 16, Issue 4, Dec 2019.
De Backer, Ruth, and Eileen Kelly Rinaudo. “Improving the management of complex business partnerships.” McKinsey, 21 March 2019. Accessed 9 May 2023.
Dennean, Kevin et al. “Let's chat about ChatGPT.” UBS, 22 Feb 2023. Accessed 26 May 2023.
F&I Tools. “Nissan Worldwide Vehicle Sales Report.” Factory Warranty List, 2022. Accessed 18 May 2023.
Gomez, Robin. “Adopting ChatGPT and Generative AI in Retail Customer Service.” Radial, 235, April 2023. Accessed 10 May 2023.
Harms, Thomas and Kristina Rogers. “How collaboration can drive value for you, your partners and the planet.” EY, 26 Oct 2021. Accessed 10 May 2023.
Hedge & Co. “Toyota, Honda finish 1-2; General Motors finishes at 3rd in annual Supplier Working Relations Study.” PR Newswire, 23 May 2022. Accessed 17 May 2023.
Henke Jr, John W., and T. Thomas. "Lost supplier trust, lost profits." Supply Chain Management Review, May 2014. Accessed 17 May 2023.
Information Services Group, Inc. “Global Demand for IT and Business Services Continues Upward Surge in Q2, ISG Index™ Finds.” BusinessWire, 7 July 2021. Accessed 8 May 2023.
Kasanoff, Bruce. “New Study Reveals Costs Of Bad Supplier Relationships.” Forbes, 6 Aug 2014. Accessed 17 May 2023.
Macrotrends. “Nissan Motor Gross Profit 2010-2022.” Macrotrends. Accessed 18 May 2023.
Macrotrends. “Toyota Gross Profit 2010-2022.” Macrotrends. Accessed 18 May 2023.
McKinsey. “Mind the [skills] gap.” McKinsey, 27 Jan 2021. Accessed 18 May 2023.
Morgan, Blake. “7 Examples of How Digital Transformation Impacted Business Performance.” Forbes, 21 Jul 2019. Accessed 10 May 2023.
Nissan Motor Corporation. “Nissan reports strong financial results for fiscal year 2022.” Nissan Global Newsroom, 11 May 2023. Accessed 18 May 2023.
“OpenAI and Microsoft extend partnership.” OpenAI, 23 Jan 2023. Accessed 26 May 2023.
Pearson, Bryan. “The Apple Of Its Aisles: How Best Buy Lured One Of The Biggest Brands.” Forbes, 23 Apr 2015. Accessed 23 May 2023.
Perifanis, Nikolaos-Alexandros and Fotis Kitsios. “Investigating the Influence of Artificial Intelligence on Business Value in the Digital Era of Strategy: A Literature Review.” Information, 2 Feb 2023. Accessed 10 May 2023.
Scott, Tim and Nathan Spitse. “Third-party risk is becoming a first priority challenge.” Deloitte. Accessed 18 May 2023.
Stanley, Renee. Interview by Kim Osborne Rodriguez, 17 May 2023.
Statista. “Toyota's retail vehicle sales from 2017 to 2021.” Statista, 27 Jul 2022. Accessed 18 May 2023.
Tlili, Ahmed, et al. “What if the devil is my guardian angel: ChatGPT as a case study of using chatbots in education.” Smart Learning Environments, 22 Feb 2023. Accessed 9 May 2023.
Vitasek, Kate. “Outcome-Based Management: What It Is, Why It Matters And How To Make It Happen.” Forbes, 12 Jan 2023. Accessed 9 May 2023.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Identify IT infrastructure systems and establish dependency bundles for the current and target sites.
Build a strong business case for data center consolidation by leveraging a TCO analysis and incorporating business requirements.
Streamline the move-day process through effective communication and clear delegation of duties.
Close the loop on the data center consolidation project by conducting an effective project retrospective.
Sixty percent of marketers find it hard to produce high-quality content consistently. SaaS marketers have an even more difficult job due to the technical nature of content production. Without an easy content development strategy, marketers have an insurmountable task of continually creating interesting content for an audience they don’t understand.
Globally, B2B SaaS marketers without the ability to consistently produce and activate quality content will experience:
Marketing content that identifies the benefit of the product along with a deep understanding of the buyer pain points, desired value, and benefit proof points is a key driver in delivering value to a prospect, thereby increasing marketing metrics such as open rates, time on site, page views, and click-through rates.
Marketers that activate the SoftwareReviews message mapping architecture will be able to crack the code on the formula for improving open and click-through rates.
By applying the SoftwareReviews message mapping architecture, clients will be able to:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Through this blueprint marketers will learn how to shift content away from low-performing content that only focuses on the product and company to high-performing customer-focused content that answers the “What’s in it for me?” question for a buyer, increasing engagement and conversions.
Marketers only have seven seconds to capture a visitor's attention but often don't realize that the space between competitors and their company is that narrow. They often miss the mark on content and create reams of product and company-focused messaging that result in high bounce rates, low page views, low return visits, low conversions, and low click-through rates.
We wouldn't want to sit in a conversation with someone who only speaks about themselves, so why would it be any different when we buy something? Today's marketers must quickly hook their visitors with content that answers the critical question of "What's in it for me?"
Our research finds that leading content marketers craft messaging that lets their audience “know they know them,” points out what’s in it for them, and includes proof points of promised value. We call this simple yet often missed approach Message Mapping. It helps marketers grab a visitor’s initial attention and, when applied throughout the customer journey, will turn prospects into customers, lifelong buyers, advocates, and referrals.
Terra Higginson
Your Challenge
Globally, B2B SaaS marketers without the ability to consistently produce and activate quality content will experience:
Common Obstacles
Marketers struggle to create content that quickly engages the buyer because they lack:
SoftwareReviews’ Approach
By applying the SoftwareReviews’ message mapping architecture, clients will be able to:
Marketing content that identifies the benefit of the product, along with a deep understanding of the buyer pain points, desired value, and benefit proof-points, is a key driver in delivering value to a prospect, thereby increasing marketing metrics such as open rates, time on site, page views, and click-through rates.
65% of marketers find it challenging to produce engaging content. Globally, B2B SaaS marketers without the ability to consistently produce and activate quality content will experience:
A staggering 60% of marketers find it hard to produce high-quality content consistently and 62% don’t know how to measure the ROI of their campaigns according to OptinMonster. SaaS marketers have an even more difficult job due to the technical nature of content production. Without an easy content development strategy, marketers have an insurmountable task of continually creating interesting content for an audience they don’t understand.
Over 64% of marketers want to learn how to build a better content (Source: OptinMonster, 2021)
GrowRevenue, MarketingSherpa, Google Analytics, FirstPageSage, Google Analytics, HubSpot
Mistake #1: Myopic Focus on Company and Product
Content suffers a low ROI due to a myopic focus on the company and the product. This self-focused content fails to engage prospects and move them through the funnel.
Mistake #2: WIIFM Question Unanswered
Content never answers the fundamental “What’s in it for me?” question due to a lack of true buyer understanding. This leads to an inability to communicate the value proposition to the prospect.
Mistake #3: Inability to Select the Right Content Format
Marketers often guess what kind of content their buyers prefer without any real understanding or research behind what buyers would actually want to consume.
Leaders Will Avoid the “Big Three” Pitfalls
Without quality content, the sales and marketing cycles elongate and content marketing metrics suffer.
50%: Half of the content produced has no backlinks. (Source: Moz, 2015)
Content matters more than ever since 67% of the buyer's journey is now done digitally. (Source: Worldwide Business Research, 2022)
A content mapping approach lets content marketers:
Avoid value claiming. Leaders will use client testimonials as proof points because buyers believe peers more than they believe you.
“… Since 95 percent of the people are imitators and only 5 percent initiators, people are persuaded more by the actions of others than by any proof we can offer.” (Robert Cialdini, Influence: The Psychology of Persuasion)
What’s in It for Me?
Most content has a focus on the product and the company. Content that lacks a true and deep understanding of the buyer suffers low engagement and low conversions. Our research shows that all content must answer “What’s in it for me?” for a prospect.
Social Proof & Authority
Buyers that are faced with a new and unusual buying experience (such as purchasing SaaS) look at what others say about the product (social proof) and what experts say about the product (authority) to make buying decisions.
Scarcity & Loss Framing
Research shows that scarcity is a strong principle of influence that can be used in marketing messages. Loss framing is a variation of scarcity and can be used by outlining what a buyer will lose instead of what will be gained.
Unify the Experience
Use your message map to structure all customer-facing content across Sales, Product, and Marketing and create a unified and consistent experience across all touchpoints.
Close the Gap
SaaS marketers often find the gap between product and company-focused content and buyer-focused content to be so insurmountable that they never manage to overcome it without a framework like message mapping.
Create a Buyer Persona and Journey
Make it easier to market, sell, and achieve product-market fit with deeper buyer understanding.
Diagnose Brand Health to Improve Business Growth
Have a significant and well-targeted impact on business success and growth by knowing how your brand performs, identifying areas of improvement, and making data-driven decisions to fix it.
Build a More Effective Go-to-Market Strategy
Creating a compelling Go-to-Market strategy, and keeping it current, is a critical software company function – as important as financial strategy, sales operations, and even corporate business development – given its huge impact on the many drivers of sustainable growth.
Arakelyan, Artash. “How SaaS Companies Increase Their ROI With Content Marketing.” Clutch.co, 27 July 2018. Accessed July 2022.
Bailyn, Evan. “Average Session Duration: Industry Benchmarks.” FirstPageSage, 16 March 2022. Accessed July 2022.
Burstein, Daniel. “Marketing Research Chart: Average clickthrough rates by industry.” MarketingSherpa, 1 April 2014. Accessed July 2022.
Cahoon, Sam. “Email Open Rates By Industry (& Other Top Email Benchmarks).” HubSpot, 10 June 2021. Accessed July 2022.
Cialdini, Robert. Influence: Science and Practice. 5th ed. Pearson, 29 July 2008. Print.
Cialdini, Robert. Influence: The Psychology of Persuasion. Revised ed. Harper Business, 26 Dec. 2006. Print.
“Content Marketing—Statistics, Evidence and Trends.” 1827 Marketing, 7 Jan. 2022. Accessed July 2022.
Devaney, Erik. “Content Mapping 101: The Template You Need to Personalize Your Marketing.” HubSpot, 21 April 2022. Accessed July 2022.
Hiscox Business Insurance. “Growing Your Business--and Protecting It Every Step of the Way.” Inc.com. 25 April 2022. Accessed July 2022.
Hurley Hall, Sharon. “85 Content Marketing Statistics To Make You A Marketing Genius.” OptinMonster, 14 Jan. 2021. Accessed July 2022.
Patel, Neil. “38 Content Marketing Stats That Every Marketer Needs to Know.” NeilPatel.com, 21 Jan. 2016. Web.
Prater, Meg. “SaaS Sales: 7 Tips on Selling Software from a Top SaaS Company.” HubSpot, 9 June 2021. Web.
Polykoff, Dave. “20 SaaS Content Marketing Statistics That Lead to MRR Growth in 2022.” Zenpost blog, 22 July 2022. Web.
Rayson, Steve. “Content, Shares, and Links: Insights from Analyzing 1 Million Articles.” Moz, 8 Sept. 2015. Accessed July 2022.
“SaaS Content Marketing: How to Measure Your SaaS Content’s Performance.” Ken Moo, 9 June 2022. Accessed July 2022.
Taylor Gregory, Emily. “Content marketing challenges and how to overcome them.” Longitude, 14 June 2022. Accessed July 2022.
Visitors Benchmarking Channels. Google Analytics, 2022. Accessed July 2022.
WBR Insights. “Here's How the Relationship Between B2B Buying, Content, and Sales Reps Has Changed.” Worldwide Business Research, 2022. Accessed July 2022.
“What’s a good bounce rate? (Here’s the average bounce rate for websites).” GrowRevenue.io, 24 Feb. 2020. Accessed July 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Calculate the cost of the project backlog and assess the root causes of its unmanageability.
Increase the manageability of the backlog by updating stale requests and removing dead weight.
Develop and maintain a manageable backlog growth rate by establishing disciplined backlog management processes.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Gauge the manageability of your project backlog in its current state.
Calculate the total cost of your project backlog investments.
Determine the root causes that contribute to the unmanageability of your project backlog.
An understanding of the organizational need for more disciplined backlog management.
Visibility into the costs incurred by the project backlog.
An awareness of the sources that feed the growth of the project backlog and make it a challenge to maintain.
1.1 Calculate the sunk and marginal costs that have gone into your project backlog.
1.2 Estimate the throughput of backlog items.
1.3 Survey the root causes of your project backlog.
The total estimated cost of the project backlog.
A project backlog return-on-investment score.
A project backlog root cause analysis.
Identify the most organizationally appropriate goals for your backlog cleanse.
Pinpoint those items that warrant immediate removal from the backlog and establish a game plan for putting a bullet in them.
Communicate backlog decisions with stakeholders in a way that minimizes friction and resistance.
An effective, achievable, and organizationally right-sized approach to cleansing the backlog.
Criteria for cleanse outcomes and a protocol for carrying out the near-term cleanse.
A project sponsor outreach plan to help ensure that decisions made during your near-term cleanse stick.
2.1 Establish roles and responsibilities for the near-term cleanse.
2.2 Determine cleanse scope.
2.3 Develop backlog prioritization criteria.
2.4 Prepare a communication strategy.
Clear accountabilities to ensure the backlog is effectively minimized and outcomes are communicated effectively.
Clearly defined and achievable goals.
Effective criteria for cleansing the backlog of zombie projects and maintaining projects that are of strategic and operational value.
A communication strategy to minimize stakeholder friction and resistance.
Ensure ongoing backlog manageability.
Make sure the executive layer is aware of the ongoing status of the backlog when making project decisions.
Customize a best-practice toolkit to help keep the project backlog useful.
A list of pending projects that is minimal, maintainable, and of high value.
Executive engagement with the backlog to ensure intake and approval decisions are made with a view of the backlog in mind.
A backlog management tool and processes for ongoing manageability.
3.1 Develop a project backlog management operating model.
3.2 Configure a project backlog management solution.
3.3 Assign roles and responsibilities for your long-term project backlog management processes.
3.4 Customize a project backlog management operating plan.
An operating model to structure your long-term strategy around.
A right-sized management tool to help enable your processes and executive visibility into the backlog.
Defined accountabilities for executing project backlog management responsibilities.
Clearly established processes for how items get in and out of the backlog, as well as for ongoing backlog review.
To remain competitive, enterprises must renew and refresh their business model strategies and design/develop digital platforms. This requires enterprises to:
Organizations that implement this project will gain benefits in five ways:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand the platform business model and strategies and then set your platform business model goals.
Define design goals for your digital platform. Align your DX strategy with digital platform capabilities and understand key components of the digital platform.
Understand existing business model, value proposition, and key assets.
Understand platform business model and strategies.
Understanding the current assets helps with knowing what can be leveraged in the new business model/transformation.
Understanding the platform strategies can help the enterprise renew/refresh their business model.
1.1 Document the current business model along with value proposition and key assets (that provide competitive advantage).
1.2 Transformation narrative.
1.3 Platform model canvas.
1.4 Document the platform strategies in the context of the enterprise.
Documentation of current business model along with value proposition and key assets (that provide competitive advantage).
Documentation of the selected platform strategies.
Understand transformation approaches.
Understand various layers of platforms.
Ask fundamental and evolutionary questions about the platform.
Understanding of the transformational model so that the enterprise can realize the differences.
Understanding of the organization’s strengths and weaknesses for a DX.
Extraction of strategic themes to plan and develop a digital platform roadmap.
2.1 Discuss and document decision about DX approach and next steps.
2.2 Discuss and document high-level strategic themes for platform business model and associated roadmap.
Documented decision about DX approach and next steps.
Documented high-level strategic themes for platform business model and associated roadmap.
Understand the design goals for the digital platform.
Understand gaps between the platform’s capabilities and the DX strategy.
Design goals set for the digital platform that are visible to all stakeholders.
Gap analysis performed between enterprise’s digital strategy and platform capabilities; this helps understand the current situation and thus informs strategies and roadmaps.
3.1 Discuss and document design goals for digital platform.
3.2 Discuss DX themes and platform capabilities – document the gaps.
3.3 Discuss gaps and strategies along with timelines.
Documented design goals for digital platform.
Documented DX themes and platform capabilities.
DX themes and platform capabilities map.
Understanding of key components of a digital platform, including technology and teams.
Understanding of the key components of a digital platform and designing the platform.
Understanding of the team structure, culture, and practices needed for successful platform engineering teams.
4.1 Confirmation and discussion on existing UX/UI and API strategies.
4.2 Understanding of microservices architecture and filling of microservices canvas.
4.3 Real-time stream processing data pipeline and tool map.
4.4 High-level architectural view.
4.5 Discussion on platform engineering teams, including culture, structure, principles, and practices.
Filled microservices canvas.
Documented real-time stream processing data pipeline and tool map.
Documented high-level architectural view.
1. Frame the conversation.
Understand the audience and forum for the business case to best frame the conversation.
2. Time-box the process of building the case.
More time should be spent on performing the action rather than building the case.
3. The business case is a living document.
The business case creates the basis for review of the realization of the proposed business benefits once the procurement is complete.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Complete the necessary preceding tasks to building the business case. Rationalize the initiative under consideration, determine the organizational decision flow following a stakeholder assessment, and conduct market research to understand the options.
Conduct a thorough assessment of the initiative in question. Define the alternatives under consideration, identify tangible and intangible benefits for each, aggregate the costs, and highlight any risks.
Finalize the recommendation based on the analysis and create a business case presentation to frame the conversation for key stakeholders.
Complete the necessary preceding tasks to building a strong business case.
Alignment with business objectives.
Stakeholder buy-in.
1.1 Map the decision flow in your organization.
1.2 Define the proposed initiative.
1.3 Define the problem/opportunity statement.
1.4 Clarify goals and objectives expected from the initiative.
Decision traceability
Initiative summary
Problem/opportunity statement
Business objectives
Put together the key elements of the business case including alternatives, benefits, and costs.
Rationalize the business case.
2.1 Design viable alternatives.
2.2 Identify the tangible and intangible benefits.
2.3 Assess current and future costs.
2.4 Create the financial business case model.
Shortlisted alternatives
Benefits tracking model
Total cost of ownership
Impact analysis
Determine more integral factors in the business case such as ramp-up time for benefits realization as well as risk assessment.
Complete a comprehensive case.
3.1 Determine ramp-up times for costs and benefits.
3.2 Identify performance measures and tracking.
3.3 Assess initiative risk.
Benefits realization schedule
Performance tracking framework
Risk register
Finalize the recommendation and formulate the business case summary and presentation.
Prepare the business case presentation.
4.1 Choose the alternative to be recommended.
4.2 Create the detailed and summary business case presentations.
4.3 Present and incorporate feedback.
4.4 Monitor and close out.
Final recommendation
Business case presentation
Final sign-off
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand the stakeholder priorities driving changes in your application maintenance practice.
Identify the appropriate level of governance and enforcement to ensure accountability and quality standards are upheld across maintenance practices.
Build a maintenance triage and prioritization scheme that accommodates business and IT risks and urgencies.
Define and enforce quality standards in maintenance activities and build a high degree of transparency to readily address delivery challenges.
Understand the business and IT stakeholder priorities driving the success of your application maintenance practice.
Understand any current issues that are affecting your maintenance practice.
Awareness of business and IT priorities.
An understanding of the maturity of your maintenance practices and identification of issues to alleviate.
1.1 Define priorities for enhanced maintenance practices.
1.2 Conduct a current state assessment of your application maintenance practices.
List of business and technical priorities
List of the root-cause issues, constraints, and opportunities of current maintenance practice
Define the processes, roles, and points of communication across all maintenance activities.
An in-depth understanding of all maintenance activities and what they require to function effectively.
2.1 Modify your maintenance process.
2.2 Define your maintenance roles and responsibilities.
Application maintenance process flow
List of metrics to gauge success
Maintenance roles and responsibilities
Maintenance communication flow
Understand in greater detail the process and people involved in receiving and triaging a request.
Define your criteria for value, impact, and urgency, and understand how these fit into a prioritization scheme.
Understand backlog management and release planning tactics to accommodate maintenance.
An understanding of the stakeholders needed to assess and approve requests.
The criteria used to build a tailored prioritization scheme.
Tactics for efficient use of resources and ideal timing of the delivery of changes.
A process that ensures maintenance teams are always working on tasks that are valuable to the business.
3.1 Review your maintenance intake process.
3.2 Define a request prioritization scheme.
3.3 Create a set of practices to manage your backlog and release plans.
Understanding of the maintenance request intake process
Approach to assess the impact, urgency, and severity of requests for prioritization
List of backlog management grooming and release planning practices
Understand how to apply development best practices and quality standards to application maintenance.
Learn the methods for monitoring and visualizing maintenance work.
An understanding of quality standards and the scenarios for where they apply.
The tactics to monitor and visualize maintenance work.
Streamlined maintenance delivery process with best practices.
4.1 Define approach to monitor maintenance work.
4.2 Define application quality attributes.
4.3 Discuss best practices to enhance maintenance development and deployment.
Taskboard structure and rules
Definition of application quality attributes with user scenarios
List of best practices to streamline maintenance development and deployment
Create a target state built from appropriate metrics and attainable goals.
Consider the required items and steps for the implementation of your optimization initiatives.
A realistic target state for your optimized application maintenance practice.
A well-defined and structured roadmap for the implementation of your optimization initiatives.
5.1 Refine your target state maintenance practices.
5.2 Develop a roadmap to achieve your target state.
Finalized application maintenance process document
Roadmap of initiatives to achieve your target state
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Analyze strategic CIO competencies and assess business stakeholder satisfaction with IT using Info-Tech's CIO Business Vision Diagnostic and CXO-CIO Alignment Program.
Evaluate strategic CIO competencies and business stakeholder relationships.
Create a personal development plan and stakeholder management strategy.
Develop a scorecard to track personal development initiatives.
Gather and review information from business stakeholders.
Assess strategic CIO competencies and business stakeholder relationships.
Gathered information to create a personal development plan and stakeholder management strategy.
Analyzed the information from diagnostics and determined the appropriate next steps.
Identified and prioritized strategic CIO competency gaps.
Evaluated the power, impact, and support of key business stakeholders.
1.1 Conduct CIO Business Vision diagnostic
1.2 Conduct CXO-CIO Alignment program
1.3 Assess CIO competencies
1.4 Assess business stakeholder relationships
CIO Business Vision results
CXO-CIO Alignment Program results
CIO competency gaps
Executive Stakeholder Power Map
Create a personal development plan and stakeholder management strategy.
Track your personal development and establish checkpoints to revise initiatives.
Identified personal development and stakeholder engagement initiatives to bridge high priority competency gaps.
Identified key performance indicators and benchmarks/targets to track competency development.
2.1 Create a personal development plan
2.2 Create a stakeholder management strategy
2.3 Establish key performance indicators and benchmarks/targets
Personal Development Plan
Stakeholder Management Strategy
Strategic CIO Competency Scorecard
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Prepare your environment for data architecture.
Revisit your SDLC to embed data architecture.
Create and maintain your Conceptual Data Model via an iterative process.
View the main deliverable with sample models.
Understand the context and goals of data architecture in your organization.
A foundation for your data architecture practice.
1.1 Review the business context.
1.2 Obtain business commitment and expectations for data architecture.
1.3 Define data architecture as a discipline, its role, and the deliverables.
1.4 Revisit your SDLC to embed data architecture.
1.5 Modeling tool acquisition if required.
Data Architecture vision and mission and governance.
Revised SDLC to include data architecture.
Staffing strategy.
Data Architecture engagement protocol.
Installed modeling tool.
Identify the concepts and domains that will inform your data models.
Defined concepts for your data models.
2.1 Revisit business architecture output.
2.2 Business domain selection.
2.3 Identify business concepts.
2.4 Organize and group business concepts.
2.5 Build the Business Data Glossary.
List of defined and documented entities for the selected.
Practice in the use of capability and business process models to identify key data concepts.
Practice the domain modeling process of grouping and defining your bounded contexts.
Harvest reference models for your data architecture.
Reference models selected.
3.1 Reference model selection.
3.2 Exploring and searching the reference model.
3.3 Harvesting strategies and maintaining linkage.
3.4 Extending the conceptual and logical models.
Established and practiced steps to extend the conceptual or logical model from the reference model while maintaining lineage.
Gather more information to create your data models.
Remaining steps and materials to build your data models.
4.1 Use your data inventory to select source models.
4.2 Match semantics.
4.3 Maintain lineage between BDG and existing sources.
4.4 Select and harvest attributes.
4.5 Define modeling standards.
List of different methods to reverse engineer existing models.
Practiced steps to extend the logical model from existing models.
Report examples.
Wrap up the workshop and set your data models up for future success.
Understanding of functions and processes that will use the data models.
5.1 Institutionalize data architecture practices, standards, and procedures.
5.2 Exploit and extend the use of the Conceptual model in the organization.
Data governance policies, standards, and procedures for data architecture.
List of business functions and processes that will utilize the Conceptual model.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Evaluate the current state, stakeholder capacity, and target audience of engagement actions.
Review impact to engagement drivers in order to prioritize and select tactics for addressing each.
Designate owners of tactics, select measurement tools and cadence, and communicate engagement actions.
SAFe’s popularity is largely due to its structural resemblance to enterprise portfolio and project planning with top-down prioritization and decision making. This directly conflicts with Agile’s purpose and principles of empowerment and agility.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This deck will guide you to define your primary drivers for SAFe, assess your Agile readiness, define enablers and blockers, estimate implementation risk, and start your SAFe implementation plan.
Start your journey with a clear understanding about the level of Agile and product maturity throughout the organization. Each area that lacks strength should be evaluated further and added to your journey map.
Define clear ownership for every critical step.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand what is driving your proposed SAFe transformation and if it is the right framework for your organization.
Better understanding of your scaled agile needs and drivers
1.1 Define your primary drivers for SAFe.
1.2 Create your own list of pros and cons of SAFe.
List of primary drivers for SAFe
List of pros and cons of SAFe
Identify factors influencing a SAFe implementation and ensure teams are aware and prepared.
Starting understanding of your organization’s readiness to implement a SAFe framework
2.1 Assess your Agile readiness.
2.2 Define enablers and blockers of scaling Agile delivery.
2.3 Estimate your SAFe implementation risk.
2.4 Start your SAFe implementation plan.
Agile readiness assessment results
List of enablers and blockers of scaling Agile delivery
Estimated SAFe implementation risk
High-level SAFe implementation plan template
Waterfall is dead. Or obsolete at the very least.
Organizations cannot wait months or years for product, service, application, and process changes. They need to embrace business agility to respond to opportunities more quickly and deliver value sooner. Agile established values and principles that have promoted smaller cycle times, greater connections between teams, improved return on investment (ROI) prioritization, and improved team empowerment.
Where organizations continue to struggle is matching localized Scrum teams with enterprise initiatives. This struggle is compounded by legacy executive planning cycles, which undermine Agile team authority. SAFe has provided a series of frameworks to help organizations deal with these issues. It combines enterprise planning and alignment with cross-team collaboration.
Don't rely on popularity or marketing to make your scaled Agile decision. SAFe is a highly disruptive transformation, and it requires extensive training, coaching, process changes, and time to implement. Without the culture shift to an Agile mindset at all levels, SAFe becomes a mirror of Waterfall processes dressed in SAFe names. Furthermore, SAFe itself will not fix problems with communication, requirements, development, testing, release, support, or governance. You will still need to fix these problems within the SAFe framework to be successful.
Hans Eckman
Principal Research Director, Applications Delivery and Management
Info-Tech Research Group
Your Challenge | Common Obstacles | Info-Tech's Approach |
Start with a clear understanding of your needs, constraints, goals, and culture.
Info-Tech Insight
SAFe is a highly disruptive enterprise transformation, and it won't solve your organizational delivery challenges by itself. Start with an open mind, and understand what is needed to support a multi-year cultural transition. Decide how far and how fast you are willing to transform, and make sure that you have the right transformation and coaching partner in place. There is no right software development lifecycle (SDLC) or methodology. Find or create the methodology that best aligns to your needs and goals.
"...while there is value in the items on the right, we value the items on the left more."
- The Agile Manifesto
STOP! If you're not Agile, don't start with SAFe.
Successful SAFe requires an Agile mindset at all levels.
1...solve development and communication issues.
2...ensure that you will finish requirements faster.
3...mean that you do not need planning and documentation.
"Without proper planning, organizations can start throwing more resources at the work, which spirals into the classic Waterfall issues of managing by schedule."
– Kristen Morton, Associate Implementation Architect,
OneShield Inc. (Info-Tech Interview)
Info-Tech Insight
Poor culture, processes, governance, and leadership will disrupt any methodology. Many drivers for SAFe could be solved by improving and standardizing development and release management within current methodologies.
Functional groups have their own drivers to adopt Agile development processes, practices, and techniques (e.g. to improve collaboration, decrease churn, or increase automation). Their buy-in to scaling Agile is just as important as the buy-in of stakeholders.
If a group's specific needs and drivers are not addressed, its members may develop negative sentiments toward Agile development. These negative sentiments can affect their ability to see the benefits of Agile, and they may return to their old habits once the opportunity arises.
It is important to find opportunities in which both business objectives and functional group drivers can be achieved by scaling Agile development. This can motivate teams to continuously improve and adhere to the new environment, and it will maintain business buy-in. It can also be used to justify activities that specifically address functional group drivers.
Examples of Motivating Drivers for Scaling Agile
Scaling Agile is a way to optimize product management and product delivery in application lifecycle management practices. Do not try to start with SAFe when the components are not yet in place.
Top Business Concerns When Scaling Agile
1 Organizational Culture: The current culture may not support team empowerment, learning from failure, and other Agile principles. SAFe also allows top-down decisions to persist.
2 Executive Support: Executives may not dedicate resources, time, and effort into removing obstacles to scaling Agile because of lack of business buy-in.
3 Team Coordination: Current collaboration structures may not enable teams and stakeholders to share information freely and integrate workflows easily.
4 Business Misalignment: Business vision and objectives may be miscommunicated early in development, risking poorly planned and designed initiatives and low-quality products.
Extending collaboration is the key to success.
Uniting stakeholders and development into a single body is the key to success. Assess the internal and external communication flow and define processes for planning and tracking work so that everyone is aware of how to integrate, communicate, and collaborate.
The goal is to enable faster reaction to customer needs, shorter release cycles, and improved visibility of the project's progress with cross-functional and diverse conversations.
Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
"Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.
Source: "Benefits," Scaled Agile, 2023
Develop Your Agile Approach for a Successful Transformation
Source: Scaled Agile, Inc.
Info-Tech Insight
SAFe is an enterprise, culture, and process transformation that impacts all IT services. Some areas of Info-Tech's IT Management & Governance Framework have higher impacts and require special attention. Plan to include transformation support for each of these topics during your SAFe implementation. SAFe will not fix broken processes on its own.
Source: Scaled Agile, Inc.
Info-Tech Insight
When first implementing SAFe, organizations reproduce their organizational design and Waterfall delivery structures with SAFe terms:
Risks and Causes of Failed SAFe Transformations
Challenges
Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
"Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.
Before undertaking an enterprise transformation, consider improving the underlying processes that will need to be fixed anyway. Fixing these areas while implementing SAFe compounds the effort and disruption.
Product Delivery
Product Management
"But big-bang transitions are hard. They require total leadership commitment, a receptive culture, enough talented and experienced agile practitioners to staff hundreds of teams without depleting other capabilities, and highly prescriptive instruction manuals to align everyone's approach."
– "Agile at Scale," Harvard Business Review
Overarching insight
SAFe is a highly disruptive enterprise transformation, and it will not solve your organizational delivery challenges by itself. Start with an open mind, and understand what is needed to support a multi-year cultural transition. Decide how far and fast you are willing to transform and make sure that you have the right transformation and coaching partner in place.
SAFe conflicts with core Agile principles.
The popularity of SAFe is largely due to its structural resemblance to enterprise portfolio and project planning with top-down prioritization and decision-making. This directly conflicts with Agile's purpose and principles of empowerment and agility.
SAFe and Agile will not solve enterprise delivery challenges.
Poor culture, processes, governance, and leadership will disrupt any methodology. Many issues with drivers for SAFe could be solved by improving development and release management within current methodologies.
Most organizations should not be using a pure SAFe framework.
Few organizations are capable of, or should be, applying a pure SAFe framework. Successful organizations have adopted and modified SAFe frameworks to best fit their needs, teams, value streams, and maturity.
Without an Agile mindset, SAFe will be executed as Waterfall stages using SAFe terminology.
Groups that "Do Agile" are not likely to embrace the behavioral changes needed to make any scaled framework effective. SAFe becomes a series of Waterfall PIs using SAFe terminology.
Your transformation does not start with SAFe.
Start your transition to scaled Agile with a maturity assessment for current delivery practices. Fixing broken processes, tools, and teams must be at the heart of your initiative.
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Key Deliverable
Build a transformation and organizational change management plan to guide your transition. Define clear ownership for every critical step.
Scaled Agile Readiness Assessment
Conduct the Agile readiness survey. Without an Agile mindset, SAFe will follow Waterfall or WaterScrumFall practices.
INDUSTRY: Digital Media
SOURCE: Unified Communications and Collaborations
With rapid user adoption growth (over 15 million active users in under six years), Spotify had to find a way to maintain an Agile mindset across 30+ teams in three different cities, while maintaining the benefits of cross-functional collaboration and flexibility for future growth.
Spotify found a fit-for-purpose way for the organization to increase team autonomy without losing the benefits of cross-team communication from economies of scale. Spotify focused on identifying dependencies that block or slow down work through a mix of reprioritization, reorganization, architectural changes, and technical solutions. The organization embraced dependencies that led to cross-team communication and built in the necessary flexibility to allow Agile to grow with the organization.
Spotify's scaling Agile initiative used interview processes to identify what each team depended on and how those dependencies blocked or slowed the team.
Squad refers to an autonomous Agile release team in this case study.
INDUSTRY: Insurance
SOURCE: Agile India, International Conference on Agile and Lean Software Development, 2014
Challenge | Solution | Results |
DIY Toolkit | Guided Implementation | Workshop | Consulting |
---|---|---|---|
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks are used throughout all four options.
Phase 1 |
---|
Call #1: Scope your requirements, objectives, and specific challenges. |
Call #2: 1.1.1 Define your primary drivers for SAFe. 1.1.2 Create your own list of pros and cons of SAFe. |
Call #3: 1.2.1 Assess your Agile readiness. 1.2.2 Define enablers and blockers for scaling Agile delivery. 1.2.3 Estimate your SAFe implementation risk. |
Call #4: 1.2.4 Start your SAFe implementation plan. Summarize your results and plan your next steps. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is one to four calls over the course of one to six weeks.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| | Pre-Planning | Step 1.1 | Step 1.2 |
---|---|---|---|
| | Identify your stakeholders. | Step 1.1 Understand where SAFe fits into your delivery methodologies and SDLCs. | Step 1.2 Determine if you are ready for SAFe. |
Activities | 1. Determine stakeholders and subject matter experts. 2. Coordinate timing and participation. 3. Set goals and expectations for the workshop. | 1.1.1 Define your primary drivers for SAFe. 1.1.2 Create your own list of pros and cons of SAFe. | 1.2.1 Assess your Agile readiness. 1.2.2 Define enablers and blockers for scaling Agile delivery. 1.2.3 Estimate your SAFe implementation risk. 1.2.4 Start your SAFe implementation plan. |
Deliverables | | | |
Enable Product Agile Delivery Executive Workshop | Develop Your Agile Approach | Spread Best Practices with an Agile Center of Excellence | Implement DevOps Practices That Work | Enable Organization-Wide Collaboration by Scaling Agile |
---|---|---|---|---|
Align and prepare your IT leadership teams. Audience: Senior and IT delivery leadership Size: 8-16 people Time: 7 hours | Tune Agile team practices to fit your organization culture. Audience: Agile pilot teams and subject matter experts (SMEs) Size: 10-20 people Time: 4 days | Leverage Agile thought leadership to expand your best practices. Audience: Agile SMEs and thought leaders Size: 10-20 people Time: 4 days | Build a continuous integration and continuous delivery pipeline. Audience: Product owners (POs) and delivery team leads Size: 10-20 people Time: 4 days | Execute a disciplined approach to rolling out Agile methods. Audience: Agile steering team and SMEs Size: 3-8 people Time: 3 hours |
Sample agendas are included in the following sections for each of these topics.
1. Make the Case for Product Delivery | 2. Enable Product Delivery - Executive Workshop | 3. Deliver on Your Digital Product Vision | 4. Deliver Digital Products at Scale | 5. Mature and Scale Product Ownership |
---|---|---|---|---|
Align your organization with the practices to deliver what matters most. | Participate in a one-day executive workshop to help you align and prepare your leadership. | Enhance product backlogs, roadmapping, and strategic alignment. | Scale product families to align with your organization's goals. | Align and mature your product owners. |
Audience: Senior executives and IT leadership Size: 8-16 people Time: 6 hours | Audience: Product owners/managers Size: 10-20 people Time: 3-4 days | Audience: Product owners/managers Size: 10-20 people Time: 3-4 days | Audience: Product owners/managers Size: 8-16 people Time: 2-4 days |
Phase 1
1.1 Understand where SAFe fits into your delivery methodologies and SDLCs
1.2 Determine if you are ready for SAFe (fit for purpose)
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
1.1.1 Define your primary drivers for SAFe
1.1.2 Create your own list of pros and cons of SAFe
This step involves the following participants:
Outcomes of this step:
"...while there is value in the items on the right, we value the items on the left more."
– The Agile Manifesto
STOP! If you're not Agile, don't start with SAFe.
Successful SAFe requires an Agile mindset at all levels.
1...solve development and communication issues.
2...ensure that you will finish requirements faster.
3...mean that you do not need planning and documentation.
"Without proper planning, organizations can start throwing more resources at the work, which spirals into the classic Waterfall issues of managing by schedule."
– Kristen Morton, Associate Implementation Architect,
OneShield Inc. (Info-Tech Interview)
Info-Tech Insight
SAFe only provides a framework and steps where these issues can be resolved.
Modern development practices (such as Agile, Lean, and DevOps) are based on values and principles. This supports the move away from command-and-control management to self-organizing teams.
Values
Principles
Teams may have their own perspectives on how they deliver value and their own practices for how they do this. These perspectives can help you develop guiding principles for your own team to explain your core values and cement your team's culture. Guiding principles can help you:
Info-Tech Insight
Following methodologies by the book can be detrimental if they do not fit your organization's needs, constraints, and culture. The ultimate goal of all teams is to deliver value. Any practices or activities that drive teams away from this goal should be removed or modified.
Functional groups have their own drivers to adopt Agile development processes, practices, and techniques (e.g. to improve collaboration, decrease churn, or increase automation). Their buy-in to scaling Agile is just as important as the buy-in of stakeholders.
If a group's specific needs and drivers are not addressed, the resulting negative sentiments of its members toward Agile development can affect their ability to see the benefits of Agile, and they may return to old habits once the opportunity arises.
Find opportunities in which both business objectives and functional group drivers can be achieved with scaling Agile development. This alignment can motivate teams to continuously improve and adhere to the new environment, and it will maintain business buy-in. This assessment can also be used to justify activities that specifically address functional group drivers.
Examples of Motivating Drivers for Scaling Agile
30 minutes
Enter the results in your SAFe Transformation Playbook.
INDUSTRY: Public Utilities
SOURCE: Info-Tech Expert Interview
Challenge
Results
Info-Tech Insight
When first implementing SAFe, organizations reproduce their organizational design and Waterfall delivery structures with SAFe terms:
Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
"Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.
Source: "Benefits," Scaled Agile, 2023
Risks and Causes of Failed SAFe Transformations
Challenges
Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023; "Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.
1 hour
Pros | Cons |
Enter the results in your SAFe Transformation Playbook
Before undertaking an enterprise transformation, consider improving the underlying processes that will need to be fixed anyway. Fixing these areas while implementing SAFe compounds the effort and disruption.
Product Delivery
Product Management
"But big-bang transitions are hard. They require total leadership commitment, a receptive culture, enough talented and experienced agile practitioners to staff hundreds of teams without depleting other capabilities, and highly prescriptive instruction manuals to align everyone's approach."
- "Agile at Scale," Harvard Business Review
Activities
1.2.1 Assess your Agile readiness
1.2.2 Define enablers and blockers for scaling Agile delivery
1.2.3 Estimate your SAFe implementation risk
1.2.4 Start your SAFe implementation plan
This step involves the following participants:
Outcomes of this step:
1 hour
Enter the results in Scaled Agile Readiness Assessment.
1 hour
Enablers | Blockers | Mitigation |
Enter the results in your SAFe Transformation Playbook
| | Poor Fit | High Risk | Scaling Potential |
---|---|---|---|
Team size | <50 | >150 or non-dedicated | 50-150 dedicated |
Agile maturity | Waterfall and project delivery | Individual Scrum DevOps teams | Scrum DevOps teams coordinating dependencies |
Product management maturity | Project-driver changes from stakeholders | Proxy product owners within delivery teams | Defined product families and products |
Strategic goals | Localized decisions | Enterprise goals implemented at the app level | Translation and refinement of enterprise goals through product families |
Enterprise architecture | Siloed architecture standards | Common architectures | Future enterprise architecture and employee review board (ERB) reviews |
Release management | Independent release schedules | Formal release calendar | Continuous integration/development (CI/CD) with organizational change management (OCM) scheduled cross-functional releases |
Requirements management and quality assurance | Project based | Partial requirements and test case coverage | Requirements as an asset and test automation |
30 minutes
Enter the results in SAFe Transformation Playbook.
Plan your transformation.
Build your SAFe framework.
Implement SAFe practices.
For additional help with OCM, please download Master Organizational Change Management Practices.
30 minutes
Enter the results in your SAFe Transformation Playbook
Implementing SAFe is a long, expensive, and difficult process. For some organizations, SAFe provides the balance of leadership-driven prioritization and control with shorter release cycles and time to value. The key is making sure that SAFe is right for you and you are ready for SAFe. Few organizations fit perfectly into one of the SAFe frameworks. Instead, consider fine-tuning and customizing SAFe to meet your needs and support a gradual transformation.
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
Below are sample activities that will be conducted by Info-Tech analysts with your team:
Scaled Agile Delivery Readiness Assessment
This assessment will help identify enablers and blockers in your organizational culture using our CLAIM+G organization transformation model.
SAFe Value Canvas
Use a value canvas to define jobs, pains, gains, pain relievers, gain creators, and needed deliverables to help inform and guide your SAFe transformation.
"6 Biggest SAFe Agile Implementation Mistakes to Avoid." Triumph Strategic Consulting, 27 July 2017.
"The 7 Must-Haves for Achieving Scaling Agile Success." The 7 Must-Haves for Achieving Scaling Agile Success.
Ageling, Willem-Jan. "11 Most Common Reasons to Use Scaled Agile Framework (SAFE) and How to Do This With Unscaled Scrum." Medium, Serious Scrum, 26 Jan. 2020.
Agile India, International Conference on Agile and Lean Software Development, 2014.
"Air France - KLM - Agile Adoption with SAFe." Scaled Agile, 28 Nov. 2022.
"Application Development Trends 2019 - Global Survey Report." OutSystems.
"Benefits of SAFe: How It Benefits Organizations." Scaled Agile, 13 Mar. 2023.
Berkowitz, Emma. "The Cost of a SAFe(r) Implementation: CPRIME Blog." Cprime, 30 Jan. 2023.
"Chevron - Adopting SAFe with Remote Workforce." Scaled Agile, 28 Nov. 2022.
"Cisco IT - Adopting Agile Development with SAFe." Scaled Agile, 13 Sept. 2022.
"CMS - Business Agility Transformation Using SAFe." Scaled Agile, 13 Sept. 2022.
Crain, Anthony. "4 Biggest Challenges in Moving to Scaled Agile Framework (SAFe)." TechBeacon, 25 Jan. 2019.
"The Essential Role of Communications." Project Management Institute.
Gardiner, Phil. "SAFe Implementation: 4 Tips for Getting Started." Applied Frameworks, 20 Jan. 2022.
"How Do I Start Implementing SAFe?" Agility in Mind, 29 July 2022.
"How to Masterfully Screw Up Your SAFe Implementation." Wibas Artikel-Bibliothek, 6 Sept. 2022.
"Implementation Roadmap." Scaled Agile Framework, 14 Mar. 2023.
Islam, Ayvi. "SAFe Implementation 101 - The Complete Guide for Your Company." //Seibert/Media, 22 Dec. 2020.
"Johnson Controls - SAFe Implementation Case Study." Scaled Agile, 28 Nov. 2022.
"The New Rules and Opportunities of Business Transformation." KPMG.
"Nokia Software - SAFe Agile Transformation." Scaled Agile, 28 Nov. 2022.
Pichler, Roman. "What Is Product Management?" Romanpichler, 2014.
"Product Documentation." ServiceNow.
"Pros and Cons of Scaled Agile Framework." PremierAgile.
"Pulse of the Profession Beyond Agility." Project Management Institute.
R, Ramki. "Pros and Cons of Scaled Agile Framework (SAFe)." Medium, 3 Mar. 2019.
R, Ramki. "When Should You Consider Implementing SAFe (Scaled Agile Framework)?" Medium, 3 Mar. 2019.
Rigby, Darrell, Jeff Sutherland, and Andy Noble. "Agile at Scale: How to go from a few teams to hundreds." Harvard Business Review, 2018.
"SAFe Implementation Roadmap." Scaled Agile Framework, Scaled Agile, Inc., 14 Mar. 2023.
"SAFe Partner Cprime: SAFe Implementation Roadmap: Scaled Agile." Cprime, 5 Apr. 2023.
"SAFe: The Good, the Bad, and the Ugly." Project Management Institute.
"Scaled Agile Framework." Wikipedia, Wikimedia Foundation, 29 Mar. 2023.
"Scaling Agile Challenges and How to Overcome Them." PremierAgile.
"SproutLoud - a Case Study of SAFe Agile Planning." Scaled Agile, 29 Nov. 2022.
"Story." Scaled Agile Framework, 13 Apr. 2023.
Sutherland, Jeff. "Scrum: How to Do Twice as Much in Half the Time." Tedxaix, YouTube, 7 July 2014.
Venema, Marjan. "6 Scaled Agile Frameworks - Which One Is Right for You?" NimbleWork, 23 Dec. 2022.
Warner, Rick. "Scaled Agile: What It Is and Why You Need It." High-Performance Low-Code for App Development, OutSystems, 25 Oct. 2019.
Watts, Stephen, and Kirstie Magowan. "The Scaled Agile Framework (SAFE): What to Know and How to Start." BMC Blogs, 9 Sept. 2020.
"What Is SAFe? The Scaled Agile Framework Explained." CIO, 9 Feb. 2021.
"Why Agile Transformations Fail: Four Common Culprits." Planview.
"Why You Should Use SAFe (and How to Find SAFe Training to Help)." Easy Agile.
Y., H. "Story Points vs. 'Ideal Days.'" Cargo Cultism, 19 Aug. 2010.
Enable Organization-Wide Collaboration by Scaling Agile
Ambler, Scott W. "Agile Architecture: Strategies for Scaling Agile Development." Agile Modeling, 2012.
- - -. "Comparing Approaches to Budgeting and Estimating Software Development Projects." AmbySoft.
- - -. "Agile and Large Teams." Dr. Dobb's, 17 Jun 2008.
Ambler, Scott W. and Mark Lines. Disciplined Agile Delivery: A Practitioner's Guide to Agile Software Delivery in the Enterprise. IBM Press, 2012.
Ambler, Scott W., and Mark Lines. "Scaling Agile Software Development: Disciplined Agility at Scale." Disciplined Agile Consortium White Paper Series, 2014.
AmbySoft. "2014 Agile Adoption Survey Results." Scott W. Ambler + Associates, 2014.
Bersin, Josh. "Time to Scrap Performance Appraisals?" Forbes Magazine, 5 June 2013. Accessed 30 Oct. 2013.
Cheese, Peter, et al. "Creating an Agile Organization." Accenture, Oct. 2009. Accessed Nov. 2013.
Croxon, Bruce, et al. "Dinner Series: Performance Management with Bruce Croxon from CBC's 'Dragon's Den.'" HRPA Toronto Chapter. Sheraton Hotel, Toronto, ON, 12 Nov. 2013. Panel discussion.
Culbert, Samuel. "10 Reasons to Get Rid of Performance Reviews." Huffington Post Business, 18 Dec. 2012. Accessed 28 Oct. 2013.
Denning, Steve. "The Case Against Agile: Ten Perennial Management Objections." Forbes Magazine, 17 Apr. 2012. Accessed Nov. 2013.
Estis, Ryan. "Blowing up the Performance Review: Interview with Adobe's Donna Morris." Ryan Estis & Associates, 17 June 2013. Accessed Oct. 2013.
Heikkila et al. "A Revelatory Case Study on Scaling Agile Release Planning." EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), 2010.
Holler, Robert, and Ian Culling. "From Agile Pilot Project to Enterprise-Wide Deployment: Five Sure-Fire Ways To Fail When You Scale." VersionOne, 2010.
Kniberg, Henrik, and Anders Ivarsson. "Scaling Agile @ Spotify." Unified Communications and Collaborations, 2012.
Narayan, Sriram. "Agile IT Organization Design: For Digital Transformation and Continuous Delivery." Addison-Wesley Professional, 2015.
Shrivastava, NK, and Phillip George. "Scaling Agile." RefineM, 2015.
Sirkia, Rami, and Maarit Laanti. "Lean and Agile Financial Planning." Scaled Agile Framework Blog, 2014.
Scaled Agile Framework (SAFe). "Agile Architecture." Scaled Agile Inc., 2015.
VersionOne. 9th Annual: State of Agile Survey. VersionOne, LLC, 2015.
Build a Business-Aligned IT Strategy
Success depends on IT initiatives clearly aligned to business goals, IT excellence, and driving technology innovation.
Make Your IT Governance Adaptable
Governance isn't optional, so keep it simple and make it flexible.
Create an IT View of the Service Catalog
Unlock the full value of your service catalog with technical components.
Application Portfolio Management Foundations
Ensure your application portfolio delivers the best possible return on investment.
Agile/DevOps Research Center
Access the tools and advice you need to be successful with Agile.
Develop Your Agile Approach for a Successful Transformation
Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.
Implement DevOps Practices That Work
Streamline business value delivery through the strategic adoption of DevOps practices.
Perform an Agile Skills Assessment
Being Agile isn't about processes, it's about people.
Define the Role of Project Management in Agile and Product-Centric Delivery
Projects and products are not mutually exclusive.
Make the Case for Product Delivery
Align your organization on the practices to deliver what matters most.
Deliver on Your Digital Product Vision
Build a product vision your organization can take from strategy through execution.
Deliver Digital Products at Scale
Deliver value at the scale of your organization through defining enterprise product families.
Mature and Scale Product Ownership
Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.
Build a Value Measurement Framework
Focus product delivery on business value-driven outcomes.
Create a Holistic IT Dashboard
Mature your IT department by measuring what matters.
Select and Use SDLC Metrics Effectively
Be careful what you ask for, because you will probably get it.
Reduce Time to Consensus With an Accelerated Business Case
Expand on the financial model to give your initiative momentum.
Make Your IT Governance Adaptable
Governance isn't optional, so keep it simple and make it flexible.
Maximize Business Value From IT Through Benefits Realization
Embed benefits realization into your governance process to prioritize IT spending and confirm the value of IT.
Drive Digital Transformation With Platform Strategies
Innovate and transform your business models with digital platforms.
Succeed With Digital Strategy Execution
Building a digital strategy is only half the battle: create a systematic roadmap of technology initiatives to execute the strategy and drive digital transformation.
Build a Value Measurement Framework
Focus product delivery on business value-driven outcomes.
Create a Holistic IT Dashboard
Mature your IT department by measuring what matters.
Requirements Gathering for Small Enterprises
Right-size the guidelines of your requirements gathering process.
Improve Requirements Gathering
Back to basics: great products are built on great requirements.
Build a Software Quality Assurance Program
Build quality into every step of your SDLC.
Automate Testing to Get More Done
Drive software delivery throughput and quality confidence by extending your automation test coverage.
Manage Your Technical Debt
Make the case to manage technical debt in terms of business impact.
Create a Business Process Management Strategy
Avoid project failure by keeping the "B" in BPM.
Build a Winning Business Process Automation Playbook
Optimize and automate your business processes with a user-centric approach.
Optimize Applications Release Management
Build trust by right-sizing your process using appropriate governance.
Streamline Application Maintenance
Effective maintenance ensures the long-term value of your applications.
Streamline Application Management
Move beyond maintenance to ensure exceptional value from your apps.
Optimize IT Change Management
Right-size IT change management to protect the live environment.
Manage Your Technical Debt
Make the case to manage technical debt in terms of business impact.
Improve Application Development Throughput
Drive down your delivery time by eliminating development inefficiencies and bottlenecks while maintaining high quality.
Embed Business Relationship Management in IT
Show that IT is worthy of Trusted Partner status.
Mature and Scale Product Ownership
Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.
Build an Information Security Strategy
Create value by aligning your strategy to business goals and business risks.
Develop and Deploy Security Policies
Enhance your overall security posture with a defensible and prescriptive policy suite.
Simplify Identity and Access Management
Leverage risk- and role-based access control to quantify and simplify the identity and access management (IAM) process.
Embrace Business-Managed Applications
Empower the business to implement their own applications with a trusted business-IT relationship.
Enhance Your Solution Architecture Practices
Ensure your software systems solution is architected to reflect stakeholders' short- and long-term needs.
Satisfy Digital End Users With Low- and No-Code
Extend IT, automation, and digital capabilities to the business with the right tools, good governance, and trusted organizational relationships.
Build Your First RPA Bot
Support RPA delivery with strong collaboration and management foundations.
Automate Work Faster and More Easily With Robotic Process Automation
Embrace the symbiotic relationship between the human and digital workforce.
Modernize Data Architecture for Measurable Business Results
Enable the business to achieve operational excellence, client intimacy, and product leadership with an innovative, agile, and fit-for-purpose data architecture practice.
Build a Reporting and Analytics Strategy
Deliver actionable business insights by creating a business-aligned reporting and analytics strategy.
Build Your Data Quality Program
Quality data drives quality business decisions.
Design Data-as-a-Service
Journey to the data marketplace ecosystems.
Build a Robust and Comprehensive Data Strategy
Learn about the key to building and fostering a data-driven culture.
Build an Application Integration Strategy
Level the table before assembling the application integration puzzle or risk losing pieces.
Key Elements of the Agile SDLC
* There are many Agile methodologies to choose from, but Scrum is by far the most widely used (and is shown above).
Scrum
Related or grouped changes are delivered in fixed time intervals.
Use when:
Kanban
Independent items are delivered as soon as each is ready.
Use when:
Info-Tech Best Practice
Product management is not just about managing the product backlog and development cycles.
Teams need to manage key milestones, such as learning milestones, test releases, product releases, phase gates, and other organizational checkpoints.
A well-formed backlog can be thought of as a DEEP backlog:
Detailed Appropriately: PBIs are broken down and refined as necessary.
Emergent: The backlog grows and evolves over time as PBIs are added and removed.
Estimated: The effort that a PBI requires is estimated at each tier.
Prioritized: A PBI's value and priority are determined at each tier.
Source: Perforce, 2018
Each activity is a variation of measuring value and estimating effort in order to validate and prioritize a PBI.
A PBI successfully completes an activity and moves to the next backlog tier when it meets the appropriate criteria. Quality filters should exist between each tier.
Info-Tech Best Practice
A quality filter ensures that quality is met and the appropriate teams are armed with the correct information to work more efficiently and improve throughput.
In "Deliver on Your Digital Product Vision," we demonstrate how a product roadmap is core to value realization. The product roadmap is your communicated path. As a product owner, you use it to align teams and changes to your defined goals, as well as your product to enterprise goals and strategy.
Info-Tech Insight
The quality of your product backlog - and your ability to realize business value from your delivery pipeline - is directly related to the input, content, and prioritization of items in your product roadmap.
The Info-Tech Difference
Create a common definition of what a product is and identify the products in your inventory.
Use scaling patterns to build operationally aligned product families.
Develop a roadmap strategy to align families and products to enterprise goals and priorities.
Use products and families to assess value realization.
Organizations consider application oversight a low priority and app portfolio knowledge is poor:
Build an APM program that is actionable and fit for size:
Enterprises have more applications than they need and rarely apply oversight to monitor the health, cost, and relative value of applications to ensure efficiency and minimal risk. This blueprint will help you build a streamlined application portfolio management process.
Visibility into your application portfolio and APM practices will help inform and guide your next steps.
Capture your APM roles and responsibilities and build a repeatable process.
This tool is the central hub for the activities within Application Portfolio Management Foundations.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Work with key corporate stakeholders to come to a shared understanding of the benefits and aspects of application portfolio management.
Establish the goals of APM.
Set the scope of APM responsibilities.
Establish business priorities for the application portfolio.
1.1 Define goals and metrics.
1.2 Define application categories.
1.3 Determine steps and roles.
1.4 Weight value drivers.
Set short- and long-term goals and metrics.
Set the scope for applications.
Set the scope for the APM process.
Defined business value drivers.
Gather information on your applications to build a detailed inventory and identify areas of redundancy.
Populated inventory based on your and your team’s current knowledge.
Understanding of outstanding data and a plan to collect it.
2.1 Populate inventory.
2.2 Assign business capabilities.
2.3 Review outstanding data.
Initial application inventory
List of areas of redundancy
Plan to collect outstanding data
Work with the application subject matter experts to collect and compile data points and determine the appropriate disposition for your apps.
Dispositions for individual applications
Application rationalization framework
3.1 Assess business value.
3.2 Assess end-user perspective.
3.3 Assess TCO.
3.4 Assess technical health.
3.5 Assess redundancies.
3.6 Determine dispositions.
Business value score for individual applications
End-user satisfaction scores for individual applications
TCO score for individual applications
Technical health scores for individual applications
Feature-level assessment of redundant applications
Assigned dispositions for individual applications
Work with application delivery specialists to determine the strategic plans for your apps and place these in your portfolio roadmap.
Prioritized initiatives
Initial application portfolio roadmap
Ongoing structure of APM
4.1 Prioritize initiatives.
4.2 Populate roadmap.
4.3 Determine ongoing APM cadence.
4.4 Build APM action plan.
Prioritized new potential initiatives.
Built an initial portfolio roadmap.
Established an ongoing cadence of APM activities.
Built an action plan to complete APM activities.
Many lack visibility into their overall application portfolio, focusing instead on individual projects or application development. Inevitably, application sprawl creates process and data disparities, redundant applications, and duplication of resources and stands as a significant barrier to business agility and responsiveness. The shift from strategic investment to application maintenance creates an unnecessary constraint on innovation and value delivery.
With the rise and convenience of SaaS solutions, IT has an increasing need to discover and support all applications in the organization. Unmanaged and unsanctioned applications can lead to increased reputational risk. What you don’t know WILL hurt you.
You can outsource development, you can even outsource maintenance, but you cannot outsource accountability for the portfolio. Organizations need a holistic dashboard of application performance and dispositions to help guide and inform planning and investment discussions. Application portfolio management (APM) can’t tell you why something is broken or how to fix it, but it is an important tool to determine if an application’s value and performance are up to your standards and can help meet your future goals.
Hans Eckman
Principal Research Director
Info-Tech Research Group
Research Navigation
Managing your application portfolio is essential regardless of its size or whether your software is purchased or developed in house. Each organization must have some degree of application portfolio management to ensure that applications deliver value efficiently and that their risk or gradual decline in technical health is appropriately limited.
Your APM goals | If this describes your primary goal(s)
Your Challenge | Common Obstacles | Info-Tech’s Approach
Modern software options have decreased the need for organizations to have robust in-house application management capabilities. Your applications’ future and the governance of the portfolio still require centralized IT oversight to ensure the best return on investment.
Source: National Small Business Association, 2019
Having more applications than an organization needs means unnecessarily high costs and additional burden on the teams who support the applications. Especially in the case of small enterprises, this is added pressure the IT team cannot afford. A poorly maintained portfolio will eventually hurt the business more than it hurts IT. Legacy systems, complex environments, or anything that leads to a portfolio that can’t adapt to changing business needs will eventually become a barrier to business growth and accomplishing objectives. Often the blame is put on the IT department.
56% of small businesses cited inflexible technology as a barrier to growth.
Source: Salesforce as quoted by Tech Republic, 2019
A hidden and inefficient application portfolio is the root cause of so many pains experienced by both IT and the business.
The benefits of APM
APM identifies areas where you can reduce core spending and reinvest in innovation initiatives.
Other benefits can include:
Application Inventory
The artifact that documents and informs the business of your application portfolio.
Application Rationalization
The process of collecting information and assessing your applications to determine recommended dispositions.
Application Alignment
The process of revealing application information through interviewing stakeholders and aligning to business capabilities.
Application Roadmap
The artifact that showcases the strategic directions for your applications over a given timeline.
The ongoing practice of:
Product Lifecycle Management
Align your product and service improvement and execution to enterprise strategy and value realization in three key areas: defining your products and services, aligning product/service owners, and developing your product vision.
Product Delivery Lifecycle (Agile DevOps)
Enhance business agility by leveraging an Agile mindset and continuously improving your delivery throughput, quality, value realization, and adaptive governance.
Application Portfolio Management
Transform your application portfolio into a cohesive service catalog aligned to your business capabilities by discovering, rationalizing, and modernizing your applications while improving application maintenance, management, and reuse.
Inefficiencies within your application portfolio are created by the gradual and non-strategic accumulation of applications.
You have more apps than you need.
Only 34% of software is rated as both IMPORTANT and EFFECTIVE by users.
Directionless portfolio of applications | Info-Tech’s Five Lens Model | Assigned dispositions for individual apps
Lens | Question
---|---
Application Alignment | How well do your apps support your core functions and teams?
Business Value | How well are your apps aligned to value delivery?
Technical Health | Do your apps meet all IT quality standards and policies?
End-User Perspective | How well do your apps meet your end users’ needs?
Total Cost of Ownership (TCO) | What is the relative cost of ownership and operation of your apps?
Disposition: The intended strategic direction or implied course of action for an application.
Maintain: Keep the application but adjust its support structure.
Modernize: Create a new initiative to address an inadequacy.
Consolidate: Create a new initiative to reduce duplicate functionality.
Retire: Phase out the application.
Application rationalization requires the collection of several data points that represent these perspectives and act as the criteria for determining a disposition for each of your applications.
Determine Scope and categories | Build your list of applications and capabilities | Score each application based on your values | Determine outcomes based on app scoring and support for capabilities
---|---|---|---
1. Lay Your Foundations 1.1 Assess the state of your current application portfolio. 1.2 Determine narrative. 1.3 Define goals and metrics. 1.4 Define application categories. 1.5 Determine APM steps and roles (SIPOC). | 2. Improve Your Inventory 2.1 Populate your inventory. 2.2 Align to business capabilities. *Repeat | 3. Rationalize Your Apps 3.1 Assess business value. 3.2 Assess technical health. 3.3 Assess end-user perspective. 3.4 Assess total cost of ownership. *Repeat | 4. Populate Your Roadmap 4.1 Review APM Snapshot results. 4.2 Review APM Foundations results. 4.3 Determine dispositions. 4.4 Assess redundancies (optional). 4.5 Determine dispositions for redundant applications (optional). 4.6 Prioritize initiatives. 4.7 Determine ongoing cadence. *Repeat
INDUSTRY: Retail
SOURCE: Deloitte, 2017
Supermarket Company
The grocer was a smaller organization for the supermarket industry with a relatively low IT budget. While its portfolio consisted of a dozen applications, the organization still found it difficult to react to an evolving industry due to inflexible and overly complex legacy systems. The IT manager found himself in a scenario where he knew the applications well but had little awareness of the business processes they supported. Application maintenance was purely in keeping things operational, with little consideration for a future business strategy.
As the business demanded more responsiveness to changes, the IT team needed to be able to react more efficiently and effectively while still securing the continuity of the business. The IT manager found success by introducing APM and gaining a better understanding of the business use and future needs for the applications. The organization started small but then increased the scope over time to produce and develop techniques to aid the business in meeting strategic goals with applications.
Results
The IT manager gained credibility and trust within the organization. The organization was able to build a plan to move away from the legacy systems and create a portfolio more responsive to the dynamic needs of an evolving marketplace.
The application portfolio management initiative included the following components:
Train teams and stakeholders on APM
Model the core business processes
Collect application inventory
Assign APM responsibilities
Start small, then grow
| | 1. Lay Your Foundations | 2. Improve Your Inventory | 3. Rationalize Your Apps | 4. Populate Your Roadmap |
|---|---|---|---|---|
| Phase Activities | 1.1 Assess your current application portfolio 1.2 Determine narrative 1.3 Define goals and metrics 1.4 Define application categories 1.5 Determine APM steps and roles | 2.1 Populate your inventory 2.2 Align to business capabilities | 3.1 Assess business value 3.2 Assess technical health 3.3 Assess end-user perspective 3.4 Assess total cost of ownership | 4.1 Review APM Snapshot results 4.2 Review APM Foundations results 4.3 Determine dispositions 4.4 Assess redundancies (optional) 4.5 Determine dispositions for redundant applications (optional) 4.6 Prioritize initiatives 4.7 Determine ongoing APM cadence |
| Phase Outcomes | Work with the appropriate management stakeholders to: | Gather information on your own understanding of your applications to build a detailed inventory and identify areas of redundancy. | Work with application subject matter experts to collect and compile data points and determine the appropriate disposition for your apps. | Work with application delivery specialists to determine the strategic plans for your apps and place these in your portfolio roadmap. |
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.
Application Portfolio Management Foundations Playbook | Application Portfolio Management Snapshot and Foundations Tool
---|---
This template allows you to capture your APM roles and responsibilities and build a repeatable process. | This tool stores all relevant application information and allows you to assess your capability support, execute rationalization, and build a portfolio roadmap.
Key deliverable:
Blueprint Storyboard
This is the PowerPoint document you are viewing now. Follow this guide to understand APM, learn how to use the tools, and build a repeatable APM process that will be captured in your playbook.
DIY Toolkit | Guided Implementation | Workshop | Consulting
---|---|---|---
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” | “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” | “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” | “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Diagnostics and consistent frameworks used throughout all four options
Phase 1 | Phase 2 | Phase 3 | Phase 4
---|---|---|---
Call #1: Establish goals and foundations for your APM practice. | Call #2: Initiate inventory and determine data requirements. | Call #3: Initiate rationalization with group of applications. Call #4: Review result of first iteration and perform retrospective. | Call #5: Initiate your roadmap and determine your ongoing APM practice.
Note: The Guided Implementation will focus on a subset or group of applications depending on the state of your current APM inventory and available time. The goal is to use this first group to build your APM process and models to support your ongoing discovery, rationalization, and modernization efforts.
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our right-sized best practices in your organization. A typical GI, using our materials, is 3 to 6 calls over the course of 1 to 3 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| | 1. Lay Your Foundations | 2. Improve Your Inventory | 3. Rationalize Your Apps | 4. Populate Your Roadmap | Post Workshop Steps |
|---|---|---|---|---|---|
| Activities | 1.1 Assess your current 1.2 Determine narrative 1.3 Define goals and metrics 1.4 Define application categories 1.5 Determine APM steps and roles | 2.1 Populate your inventory 2.2 Align to business capabilities | 3.1 Assess business value 3.2 Assess technical health 3.3 Assess end-user perspective 3.4 Assess total cost of ownership | 4.1 Review APM Snapshot results 4.2 Review APM Foundations results 4.3 Determine dispositions 4.4 Assess redundancies (optional) 4.5 Determine dispositions for redundant applications (optional) 4.6 Prioritize initiatives 4.7 Determine ongoing APM cadence | |
| Outcomes | Work with the appropriate management stakeholders to: | Work with your applications team to: | Work with the SMEs for a subset of applications to: | Work with application delivery specialists to: | Info-Tech analysts complete: |
Note: The workshop will focus on a subset or group of applications depending on the state of your current APM inventory and available time. The goal is to use this first group to build your APM process and models to support your ongoing discovery, rationalization, and modernization efforts.
Outcomes | 1-Day Snapshot | 3-Day Snapshot and Foundations (Key Apps) | 4-Day Snapshot and Foundations (Pilot Area)
---|---|---|---
APM Snapshot | ✓ | ✓ | ✓
APM Foundations | | ✓ Establish APM practice with a small sample set of apps and capabilities. | ✓ Establish APM practice with a pilot group of apps and capabilities.
APM Lead/Owner (Recommended)
☐ Applications Lead or the individual responsible for application portfolio management, along with any applications team members, if available
Key Corporate Stakeholders
Depending on size and structure, participants could include:
☐ Head of IT (CIO, CTO, IT Director, or IT Manager)
☐ Head of shared services (CFO, COO, VP HR, etc.)
☐ Compliance Officer, Steering Committee
☐ Company owner or CEO
Application Subject Matter Experts
Individuals who have familiarity with a specific subset of applications
☐ Business owners (product owners, Head of Business Function, power users)
☐ Support owners (Operations Manager, IT Technician)
Delivery Leads
☐ Development Managers
☐ Solution Architects
☐ Project Managers
1. Diagnostic
2. Data Journey
3. Snapshot
4. Foundations: Results
5. Foundations: Chart
6. App Comparison
7. Roadmap
Examples and explanations of these tools are located on the following slides and within the phases where they occur.
One of the primary purposes of application portfolio management is to get what we know and need to know on paper so we can share a common vision and understanding of our portfolio. This enables better discussions and decisions with your application owners and stakeholders.
TCO, compared relatively to business value, helps determine the practicality of a disposition and the urgency of any call to action. Application alignment is factored in when assessing redundancies and has a separate set of dispositions.
Phase 1 1.1 Assess Your Current Application Portfolio 1.2 Determine Narrative 1.3 Define Goals and Metrics 1.4 Define Application Categories 1.5 Determine APM Steps and Roles
Phase 2 2.1 Populate Your Inventory 2.2 Align to Business Capabilities
Phase 3 3.1 Assess Business Value 3.2 Assess Technical Health 3.3 Assess End-User Perspective 3.4 Assess Total Cost of Ownership
Phase 4 4.1 Review APM Snapshot Results 4.2 Review APM Foundations Results 4.3 Determine Dispositions 4.4 Assess Redundancies (Optional) 4.5 Determine Dispositions for Redundant Applications (Optional) 4.6 Prioritize Initiatives 4.7 Determine Ongoing APM Cadence
This phase involves the following participants:
Applications Lead
Key Corporate Stakeholders
Additional Resources
Building an APM process requires a proper understanding of the underlying business goals and objectives of your organization’s strategy. Effectively identifying these drivers is paramount to gaining buy-in and the approval for any changes you plan to make to your application portfolio.
After identifying these goals, you will need to ensure they are built into the foundations of your APM process.
“What is most critical?” but also “What must come first?”
Discover | Improve | Transform
---|---|---
Collect Inventory | Reduce Cost | Improve Architecture
Uncover Shadow IT | Increase Efficiency | Modernize
Uncover Redundancies | Reduce Applications | Enable Scalability
Anticipate Upgrades | Eliminate Redundancy | Drive Business Growth
Predict Retirement | Limit Risk | Improve UX
Estimated time: 1 hour
Download the Application Portfolio Management Diagnostic Tool
Input | Output
Materials | Participants
Portfolio Governance
Improves:
Impact on your rationalization framework:
Transformative Initiatives
Enables:
Impact on your rationalization framework:
Event-Driven Rationalization
Responds to:
Impact on your rationalization framework:
Different motivations will influence the appropriate approach to and urgency of APM or, specifically, rationalizing the portfolio. When rationalizing is directly related to enabling or in response to a broader initiative, you will need to create a more structured approach with a formal budget and resources.
Estimated time: 30 minutes-2 hours
Record the results in the APM Snapshot and Foundations Tool
Input | Output
Materials | Participants
Root Cause | IT Pain Points | Business Pain Points | Business Goals | Narrative | Technical Objectives
---|---|---|---|---|---
Sprawl; Shadow IT/decentralized oversight; Neglect over time; Poor delivery processes | Back-End Complexity; Disparate Data/Apps; Poor Architectural Fit; Redundancy; Maintenance Demand/Low Maintainability; Technical Debt; Legacy, Aging, or Expiring Apps; Security Vulnerabilities; Unsatisfied Customers | Hurdles to Growth/Change; Poor Business Analytics; Process Inefficiency; Software Costs; Business Continuity Risk; Data Privacy Risk; Data/IP Theft Risk; Poor User Experience; Low-Value Apps | Scalability; Flexibility/Agility; Data-Driven Insights; M&A Transition; Business Unit Consolidation/Centralization; Process Improvement; Process Modernization; Cost Reduction; Stability; Customer Protection; Security; Employee Enablement; Business Enablement; Innovation | Create Strategic Alignment: Identify specific business capabilities that are incompatible with strategic initiatives. Reduce Application Intensity: Highlight the capabilities that are encumbered due to functional overlaps and complexity. Reduce Software Costs: Specific business capabilities come at an unnecessarily or disproportionately high cost. Mitigate Business Continuity Risk: Specific business capabilities are at risk of interruption or stoppages due to unresolved back-end issues. Mitigate Security Risk: Specific business capabilities are at risk due to unmitigated security vulnerabilities or breaches. Increase Satisfaction Applications: Specific business capabilities are not achieving their optimal business value. | Platform Standardization Platform Standardization Consolidation; Data Harmonization; Removal/Consolidation of Redundant Applications; Legacy Modernization; Application Upgrades; Removal of Low-Value Applications
Estimated time: 1 hour
Record the results in the APM Snapshot and Foundations Tool
Input | Output
Materials | Participants
| | Goals | | Metric | Target |
|---|---|---|---|---|
| Short Term | Improve ability to inform the business | Leading Indicators | | |
| | Improve ownership of applications | | | |
| | Reduce costs of portfolio | | | |
| Long Term | Migrate platform | Lagging Indicators | | |
| | Improve overall satisfaction with portfolio | | | |
| | Become more customer-centric | | | |
Code: A body of code that's seen by developers as a single unit.
Functionality: A group of functionality that business customers see as a single unit.
Funding: An initiative that those with the money see as a single budget.
?: What else?
“Essentially applications are social constructions.”
Source: Martin Fowler
APM focuses on business applications.
“Software used by business users to perform a business function.”
Unfortunately, that definition is still quite vague.
1. Many individual items can be considered applications on their own or components within or associated with an application.
2. Different categories of applications may be out of scope or handled differently within the activities and artifacts of APM.
Apps can be categorized by generic categories
Apps can be categorized by bought vs. built or install types
Apps can be categorized by the application family
Apps can be categorized by the group managing them
Apps can be categorized by tiers
Set boundaries on what is an application or the individual unit that you’re making business decisions on. Also, determine which categories of applications are in scope and how they will be included in the activities and artifacts of APM. Use your product families defined in Deliver Digital Products at Scale to help define your application categories, groups, and boundaries.
Estimated time: 1 hour
Record the results in the APM Snapshot and Foundations Tool
Input | Output
Materials | Participants
Category | Definition/Description | Examples | Documented in your application inventory? | Included in application rationalization? | Listed in your application portfolio roadmap?
---|---|---|---|---|---
Business Application | End-user facing applications that directly enable specific business functions. This includes enterprise-wide and business-function-specific applications. Separate modules will be considered a business application when appropriate. | ERP system, CRM software, accounting software | Yes | Yes. Unless currently in dev. TCO of the parent application will be divided among child apps. | Yes
Software Components | Back-end solutions are self-contained units that support business functions. | ETL, middleware, operating systems | No. Documentation in CMDB. These will be listed as a dependency in the application inventory. | No. These will be linked to a business app and included in TCO estimates and tech health assessments. | No
Productivity Tools | End-user-facing applications that enable standard communication of general document creation. | MS Word, MS Excel, corporate email | Yes | No | Yes
End-User-Built Microsoft Tools | Single instances of a Microsoft tool that the business has grown dependent on. | Payroll Excel tool, Access databases | No. Documentation in Business Tool Glossary. | No | No
Partner Applications | Partners or third-party applications that the business has grown dependent on but are internally owned or managed. | Supplier’s ERP portal, government portal | No | No | Yes
Shadow IT | Business-managed applications. | Downloaded tools | Yes | Yes. However, just from a redundancy perspective. | Yes
Application Portfolio Manager
Business Owner
Support Owner
Project Portfolio Manager
Corner-of-the-Desk Approach
Dedicated Approach
Create the full list of applications and capture all necessary attributes.
Engage with appropriate SMEs and collect necessary data points for rationalization.
Apply rationalization framework and toolset to determine dispositions.
Present dispositions for validation and communicate any decisions or direction for applications.
Estimated time: 1-2 hours
Record the results in the APM Snapshot and Foundations Tool
Suppliers | Inputs | Process | Outputs | Customers |
---|---|---|---|---|
 | | Build Inventory: Create the full list of applications and capture all necessary attributes. Resp: Applications Manager & IT team member | | |
 | | Collect & Compile: Engage with appropriate SMEs and collect necessary data points for rationalization. Resp: IT team member | | |
 | | Assess & Recommend: Apply rationalization framework and toolset to determine dispositions. Resp: Applications Manager | | |
 | | Validate & Roadmap: Present dispositions for validation and communicate any decisions or direction for applications. Resp: Applications Manager | | |
 | | Project Intake: Build business case for project request. Resp: Project Manager | | |
Discovery | Rationalization | Disposition | Roadmap |
---|---|---|---|
Enter your pilot inventory. | Score your pilot apps to refine your rationalization criteria and scoring. | Determine recommended disposition for each application. | Populate your application roadmap. |
Phase 1 1.1 Assess Your Current Application Portfolio 1.2 Determine Narrative 1.3 Define Goals and Metrics 1.4 Define Application Categories 1.5 Determine APM Steps and Roles | Phase 2 2.1 Populate Your Inventory 2.2 Align to Business Capabilities | Phase 3 3.1 Assess Business Value 3.2 Assess Technical Health 3.3 Assess End-User Perspective 3.4 Assess Total Cost of Ownership | Phase 4 4.1 Review APM Snapshot Results 4.2 Review APM Foundations Results 4.3 Determine Dispositions 4.4 Assess Redundancies (Optional) 4.5 Determine Dispositions for Redundant Applications (Optional) 4.6 Prioritize Initiatives 4.7 Determine Ongoing APM Cadence |
This phase involves the following participants:
Additional Resources
Document Your Business Architecture
The more information you plan to capture, the larger the time and effort, especially as you move along toward advanced and strategic items. Capture the information most aligned to your objectives to make the most of your investment.
If you completed Deliver Digital Products at Scale, use your product families and products to help define your applications.
Learn more about automated application discovery:
High Application Satisfaction Starts With Discovering Your Application Inventory
Estimated time: 1-4 hours per group
Record the results in the APM Snapshot and Foundations Tool
For the purposes of an inventory, business capabilities help all stakeholders gain a sense of the functionality the application provides.
However, the true value of business capability comes with rationalization.
Upon linking all the organization’s applications to a standardized and consistent set of business capabilities, you can then group your applications based on similar, complementary, or overlapping functionality. In other words, find your redundancies and consolidation opportunities.
Important Consideration
Defining business capabilities and determining the full extent of redundancy is a challenging undertaking and often is a larger effort than APM altogether.
Business capabilities should be defined according to the unique functions and language of your organization, at varying levels of granularity, and ideally including target-state capabilities that identify gaps in the future strategy.
This blueprint provides a simplified and generic list for the purpose of categorizing similar functionality. We strongly encourage exploring Document Your Business Architecture to help in the business capability defining process, especially when visibility into your portfolio and knowledge of redundancies is poor.
For a more detailed capability mapping, use the Application Portfolio Snapshot and the worksheets in your current workbook.
A business capability map (BCM) is an abstraction of business operations that helps describe what the enterprise does to achieve its vision, mission, and goals. Business capabilities are the building blocks of the enterprise. They are typically defined at varying levels of granularity and include target-state capabilities that identify gaps in the future strategy. These are the people, process, and tool units that deliver value to your teams and customers.
Info-Tech’s Industry Coverage and Reference Architectures give you a head start on producing a BCM fit for your organization. The visual to the left is an example of a reference architecture for the retail industry.
These are the foundational pieces for our Application Portfolio Snapshot. By linking capabilities to your supporting applications, you can better visualize how the portfolio supports the organization at a single glance. More specifically, you can highlight how issues with the portfolio are impacting capability delivery.
Reminder: Best practices imply that business capabilities are methodologically defined by business stakeholders and business architects to capture the unique functions and language of your organization.
The approach laid out in this service is about applying minimal time and effort to make the case for proper investment into the best practices, which can include creating a tailored BCM. Start with a good enough example to produce a useful visual and generate a positive conversation toward resourcing and analyses.
We strongly encourage exploring Document Your Business Architecture and the Application Portfolio Snapshot to understand the thorough methods and tactics for BCM.
Having to address redundancy complicates the application rationalization process. There is no doubt that assessing applications in isolation is much easier and allows you to arrive at dispositions for your applications in a timelier manner.
Rationalization has two basic steps: first, collect and compile information, and second, analyze that information and determine a disposition for each application. When you don’t have redundancy, you can analyze an application and determine a disposition in isolation. When you do have redundancies, you need to collect information for multiple applications, likely across departments or lines of business, then perform a comparative analysis.
Most likely your approach will fall somewhere between the examples below and require a hybrid approach.
Benefits of a high-level application alignment:
Estimated time: 1-4 hours per grouping
The APM tool provides up to three different grouping comparisons to assess how well your applications are supporting your enterprise. Although business capabilities are important, identify your organizational perspectives to determine how well your portfolio supports these functions, departments, or value streams. Each grouping should be a consistent category, type, or arrangement of applications.
Record the results in the APM Snapshot and Foundations Tool
Capability, Department, or Function 1 |
Capability, Department, or Function 2 |
Capability, Department, or Function 3 |
Capability, Department, or Function 4 |
Capability, Department, or Function 5 |
Capability, Department, or Function 6 |
|
---|---|---|---|---|---|---|
Application A |
x | |||||
Application B |
x | |||||
Application C |
x | |||||
Application D |
x | |||||
Application E |
x | x | ||||
Application F |
x | |||||
Application G |
x | |||||
Application H |
x | |||||
Application I |
x | |||||
Application J |
x |
In this example:
BC 1 is supported by App A
BC 2 is supported by App B
BC 3 is supported by Apps C & D
BCs 4 & 5 are supported by App E
BC 6 is supported by Apps F-G. BC 6 shows an example of potential redundancy and portfolio complexity.
The APM tool supports three different Snapshot groupings. Repeat this exercise for each grouping.
This phase involves the following participants:
Additional Resources
Application Rationalization | Additional Information Sources | Ideal Stakeholders |
---|---|---|
| Business Value
| |
| End User
| |
| TCO
| |
| Technical Health
| |
| Application Alignment
|
Disposition: The intended strategic direction or course of action for an application.
Figure: Directionless portfolio of applications
Assigned dispositions for individual apps. High-level examples:
Maintain: Keep the application but adjust its support structure.
Modernize: Create a new project to address an inadequacy.
Consolidate: Create a new project to reduce duplicate functionality.
Retire: Phase out the application.
Figure: Directionless portfolio of applications | Info-Tech’s Five Lens Model | Assigned dispositions for individual apps
Lens | Question |
---|---|
Application Alignment | How well do your apps support your core functions and teams? |
Business Value | How well are your apps aligned to value delivery? |
Technical Health | Do your apps meet all IT quality standards and policies? |
End-User Perspective | How well do your apps meet your end users’ needs? |
Total Cost of Ownership (TCO) | What is the relative cost of ownership and operation of your apps? |

Maintain: Keep the application but adjust its support structure.
Modernize: Create a new initiative to address an inadequacy.
Consolidate: Create a new initiative to reduce duplicate functionality.
Retire: Phase out the application.
Application rationalization requires the collection of several data points that represent these perspectives and act as the criteria for determining a disposition for each of your applications.
Disposition: The intended strategic direction or implied course of action for an application.
The Business | Business Value of Applications | IT |
---|---|---|
Keepers of the organization’s mission, vision, and value statements that define IT success. The business maintains the overall ownership and evaluation of the applications. | | Technical subject matter experts of the applications they deliver and maintain. Each IT function works together to ensure quality applications are delivered to stakeholder expectations. |
First, the authorities on business value need to define and weigh their value drivers that describe the priorities of the organization.
This will then allow the applications team to apply a consistent, objective, and strategically aligned evaluation of applications across the organization.
In this context…business value is the value of the business outcome that the application produces and how effective the application is at producing that outcome.
Business value IS NOT the user’s experience or satisfaction with the application.
Financial vs. Human Benefits
Financial benefits refer to the degree to which the value source can be measured through monetary metrics and are often quite tangible. Human benefits refer to how an application can deliver value through a user’s experience.
Inward vs. Outward Orientation
Inward orientation refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations. Outward orientation refers to value sources that come from your interaction with external factors, such as the market or your customers.
Increased Revenue | Reduced Costs | Enhanced Services | Reach Customers |
---|---|---|---|
Application functions that are specifically related to the impact on your organization’s ability to generate revenue and deliver value to your customers. | Reduction of overhead. The ways in which an application limits the operational costs of business functions. | Functions that enable business capabilities that improve the organization’s ability to perform its internal operations. | Application functions that enable and improve the interaction with customers or produce market information and insights. |
Record the results in the APM Snapshot and Foundations Tool
For additional support in implementing a balanced value framework, refer to Build a Value Measurement Framework.
MAINTAINABILITY (RAS)
RAS refers to an app’s reliability, availability, and serviceability. How often, how long, and how difficult is it for your resources to keep an app functioning, and what are the resulting continuity risks? This can include root causes of maintenance challenges.
SECURITY
Applications should be aligned and compliant with ALL security policies. Are there vulnerabilities or is there a history of security incidents? Remember that threats are often internal and non-malicious.
ADAPTABILITY
How easily can the app be enhanced or scaled to meet changes in business needs? Does the app fit within the business strategy?
INTEROPERABILITY
The degree to which an app is integrated with current systems. Apps require comprehensive technical planning and oversight to ensure they connect within the greater application architecture. Does the app fit within your enterprise architecture strategy?
BUSINESS CONTINUITY/DISASTER RECOVERY
The degree to which the application is compatible with business continuity/disaster recovery (BC/DR) policies and plans that are routinely tested and verified.
Unfortunately, the business only cares about what they can see or experience. Rationalization is your opportunity to get risk on the business’ radar and gain buy-in for the necessary action.
Estimated time: 1-4 hours
Record the results in the APM Snapshot and Foundations Tool
Data Quality
To what degree do the end users find the data quality sufficient to perform their role and achieve their desired outcome?
Effectiveness
To what degree do the end users find the application effective for performing their role and desired outcome?
Usability
To what degree do the end users find the application reliable and easy to use to achieve their desired outcome?
Satisfaction
To what degree are end users satisfied with the features of this application?
What else matters to you?
Tune your criteria to match your values and priorities.
When facing large user groups, do not make assumptions or use lengthy methods of collecting information. Use Info-Tech’s Application Portfolio Assessment to collect data by surveying your end users’ perspectives.
Estimated time: 1-4 hours
Record the results in the APM Snapshot and Foundations Tool
LICENSING AND SUBSCRIPTIONS: Your recurring payments to a vendor.
Many commercial off-the-shelf applications require a license on a per-user basis. Review contracts and determine costs by looking at per-user or fixed rates charged by the vendor.
MAINTENANCE COSTS: Your internal spending to maintain an app.
These are the additional costs to maintain an application such as support agreements, annual maintenance fees, or additional software or hosting expenses.
INDIRECT COSTS: Miscellaneous expenses necessary for an app’s continued use.
Expenses like end-user training, developer education, and admin are often neglected, but they are very real costs organizations pay regularly.
RETURN ON INVESTMENT: Perceived value of the application related to its TCO.
Some of our most valuable applications are the most expensive. ROI is an optional criterion to account for the value and importance of the application.
The TCO assessment is one area where what you are considering the “application” matters quite a bit. An application’s peripherals or software components need to be considered in your estimates. For additional help calculating TCO, use the Application TCO Calculator from Build a Rationalization Framework.
Estimated time: 1-4 hours
Record the results in the APM Snapshot and Foundations Tool
This phase involves the following participants:
Additional Resources
Estimated time: 1-2 hours
Record the results in the APM Snapshot and Foundations Tool
Estimated time: 1-2 hours
The APM Foundations Results dashboard (“App Rationalization Results” worksheet) provides a detailed summary of your relative app scoring to serve as input to demand planning.
Record the results in the APM Snapshot and Foundations Tool
TCO, compared relatively to business value, helps determine the practicality of a disposition and the urgency of any call to action. Application alignment is factored in when assessing redundancies and has a separate set of dispositions.
Estimated time: 1-4 hours
Record the results in the APM Snapshot and Foundations Tool
Solving application redundancy is a lot more complicated than simply keeping one application and eliminating the others.
First, you need to understand the extent of the redundancy. The applications may support the same capability, but do they offer the same functions? Determine which apps offer which functions within a capability. This means you cannot accurately arrive at a disposition until you have evaluated all applications.
Next, you need to isolate the preferred system. This is completed by comparing the same data points collected for rationalization and the application alignment analysis. Cost and coverage of all necessary functions become the more important factors in this decision-making process.
Lastly, for the non-preferred redundant applications you need to determine: What will you do with the users? What will you do with the data? And what can you do with the functionality (can the actual coding be merged onto a common platform)?
Disposition | Description & Additional Analysis | Call to Action (Priority) |
---|---|---|
Keep & Absorb: Higher value, health satisfaction, and cost than alternatives | These are the preferred apps to be kept. However, additional efforts are still required to migrate new users and data and potentially configure the app to new processes. | Application or Process Initiative (Moderate) |
Shift & Retire: Lower value, health satisfaction, and cost than alternatives | These apps will be decommissioned alongside efforts to migrate users and data to the preferred system. *Confirm there are no unique and necessary features. | Process Initiative & Decommission (Moderate) |
Merge: Lower value, health satisfaction, and cost than alternatives but still has some necessary unique features | These apps will be merged with the preferred system onto a common platform. *Determine the unique and necessary features. *Determine if the multiple applications are compatible for consolidation. | Application Initiative (Moderate) |
Estimated time: 1 hour per group
This exercise is best performed after aligning business capabilities to applications across the portfolio and identifying your areas of redundancy. At this stage, this is still an information collection exercise, and it will not yield a consolidation-based disposition until applied to all relevant applications. Lastly, this exercise may still be at too high a level to outline the full details of redundancy, but it is still vital information to collect and a starting point to determine which areas require more concentrated analysis.
Record the results in the APM Snapshot and Foundations Tool
Account Management |
Call Management |
Order/Transaction Processing |
Contract Management |
Lead/Opportunity Management |
Forecasting/Planning |
Customer Surveying |
Email Synchronization |
|
---|---|---|---|---|---|---|---|---|
M | M | M | M | S | S | C | W | |
CRM 1 |
✓ |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
CRM 2 |
✓ | ✓ | ✓ | ✓ | ||||
CRM 3 |
✓ | ✓ | ✓ |
Estimated time: 1 hour per group
Record the results in the APM Snapshot and Foundations Tool
Roadmaps are used for different communication purposes and at varying points in your application delivery practice. Some use a roadmap to showcase strategy and act as a feedback mechanism that allows stakeholders to validate any changes (process 1). Others may use it to illustrate and communicate approved and granular elements of a change to an application to inform appropriate stakeholders of what to anticipate (process 2).
Process 1: Select Dispositions & Identify New Initiatives | Add to Roadmap | Validate Direction | Plan Project | Execute Project
Process 2: Select Dispositions & Identify New Initiatives | Approve Project | Add to Roadmap | Execute Project
The steps between selecting a disposition and executing on any resulting project will vary based on the organization’s project intake standards (or lack thereof).
This blueprint focuses on building a strategic portfolio roadmap prior to any in-depth assessments related to initiative/project intake, approval, and prioritization. For in-depth support related to intake, approval, prioritization, or planning, review the following resources.
A roadmap should not be limited to what is approved or committed to. A roadmap should be used to present the items that need to happen and begin the discussion of how or if this can be put into place. However, not every idea should make the cut and end up in front of key stakeholders.
Estimated time: 1-4 hours
Record the results in the APM Snapshot and Foundations Tool
Info-Tech’s Build an Application Rationalization Framework provides additional TCO and value tools to help build out your portfolio strategy.
Determine scope and categories | Build your list of applications and capabilities | Score each application based on your values | Determine outcomes based on app scoring and support for capabilities |
---|---|---|---|
1. Lay Your Foundations | 2. Improve Your Inventory | 3. Rationalize Your Apps | 4. Populate Your Roadmap |

Repeat according to APM cadence and application changes
Estimated time: 1-2 hours
Record the results in the APM Snapshot and Foundations Tool
Artifact | Owner | Update Cadence | Update Scope | Audience | Presentation Cadence |
---|---|---|---|---|---|
Inventory | Greg Dawson | | | | |
Rationalization Tool | Judy Ng | | | | |
Portfolio Roadmap | Judy Ng | | | | |
Worksheet Data Mapping | Application and Capability List | Group Alignment Matrix (1-3) | Rationalization Inputs | Group 1-3 Results | Application Inventory Details | App Rationalization Results | Roadmap | App Redundancy Comparison |
---|---|---|---|---|---|---|---|---|
Application and Capability List | App list, Groupings | App list | App list, Groupings | App list, Categories | App list, Categories | App list | App list | |
Groups 1-3 Alignment Matrix | App to Group Tracing | |||||||
Application Categories | Category | Category | Category | |||||
Rationalization Inputs | Lens Scores (weighted input to Group score) | Lens Scores (weighted input) | ||||||
Disposition Options | Disposition list, Priorities list, Recommended Disposition and Priority | Lens Scores (weighted input) | ||||||
App Rationalization Results | Disposition |
Attribute | Description | Common Collection Method |
---|---|---|
Name | Organization’s terminology used for the application. | Auto-discovery tools will provide names for the applications they reveal. However, this may not be the organizational nomenclature. You may adapt the names by leveraging pre-existing documentation and internal knowledge or by consulting business users. |
ID | Unique identifiers assigned to the application (e.g. app number). | Typically an identification system developed by the application portfolio manager. |
Description | A brief description of the application, often referencing core capabilities. | Typically completed by leveraging pre-existing documentation and internal knowledge or by consulting business users. |
Business Units | A list of all business units, departments, or user groups. | Consultation, surveys, or interviews with business unit representatives. However, this doesn’t always expose hidden applications. Application-capability mapping is the most effective way to determine all the business units/user groups of an app. |
Business Capabilities | A list of business capabilities the application is intended to enable. | Application capability mapping completed via interviews with business unit representatives. |
Criticality | A high-level grading of the importance of the application to the business, typically used for support prioritization purposes (i.e. critical, high, medium, low). | Typically the criticality rating is determined by a committee representing IT and business leaders. |
Ownership | The individual accountable for various aspects of the application (e.g. product owner, product manager, application support, data owner); typically includes contact information and alternatives. | If application ownership is an established accountability in your organization, typically consulting appropriate business stakeholders will reveal this information. Otherwise, application capability mapping can be an effective means of identifying who that owner should be. |
Application SMEs | Any relevant subject matter experts who can speak to various aspects of the application (e.g. business process owners, development managers, data architects, data stewards, application architects, enterprise architects). | Technical SMEs should be known within an IT department, but shadow IT apps may require interviews with the business unit. Application capability mapping will determine the identity of those key users/business process SMEs. |
Type | An indication of whether the application was developed in-house, commercial off-the-shelf, or a hybrid option. | Consultation, surveys, or interviews with product owners or development managers. |
Active Status | An indication of whether the application is currently active, out of commission, in repair, etc. | Consultation, surveys, or interviews with product owners or operation managers. |
Vendor Information | Identification of the vendor from whom the software was procured. May include additional items such as the vendor’s contact information. | Consultation with business SMEs, end users, or procurement teams, or review of vendor contracts or license agreements. |
Links to Other Documentation | Pertinent information regarding the other relevant documentation of the application (e.g. SLA, vendor contracts, data use policies, disaster recovery plan). Typically includes links to documents. | Consultation with product owners, service providers, or SMEs, or review of vendor contracts or license agreements. |
Number of Users | The current number of users for the application. This can be based on license information but will often require some estimation. Can include additional items of quantities at different levels of access (e.g. admin, key users, power users). | Consultation, surveys, or interviews with product owners or appropriate business SMEs or review of vendor contracts or license agreements. Auto-discovery tools can reveal this information. |
Software Dependencies | List of other applications or operating components required to run the application. | Consultation with application architects and any architectural tools or documentation. This information can begin to reveal itself through application capability mapping. |
Hardware Dependencies | Identification of any hardware or infrastructure components required to run the application (i.e. databases, platform). | Consultation with infrastructure or enterprise architects and any architectural tools or documentation. This information can begin to reveal itself through application capability mapping. |
Development Language | Coding language used for the application. | Consultation, surveys, or interviews with development managers or appropriate technical SMEs. |
Platform | A framework of services that application programs rely on for standard operations. | Consultation, surveys, or interviews with infrastructure or development managers. |
Lifecycle Stage | Where an application is within the birth, growth, mature, end-of-life lifecycle. | Consultation with business owners and technical SMEs. |
Scheduled Updates | Any major or minor updates related to the application, including the release date. | Consultation with business owners and vendor managers. |
Planned or In-Flight Projects | Any projects related to the application, including estimated project timeline. | Consultation with business owners and project managers. |
“2019 Technology & Small Business Survey.” National Small Business Association (NSBA), n.d. Accessed 1 April 2020.
“Application Rationalization – Essential Part of the Process for Modernization and Operational Efficiency.” Flexera, 2015. Web.
“Applications Rationalization during M&A: Standardize, Streamline, Simplify.” Deloitte Consulting, 2016. Web.
Bowling, Alan. “Clearer Visibility of Product Roadmaps Improves IT Planning.” ComputerWeekly.com, 1 Nov. 2010. Web.
Brown, Alex. “Calculating Business Value.” Agile 2014 Orlando, 13 July 2014. Scrum Inc. 2014. Web.
Brown, Roger. “Defining Business Value.” Scrum Gathering San Diego 2017. Agile Coach Journal. Web.
“Business Application Definition.” Microsoft Docs, 18 July 2012. Web.
“Connecting Small Businesses in the US.” Deloitte Consulting, 2017. Accessed 1 April. 2020.
Craveiro, João. “Marty meets Martin: connecting the two triads of Product Management.” Product Coalition, 18 Nov. 2017. Web.
Curtis, Bill. “The Business Value of Application Internal Quality.” CAST, 6 April 2009. Web.
Fleet, Neville, Joan Lasselle, and Paul Zimmerman. “Using a Balance Scorecard to Measure the Productivity and Value of Technical Documentation Organizations.” CIDM, April 2008. Web.
Fowler, Martin. “Application Boundary.” MartinFowler.com, 11 Sept. 2003. Web.
Harris, Michael. “Measuring the Business Value of IT.” David Consulting Group, 2007. Web.
“How Application Rationalization Contributes to the Bottom Line.” LeanIX, 2017. Web.
Jayanthi, Aruna. “Application Landscape Report 2014.” Capgemini, 4 March 2014. Web.
Lankhorst, Marc., et al. “Architecture-Based IT Valuation.” Via Nova Architectura, 31 March 2010. Web.
“Management of business application.” ServiceNow, Jan.2020. Accessed 1 April 2020.
Mauboussin, Michael J. “The True Measures of Success.” HBR, Oct. 2012. Web.
Neogi, Sombit., et al. “Next Generation Application Portfolio Rationalization.” TATA, 2011. Web.
Riverbed. “Measuring the Business Impact of IT Through Application Performance.” CIO Summits, 2015. Web.
Rouse, Margaret. “Application Rationalization.” TechTarget, March 2016. Web.
Van Ramshorst, E.A. “Application Portfolio Management from an Enterprise Architecture Perspective.” Universiteit Utrecht, July 2013.
“What is a Balanced Scorecard?” Intrafocus, n.d. Web.
Whitney, Lance. “SMBs share their biggest constraints and great challenges.” Tech Republic, 6 May 2019. Web.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Define the business’s M&A goals, assemble an IT Integration Program, and select an IT integration posture that aligns with business M&A strategy.
Refine the current state of each IT domain in both organizations, and then design the end-state of each domain.
Generate tactical operational imperatives and quick-wins, and then develop an interim action plan to maintain business function and capture synergies.
Generate initiatives and put together a long-term action plan to achieve the planned technology end-state.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Identification of staffing and skill set needed to manage the IT integration.
Generation of an integration communication plan to highlight communication schedule during major integration events.
Identification of business goals and objectives to select an IT Integration Posture that aligns with business strategy.
Defined IT integration roles & responsibilities.
Structured communication plan for key IT integration milestones.
Creation of the IT Integration Program.
Generation of an IT Integration Posture.
1.1 Define IT Integration Program responsibilities.
1.2 Build an integration communication plan.
1.3 Host interviews with senior management.
1.4 Select a technology end-state and IT integration posture.
Define IT Integration Program responsibilities and goals
Structured communication plan
Customized interview guide for each major stakeholder
Selected technology end-state and IT integration posture
Identification of information sources to begin conducting discovery.
Definition of scope of information that must be collected about target organization.
Definition of scope of information that must be collected about your own organization.
Refinement of the technology end-state for each IT domain of the new entity.
A collection of necessary information to design the technology end-state of each IT domain.
Adequate information to make accurate cost estimates.
A designed end-state for each IT domain.
A collection of necessary, available information to make accurate cost estimates.
2.1 Define discovery scope.
2.2 Review the data room and conduct onsite discovery.
2.3 Design the technology end-state for each IT domain.
2.4 Select the integration strategy for each IT domain.
Tone set for discovery
Key information collected for each IT domain
Refined end-state for each IT domain
Refined integration strategy for each IT domain
Generation of tactical initiatives that are operationally imperative and will help build business credibility.
Prioritization and execution of tactical initiatives.
Confirmation of integration strategy for each IT domain and generation of initiatives to achieve technology end-states.
Prioritization and execution of integration roadmap.
Tactical initiatives generated and executed.
Confirmed integration posture for each IT domain.
Initiatives generated and executed upon to achieve the technology end-state of each IT domain.
3.1 Build quick-win and operational imperatives.
3.2 Build a tactical action plan and execute.
3.3 Build initiatives to close gaps and redundancies.
3.4 Finalize your roadmap and kick-start integration.
Tactical roadmap to fulfill short-term M&A objectives and synergies
Confirmed IT integration strategies
Finalized integration roadmap
Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.
Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.
Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available.
Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.
Evolve the program continually by developing metrics and formalizing a policy.
Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.
Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.
1.1 Define the scope & boundary of your organization’s security program.
1.2 Assign responsibility for vulnerability identification and remediation.
1.3 Develop a monitoring and review process of third-party vulnerability sources.
1.4 Review incident management and vulnerability management
Defined scope and boundaries of the IT security program
Roles and responsibilities defined for member groups
Process for review of third-party vulnerability sources
Alignment of vulnerability management program with existing incident management processes
We will examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach and prepare for remediation options.
A consistent, documented process for the evaluation of vulnerabilities in your environment.
2.1 Evaluate your identified vulnerabilities.
2.2 Determine high-level business criticality.
2.3 Determine your high-level data classifications.
2.4 Document your defense-in-depth controls.
2.5 Build a classification scheme to consistently assess impact.
2.6 Build a classification scheme to consistently assess likelihood.
Adjusted workflow to reflect your current processes
List of business operations and their criticality and impact to the business
Adjusted workflow to reflect your current processes
List of defense-in-depth controls
Vulnerability Management Risk Assessment tool formatted to your organization
Vulnerability Management Risk Assessment tool formatted to your organization
Identifying potential remediation options.
Developing criteria for each option in regard to when to use and when to avoid.
Establishing exception procedure for testing and remediation.
Documenting the implementation of remediation and verification.
Identifying and selecting the remediation option to be used
Determining what to do when a patch or update is not available
Scheduling and executing the remediation activity
Planning continuous improvement
3.1 Develop risk and remediation action.
List of remediation options sorted into “when to use” and “when to avoid” lists
You will determine what ought to be measured to track the success of your vulnerability management program.
If you lack a scanning tool this phase will help you determine tool selection.
Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.
Outline of metrics that you can then configure your vulnerability scanning tool to report on.
Development of an inaugural policy covering vulnerability management.
The provisions needed for you to create and deploy an RFP for a vulnerability management tool.
An understanding of penetration testing, and guidance on how to get started if there is interest to do so.
4.1 Measure your program with metrics, KPIs, and CSFs.
4.2 Update the vulnerability management policy.
4.3 Create an RFP for vulnerability scanning tools.
4.4 Create an RFP for penetration tests.
List of relevant metrics to track, and the KPIs, CSFs, and business goals for.
Completed Vulnerability Management Policy
Completed Request for Proposal (RFP) document that can be distributed to vendor proponents
Completed Request for Proposal (RFP) document that can be distributed to vendor proponents
Analyst Perspective
Executive Summary
Common Obstacles
Risk-based approach to vulnerability management
Step 1.1: Vulnerability management defined
Step 1.2: Defining scope and roles
Step 1.3: Cloud considerations for vulnerability management
Step 1.4: Vulnerability detection
Step 2.1: Triage vulnerabilities
Step 2.2: Determine high-level business criticality
Step 2.3: Consider current security posture
Step 2.4: Risk assessment of vulnerabilities
Step 3.1: Assessing remediation options
Step 3.2: Scheduling and executing remediation
Step 3.3: Continuous improvement
Step 4.1: Metrics, KPIs, and CSFs
Step 4.2: Vulnerability management policy
Step 4.3: Select & implement a scanning tool
Step 4.4: Penetration testing
Summary of accomplishment
Additional Support
Bibliography
In this age of discovery, technology changes at such a rapid pace. New things are discovered, both in new technology and in old. The pace of change can often be very confusing as to where to start and what to do.
The ever-changing nature of technology means that vulnerabilities will always be present. Taking measures to address these completely will consume all your department’s time and resources. That, and your efforts will quickly become stale as new vulnerabilities are uncovered. Besides, what about the systems that simply can’t be patched? The key is to understand the vulnerabilities and the levels of risk they pose to your organization, to prioritize effectively and to look beyond patching.
A risk-based approach to vulnerability management will ensure you are prioritizing appropriately and protecting the business. Reduce the risk surface!
Vulnerability management is more than just systems and application patching. It is a full process that includes patching, compensating controls, segmentation, segregation, and heightened diligence in security monitoring.
Jimmy Tom, Research Advisor – Security, Privacy, Risk, and Compliance, Info-Tech Research Group
Your Challenge
Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them. Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option.
Common Obstacles
Patches are often seen as the answer to vulnerabilities, but these are not always the most suitable solution. Some systems deemed vulnerable simply cannot be patched or easily replaced. Companies are unaware of the risk implications that come from leaving the vulnerability open and from the remediation option itself.
Info-Tech’s Approach
Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities. Understand what needs to be considered when implementing remediation options, including patches, configuration changes, and defense-in-depth controls. Build a process that is easy to understand and allows vulnerabilities to be remediated proactively, instead of in an ad hoc fashion.
Vulnerability management does not always equal patch management. There is more than one way to tackle the problem, particularly if a system cannot be easily patched or replaced. If a vulnerability cannot be completely remediated, steps to reduce the risk to a tolerable level must be taken.
These barriers make vulnerability management difficult to address for many organizations:
[Figure: CVSS Score Distribution from the National Vulnerability Database. Source: NIST National Vulnerability Database Dashboard]
Reduce the critical and high vulnerabilities below the risk threshold and operationalize the remediation of medium/low vulnerabilities by following your effective vulnerability management program cycles.
An inventory of your scanning tool and vulnerability threat intelligence data sources will help you determine a viable strategy for addressing vulnerabilities. Defining roles and responsibilities ahead of time will ensure you are not left scrambling when dealing with vulnerabilities.
Bring the vulnerabilities into context by assessing vulnerabilities based on your security posture and mechanisms and not just what your data sources report. This will allow you to gauge the true urgency of the vulnerabilities based on risk and determine an effective mitigation plan.
Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available.
Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.
Upon implementation of the program, measure with metrics to ensure that the program is successful. Improve the program with each iteration of vulnerability mitigation to ensure continuous improvement.
All actions to address vulnerabilities should be based on risk and the organization’s established risk tolerance.
Reduce the risk surface down below the risk threshold.
“For those of us in the vulnerability management space, ensuring that money, resources, and time are strategically spent is both imperative and difficult. Resources are dwindling fast, but the vulnerability problem sure isn’t.” (Kenna Security)
“Using vulnerability scanners to identify unpatched software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.” (Balbix)
“Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. It helps you understand vulnerability risks with threat context and insight into potential business impact.” (Tenable)
“A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables — namely, weaponization likelihood and potential impact — that factor into the risk the vulnerability poses to an organization.” (SecurityWeek)
60% — In 2019, 60% of breaches were due to unpatched vulnerabilities.
74% — In the same survey, 74% of survey responses said they cannot take down critical applications and systems to patch them quickly. (Source: SecurityBoulevard, 2019)
Taking a risk-based approach will allow you to focus on mitigating risk, rather than “just patching” your environment.
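The difference between ranking by CVSS score and ranking by contextual risk can be shown with a small worked example. This is an added illustration, not Info-Tech's Vulnerability Risk Assessment Tool: the 1-3 impact scale, the 1-4 likelihood scale, the control adjustment, the threshold of 6, and all findings and identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field

# Every scale, weight and threshold here is an illustrative assumption,
# not a value taken from the blueprint or its Risk Assessment Tool.
CRITICALITY = {"low": 1, "medium": 2, "high": 3}              # business function
DATA_CLASS = {"public": 1, "internal": 2, "confidential": 3}  # data sensitivity
RISK_THRESHOLD = 6  # at or above: prioritized remediation; below: regular operations


@dataclass
class Finding:
    vuln_id: str                 # constructed placeholder, not a real CVE
    asset: str
    cvss: float                  # base score as reported by the scanner
    exploit_available: bool
    internet_facing: bool
    criticality: str
    data_class: str
    controls: list = field(default_factory=list)  # defense-in-depth controls in place


def impact(f):
    """Impact (1-3): the worse of business criticality and data sensitivity."""
    return max(CRITICALITY[f.criticality], DATA_CLASS[f.data_class])


def likelihood(f):
    """Likelihood (1-4): intrinsic severity adjusted for exposure and controls."""
    score = 3 if f.cvss >= 9.0 else 2 if f.cvss >= 7.0 else 1
    score += 1 if f.exploit_available else 0
    score += 1 if f.internet_facing else 0
    score -= len(f.controls)     # each documented control lowers likelihood by one
    return max(1, min(4, score))


def risk(f):
    """Risk = impact x likelihood, in the organization's own context."""
    return impact(f) * likelihood(f)


def cvss_order(findings):
    """What a scanner report sorted by severity alone would put first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def triage(findings):
    """Split findings at the risk threshold, highest risk first in each queue."""
    ranked = sorted(findings, key=lambda f: (-risk(f), -f.cvss))
    return {
        "prioritized": [f.vuln_id for f in ranked if risk(f) >= RISK_THRESHOLD],
        "operational": [f.vuln_id for f in ranked if risk(f) < RISK_THRESHOLD],
    }


# Constructed sample findings.
FINDINGS = [
    Finding("VULN-A", "intranet-wiki", 9.8, False, False, "low", "internal",
            ["network segmentation", "WAF"]),
    Finding("VULN-B", "payments-api", 7.5, True, True, "high", "confidential"),
    Finding("VULN-C", "hr-portal", 6.5, True, True, "medium", "confidential", ["WAF"]),
    Finding("VULN-D", "build-server", 8.1, False, False, "medium", "internal"),
]

if __name__ == "__main__":
    print("By CVSS:", cvss_order(FINDINGS))
    for f in FINDINGS:
        print(f.vuln_id, f.asset, "impact", impact(f),
              "likelihood", likelihood(f), "risk", risk(f))
    print("Triage:", triage(FINDINGS))
```

The finding with the highest CVSS score ends up last in the operational queue because it sits on a low-criticality asset behind two controls, while a lower-scored finding on an exposed payment system leads the prioritized queue.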
The average cost of a breach in 2020 is $3.86 million, and “…the price tag was much less for mature companies and industries and far higher for firms that had lackluster security automation and incident response processes.” (Dark Reading)
Vulnerability Management: A risk-based approach
Reduce the risk surface to avoid cost to your business, everything else is table stakes
1 | Identify
Identify vulnerability management scanning tools & external threat intel sources (Mitre CVE, US-CERT, vendor alerts, etc.)
Vulnerability information feeds:
2 | Analyze
Assign actual risk (impact x urgency) to the organization based on current security posture
Triage based on risk › Your organization's risk tolerance threshold
3 | Assess
Plan risk mitigation strategy ›
Consider:
Focus on developing the most efficient processes.
The vulnerability management market is relatively mature; however, vulnerability management remains a very relevant and challenging topic.
Security practitioners are inundated with the advice they need to prioritize their vulnerabilities. Every vulnerability scanning vendor will proclaim their ability to prioritize the identified vulnerabilities.
Third-party prioritization methodology can’t be effectively applied across all organizations. Each organization is too unique with different constraints. No tool or service can account for these variables.
When patching is not possible, other options exist: configuration changes (hardening), defense-in-depth, compensating controls, and even elevated security monitoring are possible options.
Vulnerability management is not only patch management. Patching is only one aspect.
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Key deliverable: Vulnerability Management SOP
The standard operating procedure (SOP) will comprise the end-to-end description of the program: roles & responsibilities, data flow, and expected outcomes of the program.
Vulnerability Management Policy: Template for your vulnerability management policy.
Vulnerability Tracking Tool: This tool offers a template to track vulnerabilities and how they are remedied.
Vulnerability Scanning RFP Template: Request for proposal template for the selection of a vulnerability scanning tool.
Vulnerability Risk Assessment Tool: Methodology to assess vulnerability risk by determining impact and likelihood.
IT Benefits | Business Benefits |
Phase | Measured Value |
Phase 1: Identify vulnerability sources | |
Phase 2: Triage vulnerabilities and assign urgencies | |
Phase 3: Remediate vulnerabilities | |
Phase 4: Continually improve the vulnerability management process | |
Potential financial savings from using Info-Tech resources | Phase 1 ($1,600) + Phase 2 ($6,400) + Phase 3 ($10,400) + Phase 4 ($10,400) = $28,800 |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 to 12 calls over the course of 4 to 6 months.
What does a typical GI on this topic look like?
Phase 1 | Phase 2 | Phase 3 | Phase 4 |
Call #1: Scope requirements, objectives, and your specific challenges. Call #2: Discuss current state and vulnerability sources. | Call #3: Identify triage methods and business criticality. Call #4: Review current defense-in-depth and discuss risk assessment. | Call #5: Discuss remediation options and scheduling. Call #6: Review release and change management and continuous improvement. | Call #7: Identify metrics, KPIs, and CSFs. Call #8: Review vulnerability management policy. |
| Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
Activities | Identify vulnerability sources: 1.1 What is vulnerability management? 1.2 Define scope and roles 1.3 Cloud considerations for vulnerability management 1.4 Vulnerability detection | Triage and prioritize: 2.1 Triage vulnerabilities 2.2 Determine high-level business criticality 2.3 Consider current security posture 2.4 Risk assessment of vulnerabilities | Remediate vulnerabilities: 3.1 Assess remediation options 3.2 Schedule and execute remediation 3.3 Drive continuous improvement | Measure and formalize: 4.1 Metrics, KPIs & CSFs 4.2 Vulnerability Management Policy 4.3 Select & implement a scanning tool 4.4 Penetration testing | Next Steps and Wrap-Up (offsite): 5.1 Complete in-progress deliverables from previous four days 5.2 Set up review time for workshop deliverables and to discuss next steps |
Deliverables | | | | | |
Phase 1: 1.1 What is vulnerability management? | Phase 2: 2.1 Triage vulnerabilities |
Phase 3: 3.1 Assessing remediation options | Phase 4: 4.1 Metrics, KPIs & CSFs |
Establish a common understanding of vulnerability management, define the roles, scope, and information sources of vulnerability detection.
None for this section
Establish a common understanding of vulnerability management and its place in the IT organization.
Foundational knowledge of vulnerability management in your organization.
“Most organizations do not have a formal process for vulnerability management.” (Morey Haber, VP of Technology, BeyondTrust, 2016)
It’s not easy, but it’s much harder without a process in place.
You’re not just doing this for yourself. It’s also for your auditors.
Many compliance and regulatory obligations require organizations to have thorough documentation of their vulnerability management practices.
Vulnerabilities can be found primarily within your assets but also connect to your information risk management. These must be effectively managed as part of a holistic security program. Without management, vulnerabilities left unattended can be easy for attackers to exploit. It becomes difficult to identify the correct remediation option to mitigate against the vulnerabilities.
[Figure: Vulnerability Management Process Inputs/Outputs. Arrows denote direction of information feed.]
Vulnerability management serves as the input into a number of processes for remediation, including:
A two-way data flow exists between vulnerability management and:
Vulnerability management is a component of the Infrastructure Security section of Security Management
For more information, review our Build an Information Security Strategy blueprint, or speak to one of our analysts.
Info-Tech Insight
Vulnerability management is but one piece of the information security puzzle. Ensure that you have all the pieces!
Case Study | INDUSTRY: Manufacturing
One organization is seeing immediate benefits by formalizing its vulnerability management program.
Challenge
Cimpress was dealing with many challenges with regard to vulnerability management. Vulnerability scanning tools were used, but the reports that were generated often gave multiple vulnerabilities that were seen as critical or high and required many resources to help address them. Scanning was done primarily in an attempt to adhere to PCI compliance rather than to effectively enable security. After re-running some scans, Cimpress saw that some vulnerabilities had existed for an extended time period but were deemed acceptable.
Solution
The Director of Information Security realized that there was a need to greatly improve this current process. Guidelines and policies were formalized that communicated when scans should occur and what the expectations for remediations should be. Cimpress also built a tiered approach to prioritize vulnerabilities for remediation that is specific to Cimpress instead of relying on scanning tool reports.
Results
Cimpress found better management of the vulnerabilities within its system. There was no pushback to the adoption of the policies, and across the worldwide offices, business units have been proactively trying to understand if there are vulnerabilities. Vulnerability management has been expanded to vendors and is taken into consideration when doing any mergers and acquisitions. Cimpress continues to expand its program for vulnerability management to include application development and vulnerabilities within any existing legacy systems.
Define and understand the scope and boundary of the security program. For example, does it include OT? Define roles and responsibilities for vulnerability identification and remediation.
Understand how far vulnerability management extends and what role each person in IT plays in the remediation of vulnerabilities.
This will help you adjust the depth and breadth of your vulnerability management program.
Input: List of Data Scope, Physical Scope, Organization Scope, and IT Scope
Output: Defined scope and boundaries of the IT security program
Materials: Whiteboard/Flip Charts, Sticky Notes, Markers, Vulnerability Management SOP Template
Participants: Business stakeholders, IT leaders, Security team members
The goal is to identify what your vulnerability management program is responsible for and document it.
Consider the following:
How is data being categorized and classified? How are business units engaged with security initiatives? How are IT systems connected to each other? How are physical locations functioning in terms of information security management?
Download the Vulnerability Management SOP Template
If you need assistance building your asset inventory, review Info-Tech’s Implement Hardware Asset Management and Implement Software Asset Management blueprints.
Info-Tech Insight
Create a formal IT asset inventory before continuing with the rest of this project. Otherwise, you risk being at the mercy of a weak vulnerability management program.
Determine who is critical to effectively detecting and managing vulnerabilities.
Input: Sample list of vulnerabilities and requisite actions from each group, High-level organizational chart with area functions
Output: Defined set of roles and responsibilities for member groups
Materials: Vulnerability Management SOP Template
Participants: CIO, CISO, IT Management representatives for each area of IT
If your organization does not have a dedicated IT security team, you can perform this exercise by mapping the relevant IT staff to the different positions shown on the right.
None for this section.
Review cloud considerations for vulnerability management
Understand the various types of cloud offerings and the implications (and limitations) of vulnerability management in a cloud environment.
Cloud will change your approach to vulnerability management.
For more information, see Info-Tech Research Group’s Document Your Cloud Strategy blueprint.
Cloud scanning is becoming a more common necessity but still requires special consideration.
Private Cloud
If your organization owns a private cloud, these environments can be tested normally.
Public Cloud
Performing vulnerability testing against public, third-party cloud environments is an area experiencing rapid growth and general acceptance, although customer visibility will still be limited. In many cases, a customer must rely on the vendor’s assurance that vulnerabilities are being addressed in a sufficient manner. Security standards’ compliance requirements are driving the need for cloud suppliers to validate and assure that they are appropriately scanning for and remediating vulnerabilities.
Infrastructure- or Platform-as-a-Service (IaaS or PaaS) Environments
Certain testing (e.g. DoS or load testing) will be very limited by your cloud vendor. Cloud vendors won’t open themselves to testing that would possibly impact their operations.
Create an inventory of your vulnerability monitoring capability and third-party vulnerability information sources.
Determine how incident management and vulnerability management interoperate.
Catalog of vulnerability information data sources. Understanding of the intersection of incident management and vulnerability management.
Vulnerabilities can be identified through numerous mediums.
Vulnerability Assessment and Scanning Tools
Penetration Tests
Open Source Monitoring
Security Incidents
Vulnerabilities are too numerous for manual scanning and detection.
Automation requires oversight.
For guidance on tool selection: Refer to section 4.3, Select and Implement a Scanning Tool, in this blueprint.
Select a vulnerability scanning tool with the features you need to be effective.
For guidance on tool vendors: Visit SoftwareReviews for information on vulnerability management tools and vendors.
One-off scans provide snapshots in time. Repeated scans over time provide tracking for how systems are changing and how well patches are being applied and software is being updated.
The results of a scan (asset inventory, configuration data, and vulnerability data) are basic information needed to understand your security posture. This data needs to be as up to date as possible.
Continuous scanning is the concept of providing continual scanning of your systems so any asset, configuration, or vulnerability information is up to date. Most vendors will advertise continuous scanning but you need to be skeptical of how this feature is met.
Continuous agent scanning: Real-time scanning that is completed through agent-based scanning. Provides real-time understanding of system changes.
On-demand scanning: Cyclical scanning is the method where, once you’re done scanning an area, you start it again. This is usually done because doing some scans on some areas of your network takes time. How long the scan takes depends on the scan itself. How often you perform a scan depends on how long a scan takes. For example, if a scan takes a day, you perform a daily scan.
Cloud-based scanning: Cloud-scanning-as-a-Service can provide hands-free continuous monitoring of your systems. This is usually priced as a subscription model.
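Tracking repeated scans over time means carrying open findings forward from one scan to the next instead of reading each report in isolation. The sketch below is an added example, not part of the blueprint or any scanner's API: the scan record layout, asset names and vulnerability identifiers are constructed, and it assumes each scan records which assets it actually reached so that a finding on an unreached asset is not counted as remediated.

```python
from datetime import date

# Constructed sample data: three weekly scans. "assets" is what the scanner
# actually reached; "findings" are (asset, vuln_id) pairs with placeholder IDs.
SCANS = [
    {"date": date(2024, 1, 1),
     "assets": {"web01", "db01", "laptop7"},
     "findings": {("web01", "VULN-1"), ("db01", "VULN-3"), ("laptop7", "VULN-5")}},
    {"date": date(2024, 1, 8),
     "assets": {"web01", "db01"},                 # laptop7 was off the network
     "findings": {("db01", "VULN-3")}},
    {"date": date(2024, 1, 15),
     "assets": {"web01", "db01", "laptop7"},
     "findings": {("web01", "VULN-1"), ("db01", "VULN-3"), ("laptop7", "VULN-5")}},
]


def track(scans):
    """Walk scans in date order and classify every finding at each step.

    Returns (reports, ages): one report per scan, and the age in days of each
    finding still open at the last scan, measured from when it was first seen
    in its current open period.
    """
    open_since = {}   # finding -> date it was first seen in the current open period
    reports = []
    for scan in sorted(scans, key=lambda s: s["date"]):
        seen, reached = scan["findings"], scan["assets"]
        known = set(open_since)
        missing = known - seen
        report = {
            "date": scan["date"],
            "new": seen - known,
            "persisting": seen & known,
            # Gone from an asset the scanner reached: treat as fixed.
            "remediated": {f for f in missing if f[0] in reached},
            # Gone only because the asset was not scanned: still open.
            "unverified": {f for f in missing if f[0] not in reached},
        }
        for finding in report["remediated"]:
            del open_since[finding]
        for finding in report["new"]:
            open_since[finding] = scan["date"]
        reports.append(report)
    last = reports[-1]["date"] if reports else None
    ages = {f: (last - first).days for f, first in open_since.items()}
    return reports, ages


if __name__ == "__main__":
    reports, ages = track(SCANS)
    for r in reports:
        print(r["date"], {k: sorted(v) for k, v in r.items() if k != "date"})
    print("Open finding age in days:", ages)
```

In the sample data, the laptop finding keeps aging through the scan it missed, while the web server finding that was fixed and then reappeared is reported as new again with its age reset.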
What should be scanned | How to point a scanner |
The general idea is that you want to scan pretty much everything. Here are considerations for three environments:
Mobile Devices
You need to scan mobile devices for vulnerabilities, but the problem is these can be hard to scan and often come and go on your network. There are always going to be some devices that aren’t on the network when scanning occurs. Several ways to scan mobile devices:
Virtualization
Cloud Environments
IT security forums and mailing lists are another source of vulnerability information.
By monitoring for vulnerabilities as they are announced through industry alerts and open-source mechanisms, it is possible to identify vulnerabilities beyond your scanning tool’s penetration tests.
Common sources:
Input: Third-party resources list
Output: Process for review of third-party vulnerability sources
Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template
Participants: IT Security Manager, SecOps team members, ITOps team members, CISO
Download the Vulnerability Management SOP Template
Incidents can also be a source of vulnerabilities.
When any incident occurs, for example:
There can be underlying vulnerabilities that need to be processed.
Three Types of IT Incidents exist:
Note: You need to have developed your various incident response plans to develop information feeds to the vulnerability mitigation process.
Info-Tech Related Resources:
If you do not have a formalized information security incident management program, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.
If you do not have a formalized problem management process, take a look at Info-Tech’s blueprint Incident and Problem Management.
If you do not have a formalized IT incident management process, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.
If you do not have formalized crisis management, take a look at Info-Tech’s blueprint Implement Crisis Management Best Practices.
Input: Existing incident response processes, Existing crisis communications plans
Output: Alignment of vulnerability management program with existing incident management processes
Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template
Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO
Note: Most incident processes will cover some sort of root cause analysis and investigation of the incident. If a vulnerability of any kind is detected within this analysis it needs to be reported on and treated as a detected vulnerability, thus warranting the full vulnerability mitigation process.
Download the Vulnerability Management SOP Template
Phase 1: 1.1 What is vulnerability management? | Phase 2: 2.1 Triage vulnerabilities | Phase 3: 3.1 Assessing remediation options | Phase 4: 4.1 Metrics, KPIs & CSFs
Examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach, and prepare for remediation options.
Review your vulnerability information sources and determine a methodology that will be used to consistently evaluate vulnerabilities as your scanning tool alerts you to them.
A consistent, documented process for the evaluation of vulnerabilities in your environment.
Triage & prioritize: Step 2.1 | Step 2.2 | Step 2.3 | Step 2.4
When evaluating numerous vulnerabilities, use the following three factors to help determine the urgency of vulnerabilities:
Intrinsic qualities of the vulnerability — Vulnerabilities need to be examined for the inherent risk they pose specifically to the organization, which includes if an exploit has been identified or if the industry views this as a serious and likely threat.
Business criticality of the affected asset — Assets with vulnerabilities need to be assessed for their criticality to the business. Vulnerabilities on systems that are critical to business operations or customer interactions are usually top of mind.
Sensitivity of the data of the affected asset — Beyond just the criticality of the business, there must be consideration of the sensitivity of the data that may be compromised or modified as a result of any vulnerabilities.
This methodology allows you to determine urgency of vulnerabilities, but your remediation approach needs to be risk-based, within the context of your organization.
Triaging enables your vulnerability management program to focus on what it should focus on. Use the Info-Tech Vulnerability Mitigation Process Template to define how to triage vulnerabilities as they first appear. Triaging is an important step in vulnerability management, whether you are facing ten or tens of thousands of vulnerability notifications.
[Figure: The Info-Tech methodology for initial triaging of vulnerabilities]
Even if neither of these use cases applies to your organization, triaging still addresses the issue of false positives. Triaging provides a quick way to determine if vulnerabilities are relevant.
Input: Visio workflow of Info-Tech’s vulnerability management process
Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool
Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template
Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO
Using the criteria from the previous slide, Info-Tech has created a methodology to evaluate your vulnerabilities by examining their intrinsic qualities.
The methodology categorizes the vulnerabilities into high, medium, and low risk categories, before assigning final urgency scores in the later steps.
Download the Vulnerability Management SOP Template
Determining high-level business criticality and data classifications will help ensure that IT security is aligned with what is critical to the business. This will be very important when decisions are made around vulnerability risk and the urgency of remediation action.
Understanding and consistency in how business criticality and business data is assessed by IT in the vulnerability management process.
Use the questions below to help assess which operations are critical for the business to continue functioning. For example, email is often thought of as a business-critical operation when this is not always the case. It is important to the business, but as regular operations can continue for some time without it, it would not be considered extremely business critical.
Don’t start from scratch – your disaster recovery plan (DRP) may have a business impact analysis (BIA) that can provide insight into which applications and operations are considered business critical.
Analyst Perspective: When assessing the criticality of business operations, most core business applications may be deemed business critical over the long term. Consider instead what the impact is over the first 24 or 48 hours of downtime.
Input: List of business operations, Insight into business operations impacts to the business
Output: List of business operations and their criticality and impact to the business
Materials: Vulnerability Management SOP Template
Participants: Participants from the business, IT Security Manager, CISO, CIO
[Figure: Example prioritization of business operations for a manufacturing company]
Questions to ask:
Download the Vulnerability Management SOP Template
To properly classify your data, consider how the confidentiality, integrity, and availability of that data would be affected if a vulnerability were exploited. Review the table below for an explanation of each objective.
If you wish to build a whole data classification methodology, refer to our Discover and Classify Your Data blueprint.
How to determine data classification when CIA differs: The overall ranking of the data will be impacted by the highest objective’s ranking. For example, if confidentiality and availability are low, but integrity is high, the overall impact is high. This process was developed in part from Federal Information Processing Standards Publication 199.
Input: Knowledge of data use and sensitivity
Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool
Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template
Participants: IT Security Manager, CISO, CIO
If your organization has formal data classification in place, it should be leveraged to determine the high, medium, and low rankings necessary for the process flows. However, if there is no formal data classification in place, the process below can be followed:
Download the Vulnerability Management SOP Template
This process should be part of your larger data classification program. If you need assistance in building this out, review the Info-Tech research, Discover and Classify Your Data.
Your defense-in-depth controls are the existing layers of security technology that protect your environment. These are relevant when considering the urgency and risk of vulnerabilities in your environment, as they will mitigate some of the risk.
Understanding and documentation of your current defense-in-depth controls.
What you have today matters.
What does your network look like?
What’s the relevance to vulnerability management? For a vulnerability to be exploited, a malicious actor must find a way to access the vulnerable system to make use of the vulnerability in question. Any enterprise architecture characteristics that you have in place may lessen the probability of a successful vulnerability exploit. This may potentially “buy time” for SecOps to address and remediate the vulnerability.
Note: Defense-in-depth controls do not entirely mitigate vulnerability risk. They provide a way in which the vulnerability cannot be exploited, but it continues to exist on the application. This must be kept in mind as the controls or applications themselves change, as it can re-open the vulnerability and cause potential problems.
Examples of defense-in-depth controls can consist of any of the following:
Input: List of technologies within your environment, List of IT security controls that are in place
Output: List of defense-in-depth controls
Materials: Whiteboard/flip charts, Vulnerability Management SOP Template
Participants: IT Security Manager, Infrastructure Manager, IT Director, CISO
Download the Vulnerability Management SOP Template
Assessing risk will be the cornerstone of how you evaluate vulnerabilities and what priority you place on remediation. This is actual risk to the organization and not simply what the tool reports without the context of your defense-in-depth controls.
A risk matrix tailored to your organization, based on impact and likelihood. This will provide a consistent, unambiguous way to assess risk across the vulnerability types that are reported by your scanning tool.
Vulnerabilities must be addressed to mitigate risk to the business.
Info-Tech Insight: Risk to the organization is business language that everyone can understand. This is particularly true when the risk is to productivity or to the company’s bottom line.
CVSS scores are just the starting point!
Vulnerabilities are constant.
Info-Tech Insight: Vulnerability scanning is a valuable function, but it does not tell the full picture. You must determine how urgent a vulnerability truly is, based on your specific environment.
[Figure: Mitigate the risk surface by reducing the time across the phases]
Risk = Impact x Likelihood
Info-Tech Insight: Risk determination should be done within the context of your current environment and not simply based on what your vulnerability tool is reporting.
A risk matrix is useful in calculating a risk rating for vulnerabilities.
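The three triage factors, the highest-objective rule for data classification, the effect of defense-in-depth controls, and Risk = Impact x Likelihood can be combined into one scoring pass. The following Python example is added here and is not Info-Tech’s Vulnerability Management Risk Assessment Tool; the 1-3 scale, the CVSS cut-offs, the one-step reduction for controls, the rating bands, and all sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    """One vulnerability type on one asset (all sample values are constructed)."""
    ident: str
    cvss_base: float            # score reported by the scanning tool
    exploit_known: bool         # intrinsic quality: has an exploit been identified?
    business_criticality: str   # low / medium / high, e.g. taken from the BIA
    cia: tuple                  # (confidentiality, integrity, availability)
    controls: tuple = ()        # defense-in-depth controls covering this asset


def data_sensitivity(cia):
    """High-water mark: the highest of C, I, A sets the overall ranking."""
    return max(LEVEL[x] for x in cia)


def intrinsic_level(f):
    """Assumed mapping: CVSS >= 7.0 high, >= 4.0 medium, else low.
    A known exploit raises the level one step, capped at high."""
    level = 3 if f.cvss_base >= 7.0 else 2 if f.cvss_base >= 4.0 else 1
    return min(3, level + 1) if f.exploit_known else level


def likelihood(f):
    """Assumption: an applicable control lowers likelihood by one step.
    It never drops below 1, because the vulnerability still exists."""
    level = intrinsic_level(f)
    return max(1, level - 1) if f.controls else level


def impact(f):
    """Impact is the worse of asset criticality and data sensitivity."""
    return max(LEVEL[f.business_criticality], data_sensitivity(f.cia))


def rate(f):
    """Risk = Impact x Likelihood on a 3x3 matrix (rating bands are assumed)."""
    score = impact(f) * likelihood(f)   # one of 1, 2, 3, 4, 6, 9
    rating = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return score, rating


def prioritize(findings):
    """Highest risk first; the scanner's CVSS score only breaks ties."""
    return sorted(findings, key=lambda f: (rate(f)[0], f.cvss_base), reverse=True)


# Constructed sample findings.
FINDINGS = [
    Finding("lab-host/rce", 9.8, True, "low", ("low", "low", "low"), ("isolated VLAN",)),
    Finding("erp-db/info-leak", 5.3, False, "high", ("low", "high", "low"), ("IPS signature",)),
    Finding("web-front/rce", 9.8, True, "high", ("high", "high", "medium")),
    Finding("hr-app/auth-bypass", 6.5, True, "medium", ("medium", "low", "low")),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        score, rating = rate(f)
        print(f"{f.ident:20} cvss={f.cvss_base:<4} risk={score} ({rating})")
    # Removing a control re-opens the risk that the control was holding down.
    exposed = replace(FINDINGS[1], controls=())
    print("erp-db/info-leak without its control:", rate(exposed))
```

Two findings with the same CVSS score of 9.8 land at opposite ends of the list, and the rating of the ERP finding rises from medium to high as soon as its compensating control is removed.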
Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service
Output: Vulnerability Management Risk Assessment Tool formatted to your organization
Materials: Vulnerability Management Risk Assessment Tool
Participants: Functional Area Managers, IT Security Manager, CISO
Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.
Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.
Download the Vulnerability Management Risk Assessment Tool
Select the best remediation option to minimize risk. Through the combination of the identified risk and remediation steps in this phase, the prioritization for vulnerabilities will become clear. Vulnerabilities will be assigned a priority once their intrinsic qualities and threat potential to business function and data have been identified.
Prioritization
Remediation plays an incredibly important role in the entire program. It plays a large part in wider risk management when you must consider the risk of the vulnerability, the risk of the remediation option, and the risk associated with the overall process.
This phase will allow organizations to build out the specific processes for remediating vulnerabilities. The overall process will be the same but what will be critical is the identification of the correct material. This includes building the processes around:
Each remediation option carries a different level of risk that the organization needs to consider and accept by building out this program.
It is necessary to be prepared to do this in real time. Careful documentation is needed when dealing with vulnerabilities. Use the Vulnerability Tracking Tool to assist with documentation in real time. This is separate from using the process template but can assist in the documentation of vulnerabilities.
With the risk assessment from the previous activity, we can now examine remediation options and make a decision. This activity will guide us through that.
List of remediation options and criteria on when to consider each.
Remediate vulnerabilities: Step 3.1 | Step 3.2 | Step 3.3
There are four options when it comes to vulnerability remediation.
Patches and Updates: Patches are software or pieces of code that are meant to close vulnerabilities or provide fixes to any bugs within existing software. These are typically provided by the vendor to ensure that any deployed software is properly protected after vulnerabilities have been detected.
Configuration Changes: Configuration changes involve administrators making significant changes to the system or network to remediate against the vulnerability. This can include disabling the vulnerable application or specific element and can even extend to removing the application altogether.
Compensating Controls: By leveraging security controls, such as your IDS/IPS, firewalls, or access control, organizations can have an added layer of protection against vulnerabilities beyond the typical patches and configuration changes. This can be used as a measure while waiting to implement another option (if one exists) to reduce the risk of the vulnerability in the short or long term.
Risk Acceptance: Whenever a vulnerability is not remediated, either indefinitely or for a short period of time, the organization is accepting the associated risk. Segregation of the vulnerable system can occur in this instance. This can occur in cases where a system or application cannot be updated without detrimental effect to the business.
When to use
When to avoid
When to consider other remediation options
Examples of compensating controls
When to use
When to avoid
When to consider other remediation options
Info-Tech Insight: Remember your existing processes: configuration changes may need to be approved and orchestrated through your organization’s configuration and change management processes.
Case Study: Remediation options do not have to be used separately. Use the Shellshock 2014 case as an example.
INDUSTRY: All
Challenge: Bashdoor, more commonly known as Shellshock, was announced on September 24, 2014. This bug involved the Bash shell, which normally executes user commands, but this vulnerability meant that malicious attackers could exploit it. This was rated a 10/10 by CVSS – the highest possible score. Within hours of the announcement, hackers began to exploit this vulnerability across many organizations.
Solution: Organizations had to react quickly and multiple remediation options were identified:
Results: Companies began to protect themselves against these vulnerabilities. While many organizations installed patches as quickly as possible, some also wished to test the patch and leveraged defense-in-depth controls in the interim. However, even today, many still have the Shellshock vulnerability and exploits continue to occur.
Every time that a vulnerability is not remediated, it continues to pose a risk to the organization. While it may seem that every vulnerability needs to be remediated, this is simply not possible due to limited resources. Further, remediating low-priority vulnerabilities that are extremely unlikely to be exploited can take resources away from other security initiatives.
Common criteria for vulnerabilities that are not remediated:
Risk acceptance is not uncommon…
Enterprise risk management: While these are common criteria, they must be aligned to the enterprise risk management framework and approved by management.
Don’t forget the variables that were assessed in Phase 2. This includes the risk from potential lateral movement or if there is an existing exploit.
When determining if risk acceptance is appropriate, consider the cost of not mitigating vulnerabilities.
With risk acceptance, it is important to review the financial impact of a security incident resulting from that vulnerability. There is always the possibility of exploitation for vulnerabilities. A simple metric taken from NIST SP800-40 to use for this is:
Cost not to mitigate = W * T * R
Where (W) is the number of work stations, (T) is the time spent fixing systems or lost in productivity, and (R) is the hourly rate of the time spent.
As an example provided by NIST SP800-40 Version 2.0, Creating a Patch and Vulnerability Management Program: “For an organization where there are 1,000 computers to be fixed, each taking an average of 8 hours of down time (4 hours for one worker to rebuild a system, plus 4 hours the computer owner is without a computer to do work) at a rate of $70/hour for wages and benefits: 1,000 computers * 8 hours * $70/hour = $560,000”
Info-Tech Insight: Always consider the financial impact that can occur from an exploited vulnerability that was not remediated.
Input: List of remediation options
Output: List of remediation options sorted into “when to use” and “when to avoid” lists
Materials: Whiteboard/flip charts, Vulnerability Management SOP Template
Participants: IT Security Manager, IT Infrastructure Manager, IT Operations Manager, Corporate Risk Officer, CISO
It is important to define and document your organization-specific criteria for when a remediation option is appropriate and inappropriate.
When to use:
When to avoid:
Download the Vulnerability Management SOP Template
None for this section.
Although there are no specific activities for this section, it will walk you through your existing processes, configuration and change management, to ensure that you are leveraging those activities in your vulnerability remediation actions.
Gained understanding of how the IT operations processes of configuration and change management can be leveraged for the vulnerability remediation process. Don’t reinvent the wheel!
Vulnerability management converges with your IT operations functions.
For guidance on implementing or improving your release management process, refer to Info-Tech’s Stabilize Release and Deployment Management blueprint or speak to one of our experts.
Info-Tech Insight: Many organizations don’t have a separate release team. Rather, whoever is doing the deployment will submit a change request and the testing details are vetted through the organization’s change management process. For guidance on the change management process, review our Optimize Change Management blueprint.
Leverage change control, interruption management, approval, and scheduling.
For further guidance on implementing or improving your change management process, refer to Info-Tech’s Optimize Change Management blueprint or speak to one of our experts.
“With no controls in place, IT gets the blame for embarrassing outages. Too much control, and IT is seen as a roadblock to innovation.” (VP IT, Federal Credit Union)
Vulnerability remediation isn’t a “set it and forget it” activity.
A scan with your vulnerability management software after remediation can be a way to verify that the overall risk has been reduced, if remediation was done by way of patching/updates.
Info-Tech Insight: After every change completion, whether due to vulnerability remediation or not, it is a good idea to ensure that your infrastructure team increases its monitoring diligence and that your service desk is ready for any sudden influx of end-user calls.
None for this section.
Although this section has no activities, it will review the process by which you may continually improve vulnerability management.
An understanding of the importance of ongoing improvements to the vulnerability management program.
“The success rate for continual improvement efforts is less than 60 percent. A major – if not the biggest – factor affecting the deployment of long-term continual improvement initiatives today is the fundamental change taking place in the way companies manage and execute work.” (Industry analyst at a consulting firm, 2014)
Continuously re-evaluate the vulnerability management process.
As your systems and assets change, your vulnerability management program may need updates in two ways.
When new assets and systems are introduced:
Effective systems and asset management are needed to track this. Review Info-Tech’s Implement Systems Management to Improve Availability and Visibility blueprint for more help. Document any changes to the vulnerability management program in the Vulnerability Management SOP Template.
When defense-in-depth capabilities are modified:
To assist in building a defense-in-depth model, review Build an Information Security Strategy.
After a review of the differences between raw metrics, key performance indicators (KPI), and critical success factors (CSF), compile a list of what metrics you will be tracking, why, and the business goals for each.
Outline of metrics you can configure your vulnerability scanning tool to report on.
Measure and formalize: Step 4.1 | Step 4.2 | Step 4.3 | Step 4.4
Tracking the right information and making the information relevant.
The activity tracker on your wrist is a wealth of metrics, KPIs, and CSFs. If you wear an activity tracker, you are likely already familiar with the differences between metrics, key performance indicators, and critical success factors:
Your security systems can be similarly measured and tracked – transfer this skill!
Business Goal | Critical Success Factor | Key Performance Indicator | Metric to track |
Minimize overall risk exposure | Reduction of overall risk due to vulnerabilities | Decrease in vulnerabilities | Track the number of vulnerabilities year after year. |
Appropriate allocation of time and resources | Proper prioritization of vulnerability mitigation activities | Decrease of critical and high vulnerabilities | Track the number of high-urgency vulnerabilities. |
Consistent timely remediation of threats to the business | Minimize risk when vulnerabilities are detected | Remediate vulnerabilities more quickly | Mean time to detect: track the average time between identification and remediation. |
Track effectiveness of scanning tool | Minimize the ratio, indicating that the tool sees everything | Ratio between known assets and what the scanner tracks | Scanner coverage compared to known assets in the organization. |
Having effective tools to track and address | Accuracy of the scanning tool | Difference or ratio between reported vulnerabilities and verified ones | Number of critical or high vulnerabilities verified, between the scanning tool’s criticality rating and actual criticality. |
Reduction of exceptions to ensure minimal exposure | Visibility into persistent vulnerabilities and risk mitigation measures | Number of exceptions granted | Number of vulnerabilities in which little or no remediation action was taken. |
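The metrics in the table above can be derived from a vulnerability tracking record and an asset inventory. The following Python example is added here and is not part of the Info-Tech templates; the record fields, asset names, and sample values are constructed assumptions.

```python
from datetime import date
from statistics import mean

URGENT = {"critical", "high"}

# Constructed tracking records; the field names are assumptions for this example.
RECORDS = [
    {"id": "V-101", "asset": "web01", "scanner_rating": "critical",
     "verified_rating": "critical", "identified": date(2024, 3, 1),
     "remediated": date(2024, 3, 4), "exception": False},
    {"id": "V-102", "asset": "db01", "scanner_rating": "high",
     "verified_rating": "medium", "identified": date(2024, 3, 2),
     "remediated": date(2024, 3, 16), "exception": False},
    {"id": "V-103", "asset": "hr01", "scanner_rating": "high",
     "verified_rating": "high", "identified": date(2024, 3, 5),
     "remediated": None, "exception": False},
    {"id": "V-104", "asset": "plc07", "scanner_rating": "medium",
     "verified_rating": "medium", "identified": date(2024, 3, 6),
     "remediated": None, "exception": True},
    {"id": "V-105", "asset": "web01", "scanner_rating": "low",
     "verified_rating": "low", "identified": date(2024, 3, 8),
     "remediated": date(2024, 3, 15), "exception": False},
]
KNOWN_ASSETS = {"web01", "db01", "hr01", "plc07", "file02"}    # asset inventory
SCANNED_ASSETS = {"web01", "db01", "hr01", "plc07", "kiosk9"}  # seen by the scanner


def vulnerability_metrics(records, known_assets, scanned_assets):
    """Compute the tracked metrics from tracking records and two asset sets."""
    days = [(r["remediated"] - r["identified"]).days
            for r in records if r["remediated"]]
    reported = [r for r in records if r["scanner_rating"] in URGENT]
    verified = [r for r in reported if r["verified_rating"] in URGENT]
    return {
        # Number of vulnerabilities, to be compared period over period.
        "total": len(records),
        # High-urgency vulnerabilities that are verified and still open.
        "open_high_urgency": sum(
            1 for r in records
            if r["verified_rating"] in URGENT and not r["remediated"]),
        # Average days between identification and remediation.
        "mean_days_to_remediate": mean(days) if days else None,
        # Share of inventoried assets that the scanner actually covers.
        "scanner_coverage": (len(known_assets & scanned_assets) / len(known_assets)
                             if known_assets else None),
        "not_scanned": sorted(known_assets - scanned_assets),
        # Assets the scanner sees that the inventory does not know about.
        "not_in_inventory": sorted(scanned_assets - known_assets),
        # Share of scanner-reported critical/high findings confirmed as such.
        "verified_ratio": len(verified) / len(reported) if reported else None,
        # Vulnerabilities where an exception was granted instead of remediation.
        "exceptions": sum(1 for r in records if r["exception"]),
    }


if __name__ == "__main__":
    for name, value in vulnerability_metrics(
            RECORDS, KNOWN_ASSETS, SCANNED_ASSETS).items():
        print(f"{name}: {value}")
```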
Input: List of metrics currently being measured by the vulnerability management tool
Output: List of relevant metrics to track, and the KPIs, CSFs, and business goals related to the metric
Materials: Whiteboard/flip charts, Vulnerability Management SOP Template
Participants: IT Security Manager, IT operations management, CISO
Metrics can offer a way to view how the organization is dealing with vulnerabilities and if there is improvement.
Download the Vulnerability Management SOP Template
If you have a vulnerability management policy, this activity may help augment it. Otherwise, if you don’t have one, this would be a great starting point.
An inaugural policy covering vulnerability management
Policies provide governance and enforcement of processes.
Input: Vulnerability Management SOP, HR guidance on policy creation and approval
Output: Completed Vulnerability Management Policy
Materials: Vulnerability Management SOP, Vulnerability Management Policy Template
Participants: IT Security Manager, IT operations management, CISO, Human resources representative
After having built your entire process in this project, formalize it into a vulnerability management policy. This will set the standards and expectations for vulnerability management in the organization, while the process covers the specific actions that need to be taken for vulnerability management.
This is separate and distinct from the Vulnerability Management SOP Template, which is a process and procedure document.
Download the Vulnerability Management Policy Template
If you need to select a new vulnerability scanning tool, or replace your existing one, this activity will help set up a request for proposal (RFP).
The provisions needed for you to create and deploy an RFP for a vulnerability management tool.
Similar in nature, yet provide different security functions.
What’s the difference again?
Vulnerability Scanning Tools: Scanning tools focus on the network and operating systems. These tools look for items such as missing patches or open ports. They won’t detect specific application vulnerabilities. Vulnerability scanning tools are just one type of tool.
Exploitation Tools: These tools will look to exploit a detected vulnerability to validate it. When you add an exploitation tool to the mix, you move down the spectrum.
Penetration Tests: A penetration test simulates the actions of an external or internal cyber attacker that aims to breach the information security of the organization. (Formal definition of penetration test) Penetration tests will use scanning tools, exploitation tools, and people.
What is the value of each?
What’s the implication for me?
Info-Tech Recommends:
Scanning tools will benefit areas beyond just vulnerability management
Vulnerability Detection Use Case: Most organizations use scanners to identify and assess system vulnerabilities and prioritize efforts.
Compliance Use Case: Others will use scanners just for compliance, auditing, or larger GRC reasons.
Asset Discovery Use Case: Many organizations will use scanners to perform active host and application identification.
Scanning Tool Market Trends
Vulnerability scanning tools have expanded value from conventional checking for vulnerabilities to supporting configuration checking, asset discovery, inventory management, patch management, SSL certificate validation, and malware detection.
Expect to see network and system vulnerability scanners develop larger vulnerability management functions and develop exploitation tool functionality. This will become a table stakes option enabling organizations to provide higher levels of validation of detected vulnerabilities. Some tools already possess these capabilities:
Device proliferation (BYOD, IoT, etc.) is increasing the need for stronger vulnerability management and scanners. This is driving the need for numerous device types and platform support and the development of baseline and configuration norms to support system management.
Increased regulatory or compliance controls are also stipulating the need for vulnerability scanning, especially by a trusted third party.
Organizations are outsourcing security functions or moving to cloud-based deployment options for any security technology they can. Expect to see massive growth of vulnerability scanning as a service.
Vulnerability Exploitation Tools
Scanning Tool Market Trends
Web Application Scanning Tools
These tools perform dynamic application security testing (DAST) and static application security testing (SAST).
Application Scanning and Testing Tools
Common areas people mistake as tool differentiators:
For more information on vulnerability scanning tools and how they rate, review the Vulnerability Management category on SoftwareReviews.
Option | Description | Pros | Cons | Use Cases |
On-Premises | Either an on-premises appliance or an on-premises virtualized machine that performs external and internal scanning. |
Cloud | Either hosted on a public cloud infrastructure or hosted by a third party and offered “as a service.” |
Managed | A third party is contracted to manage and maintain your vulnerability scanner so you can dedicate resources elsewhere. |
Method | Description | Pros | Cons | Use Cases |
Agent-Based Scanning | Locally installed software gives the information needed to evaluate the security posture of a device. |
Authenticated Active Scanning | Tool uses authenticated credentials to log in to a device or application to perform scanning. |
Unauthenticated Active Scanning | Scanning of devices without any authentication. |
Passive Scanning | Scanning of network traffic. |
Scanning on IPv4
Scanning tools create databases of systems and devices with IP addresses.
Current Problem With IP Addresses
IP addresses are becoming no longer manageable or even owned by organizations. They are often provided by ISPs or other third parties. Even if it is your range, chances are you don't do static IP ranges today.
Info-Tech Recommends:
Scanning on IPv6
First, you need to know if your organization is moving to IPv6. IPv6 is not strategically routed yet for most organizations.
If you are moving to IPv6, Info-Tech recommends the following:
If you are already on IPv6, Info-Tech recommends the following:
Input: List of key feature requirements for the new tool, List of intersect points with current software, Network topology and layout of servers and applications
Output: Completed RFP document that can be distributed to vendor proponents
Materials: Whiteboard/flip charts, Vulnerability Scanning Tool RFP Template
Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative
Use a request for proposal (RFP) template to convey your desired scanning tool requirements to vendors and outline the proposal and procurement steps set by your organization.
Download the Vulnerability Scanning Tool RFP Template
Things to Consider:
Info-Tech RFP Table of Contents:
We will review penetration testing, its distinction from vulnerability management, and why you may want to engage a penetration testing service.
We provide a request for proposal (RFP) template that we can review if this is an area of interest.
An understanding of penetration testing, and guidance on how to get started if there is interest to do so.
Penetration tests are critical parts of any strong security program.
Penetration testing will emulate the methods an attacker would use in the real world to circumvent your security controls and gain access to systems and data. Penetration testing is much more than just running a scanner or other automated tools and then generating a report. Penetration testing performs critical exploit validation to create certainty around your vulnerability. The primary objective of a penetration test is to identify and validate security weaknesses in an organization’s security systems.
Reasons to Test:
Regulatory Considerations:
How and where is the value being generated?
Penetration testing is a service provided by trained and tested professionals with years of experience. The person behind the test is the most important part of the test. The person is able to emulate a real-life attacker better than any computer. It is just a vulnerability scan if you use tools or executables alone.
“A penetration test is an audit with validation.” (Joel Shapiro, Vice President Sales, Digital Boundary Group)
Network Penetration Tests
Conventional testing of network defences. Testing vectors include:
Application Penetration Tests
Core business functions are now being provided through web applications, either to external customers or to internal end users.
Types: Web apps, non-web apps, mobile apps
Application penetration and security testing encompasses:
Human-Centric Testing
Your pen test should use multiple methods. Demonstrating weakness in one area is good but easy to identify. When you blend techniques, you are more successful at breaching and the test becomes more lifelike. Think about prevention, detection, and response testing to provide full insight into your security defenses.
Network, Application, or Human
Evaluate your need to perform different types of penetration testing. Some level of network and application testing is most likely appropriate. The more common decision point is to consider to what degree your organization requires human-centric penetration testing.
External or Internal
External: Attacking an organization’s perimeter and internet-facing systems. For these, you generally provide some level of information to the tester. The test will begin with publicly available information gathering followed by some kind of network scanning or probing against externally visible servers or devices (DNS server, email server, web server, firewall, etc.).
Internal: Carried out within the organization’s network. This emulates an attack originating from an internal point (disgruntled employee, authorized user, etc.). The idea is to see what could happen if the perimeter is breached.
Transparent, Semi-Transparent, or Opaque Box
Opaque Box: The penetration tester is not provided any information. This emulates a real-life attack. Test team uses publicly available information (corporate website, DNS, USENET, etc.) to start the test. These tests are more time consuming and expensive. They often result in exploitation of the easiest vulnerability. Use cases: full assessment of security controls; testing of attacker traversal capabilities.
Aggressiveness of the Test
Not Aggressive: Very slow and careful penetration testing. Usually spread out in terms of packets being sent and number of calls to individuals. It attempts to not set off any alarm bells.
Aggressive: A full DoS attack or something similar. These would be DoS attacks that take down systems or full SQL injection attacks all at once versus small injections over time. Testing options cover anything including physical tests, network tests, social engineering, and data extraction and exfiltration. This is more costly and time consuming.
Assessing Aggressiveness: How aggressive the test should be is based on the threats you are concerned with. Assess who you are concerned with: random individuals on the internet, state-sponsored attacks, criminals, hacktivists, etc. Who you are concerned with will determine the appropriate aggressiveness of the test.
Determining the scope of what is being tested is the most important part of a penetration test. Organizations need to be as specific as possible so the vendor can actually respond or ask questions.
Organizations need to define boundaries, objectives, and key success factors.
For scope:
Boundaries to scope before a test:
Objectives and key success factors to scope:
Usual instances to conduct a penetration test:
Specific timing considerations: Testing should be completed during non-production times of day. Testing should be completed after a backup has been performed.
Assess your threats to determine your appropriate test type: Penetration testing is about what threats you are concerned about. Understand your risk profile, risk tolerance level, and specific threats to see how relevant penetration tests are.
ANALYST PERSPECTIVE: Do a test only after you take a first pass.
Input: List of criteria and scope for the penetration test, Systems and application information if white box
Output: Completed RFP document that can be distributed to vendor proponents
Materials: Whiteboard/flip charts, Penetration Test RFP Template
Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative
Use an RFP template to convey your desired penetration test requirements to vendors and outline the proposal and procurement steps set by your organization.
Download the Penetration Test RFP Template
Steps of a penetration test:
Info-Tech RFP Table of Contents:
Professional Services Firms. These firms will often provide a myriad of professional services across auditing, financial, and consulting services. If they offer security-related consulting services, they will most likely offer some level of penetration testing.
Security Service Firms. These are dedicated security consulting or advisory firms that will offer a wide spectrum of security-related services. Penetration testing may be one aspect of larger security assessments and strategy development services.
Dedicated Penetration Testing Firms. These are service providers that will often offer the full gamut of penetration testing services.
Managed Security Service Providers. These providers will offer penetration testing. For example, Dell SecureWorks offers numerous services including penetration testing. For organizations like this, you need to be skeptical of ulterior motives. For example, expect recommendations around outsourcing from Dell SecureWorks.
Regional or Small Integrators. These are service providers that provide security services of some kind. For example, they would help in the implementation of a firewall and offer penetration testing services as well.
Communication With Service Provider
Communication With Internal Staff
Do you tell your internal staff that this is happening? This is sometimes called a “double blind test” when you don’t let your IT team know of the test occurring.
Pros to notifying:
A final results report will state all findings including what was done by the testers, what vulnerabilities or exploitations were detected, how they were compromised, the related risk, and related remediation recommendations.
Expect four major sections:
Prioritization
Remediation
At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.
Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
The risk-based approach will allow you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities while allowing your standard remediation cycle to address the medium to low vulnerabilities.
With your program defined and developed, you now need to configure your vulnerability scanning tool or acquire one if you don’t already have a tool in place.
Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.
Contact your account representative for more information.
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.
workshops@infotech.com 1-888-670-8889
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
Review of the Implement Vulnerability Management storyboard
Build your vulnerability management SOP
Contributors from 2016 version of this project:
Contributors from current version of this project:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Identify your open data program's current state maturity, and gain buy-in from the business for the program.
Identify a target state maturity and reach it through building a policy and processes and the use of metrics.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Ensure that the open data program is being driven out from the business in order to gain business support.
Identify drivers for the open data program that are coming directly from the business.
1.1 Understand constraints for the open data program.
1.2 Conduct interviews with the business to gain input on business drivers and level-set expectations.
1.3 Develop list of business drivers for open data.
Defined list of business drivers for the open data program
Understand the gaps between where your program currently is and where you want it to be.
Identify top processes for improvement in order to bring the open data program to the desired target state maturity.
2.1 Perform current state maturity assessment.
2.2 Define desired target state with business input.
2.3 Highlight gaps between current and target state.
Defined current state maturity
Identified target state maturity
List of top processes to improve in order to reach target state maturity
Develop a draft open data policy that will give you a starting point when building your policy with the community.
A draft open data policy will be developed that is based on best-practice standards.
3.1 Define the purpose of the open data policy.
3.2 Establish principles for the open data program.
3.3 Develop a rough governance outline.
3.4 Create a draft open data policy document based on industry best-practice examples.
Initial draft of open data policy
Build open data processes and identify metrics for the program in order to track benefits realization.
Formalize processes to set in place to improve the maturity of the open data program.
Identify metrics that can track the success of the open data program.
4.1 Develop the roles that will make up the open data program.
4.2 Create processes for new dataset requests, updates of existing datasets, and the retiring of datasets.
4.3 Identify metrics that will be used for measuring the success of the open data program.
Initial draft of open data processes
Established metrics for the open data program
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Establish your project vision and metrics of success before shortlisting potential contact center architectures and deciding which is right-sized for the organization.
Build business requirements to achieve stakeholder buy-in, define key deliverables, and issue an RFP/RFQ to shortlisted vendors.
Score RFP/RFQ responses and decide upon a vendor before constructing a SOW.
Shortlist and decide upon a right-sized contact center architecture.
A high-level decision for a right-sized architecture
1.1 Define vision and mission statements.
1.2 Identify infrastructure metrics of success.
1.3 Confirm key performance indicators for contact center operations.
1.4 Complete architecture assessment.
1.5 Confirm right-sized architecture.
Project outline
Metrics of success
KPIs confirmed
Quickly narrow down right-sized architecture
Decision on right-sized contact center architecture
Build business requirements and define key deliverables to achieve stakeholder buy-in and shortlist potential vendors.
Key deliverables defined and a shortlist of no more than five vendors
Sections 7-8 of the Contact Center Playbook completed
2.1 Hold focus groups with key stakeholders.
2.2 Gather business, nonfunctional, and functional requirements.
2.3 Define key deliverables.
2.4 Shortlist five vendors that appear to meet those requirements.
User requirements identified
Business Requirements Document completed
Key deliverables defined
Shortlist of five vendors
Compare and evaluate shortlisted vendors against gathered requirements.
Have a strong overview of which vendors are preferred for issuing RFP/RFQ
Section 9 of the Contact Center Playbook
3.1 Input requirements to the Contact Center RFP Scoring Tool. Define which are mandatory and which are desirable.
3.2 Determine which vendors best meet requirements.
3.3 Compare requirements met with anticipated TCO.
3.4 Compare and rank vendors.
An assessment of requirements
Vendor scoring
A holistic overview of requirements scoring and vendor TCO
An initial ranking of vendors to shape RFP process after workshop end
Walk through the Contact Center SOW Template and Guide to identify how much time to allocate per section and who will be responsible for completing it.
An understanding of a SOW that is designed to avoid major pitfalls with vendor management
Section 10 of the Contact Center Playbook
4.1 Get familiar with the SOW structure.
4.2 Identify which sections will demand greater time allocation.
4.3 Strategize how to avoid potential pitfalls.
4.4 Confirm reviewer responsibilities.
A broad understanding of a SOW’s key sections
A determination of how much time should be allocated for reviewing major sections
A list of ways to avoid major pitfalls with vendor management
A list of reviewers, the sections they are responsible for reviewing, and their time allocation for their review
Finalize deliverables and plan post-workshop communications.
A completed Contact Center Playbook that justifies each decision of this workshop
5.1 Finalize deliverables.
5.2 Support communication efforts.
5.3 Identify resources in support of priority initiatives.
Contact Center Playbook delivered
Post-workshop engagement to confirm satisfaction
Follow-up research that complements the workshop or leads workshop group in relevant new directions
With COVID-19's rapid spread through populations, governments are looking for technology tools that can augment the efforts of manual contact tracing processes. How the system is designed is crucial to a positive outcome.
Mobile contact tracing apps that use a decentralized design approach will be the most likely to be adopted by a wide swath of the population.
There are some key considerations to realize from the way different governments are approaching contact tracing:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use this step-by-step guide to assess your ransomware readiness and implement controls that will improve your ability to prevent incursions and defend against attacks.
Use this assessment tool to assess existing protection, detection, response, and recovery capabilities and identify potential improvements.
Use this threat preparedness workbook to evaluate the threats and tactics in the ransomware kill chain using the MITRE framework and devise appropriate countermeasures.
Adapt this tabletop planning session template to plan and practice the response of your internal IT team to a ransomware scenario.
Adapt these workflow and runbook templates to coordinate the actions of different stakeholders through each stage of the ransomware incident response process.
Adapt this tabletop planning session template to plan leadership contributions to the ransomware response workflow. This second tabletop planning session will focus on communication strategy, business continuity plan, and deciding whether the organization should pay a ransom.
Summarize your current state and present a prioritized project roadmap to improve ransomware resilience over time.
Set workshop goals, review ransomware trends and risk scenarios, and assess the organization’s resilience to ransomware attacks.
Develop a solid understanding of the likelihood and impact of a ransomware attack on your organization.
Complete a current state assessment of key security controls in a ransomware context.
1.1 Review incidents, challenges, and project drivers.
1.2 Diagram critical systems and dependencies and build risk scenario.
1.3 Assess ransomware resilience.
Workshop goals
Ransomware Risk Scenario
Ransomware Resilience Assessment
Improve your capacity to protect your organization from ransomware and detect attacks along common vectors.
Identify targeted countermeasures that improve protection and detection capabilities.
2.1 Assess ransomware threat preparedness.
2.2 Determine the impact of ransomware techniques on your environment.
2.3 Identify countermeasures to improve protection and detection capabilities.
Targeted ransomware countermeasures to improve protection and detection capabilities.
Improve your organization’s capacity to respond to ransomware attacks and recover effectively.
Build response and recovery capabilities that reduce the potential business disruption of successful ransomware attacks.
3.1 Review the workflow and runbook templates.
3.2 Update/define your threat escalation protocol.
3.3 Define scenarios for a range of incidents.
3.4 Run a tabletop planning exercise (IT).
3.5 Update your ransomware response runbook.
Security Incident Response Plan Assessment.
Tabletop Planning Session (IT)
Ransomware Workflow and Runbook.
Identify prioritized initiatives to improve ransomware resilience.
Identify the role of leadership in ransomware response and recovery.
Communicate workshop outcomes and recommend initiatives to improve ransomware resilience.
4.1 Run a tabletop planning exercise (Leadership).
4.2 Identify initiatives to close gaps and improve resilience.
4.3 Review broader strategies to improve your overall security program.
4.4 Prioritize initiatives based on factors such as effort, cost, and risk.
4.5 Review the dashboard to fine-tune your roadmap.
4.6 Summarize status and next steps in an executive presentation.
Tabletop Planning Session (Leadership)
Ransomware Resilience Roadmap and Metrics
Ransomware Workflow and Runbook
Ransomware is a high-profile threat that demands immediate attention:
Ransomware is more complex than other security threats:
To prevent a ransomware attack:
Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recover quickly.
As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.
The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy attacks, which have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.
Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.
Michel Hébert
Research Director, Security and Privacy
Info-Tech Research Group
Three factors contribute to the threat:
Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.
A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout over attacks during this period.
Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.
Sophos commissioned a vendor-agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.
The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.
66%: Hit by ransomware in 2021 (up from 37% in 2020)
90%: Ransomware attack affected their ability to operate
$812,360 USD: Average ransom payment
$4.54M: Average remediation cost (not including ransom)
ONE MONTH: Average recovery time
Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.
Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as reasons why they did not anticipate an attack.
While these elements can help recover from an attack, they don't prevent it in the first place.
Source: Sophos, State of Ransomware (2022)
IBM, Cost of A Data Breach (2022)
At each point of the playbook, malicious agents need to achieve something before they can move to the next step.
Resilient organizations look for opportunities to:
Initial access, Execution | Privilege Escalation, Credential Access | Lateral Movement, Collection | Data Exfiltration | Data encryption |
---|---|---|---|---|
Deliver phishing email designed to avoid spam filter. Launch malware undetected. | Identify user accounts. Target an admin account. Use brute force tactics to crack it. | Move through the network and collect data. Infect as many critical systems and backups as possible to limit recovery options. | Exfiltrate data to gain leverage. | Encrypt data, which triggers alert. Deliver ransom note. |
Ransomware groups thrive through extortion tactics.
Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:
Source: IBM, Cost of a Data Breach (2022)
An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.
Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.
Ransomware dwell times and average encryption rates are improving dramatically.
Hackers spend less time in your network before they attack, and their attacks are much more effective.
Avg dwell time: 3-5 Days
Avg encryption rate: 70 GB/h
Avg detection time: 11 Days
Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.
Effective time is a measure of the effectiveness of the encryption algorithm. Encryption rates vary by ransomware family. LockBit has the fastest encryption rate, clocking in at 628 GB/h.
It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.
References: Bleeping Computers (2022), VentureBeat, Dark Reading, ZDNet.
This blueprint will focus on improving your ransomware resilience to:
Response
Recovery
For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery.
Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.
Put controls in place to harden your environment, train savvy end users, and prevent incursions.
Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.
Protect | Detect | Respond | Recover |
Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.
Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.
Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.
Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.
Review the user access management program, policies and procedures to ensure they are ransomware-ready.
Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.
 | Assess resilience | Protect and detect | Respond and recover | Improve resilience |
---|---|---|---|---|
Phase steps | | | | |
Phase outcomes | | | | |
Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges.
Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, and respond and recover quickly.
Build risk scenarios that describe how a ransomware attack would impact organizational goals.
Understand possible outcomes to motivate initiatives, protect your organization, plan your response, and practice recovery.
Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.
The frequency and impact of ransomware attacks continue to increase, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.
The anatomy of a ransomware attack is relatively simple: malicious agents get in, spread, and profit. Deploy ransomware protection metrics to measure ransomware resilience at each stage.
The resilience roadmap captures the key insights your work will generate, including:
Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.
Ransomware Resilience Assessment
Measure ransomware resilience, identify gaps, and draft initiatives.
Enterprise Threat Preparedness Workbook
Analyze common ransomware techniques and develop countermeasures.
Ransomware Response Workflow & Runbook
Capture key process steps for ransomware response and recovery.
Run tabletops for your IT team and your leadership team to gather lessons learned.
Capture project insights and measure resilience over time.
Organizations worldwide spent on average USD 4.62M in 2021 to rectify a ransomware attack. These costs include escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious ransomware attacks that destroyed data in destructive wiper-style attacks cost an average of USD 4.69M.
Building better now is less expensive than incurring the same costs in addition to the clean-up and regulatory and business disruption costs associated with successful ransomware attacks.
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research and advisory services helped them achieve.
Source: IBM, Cost of a Data Breach (2022)
See what members have to say about the ransomware resilience blueprint:
"Our advisor was well-versed and very polished. While the blueprint alone was a good tool to give us direction, his guidance made it significantly faster and easier to accomplish than if we had tried to tackle it on our own."
CIO, Global Manufacturing Organization
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
SOURCE: Interview with CIO of large enterprise
Organizations who "build back better" after a ransomware attack often wish they had used relevant controls sooner.
In February 2020, a large organization found a ransomware note on an admin's workstation. They had downloaded a local copy of the organization's identity management database for testing and left a port open on their workstation. Hackers exfiltrated it and encrypted the data on the workstation. They demanded a ransom payment to decrypt the data.
Because private information was breached, the organization informed the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.
The organization decided not to pay the ransom because it had a copy on an unaffected server.
The organization was praised for its timely and transparent response.
The breach motivated the organization to put more protections in place, including:
SOURCE: Info-Tech Workshop Results
Industry: Government
Regional government runs an Info-Tech workshop to fast-track its ransomware incident response planning
The organization was in the middle of developing its security program, rolling out security awareness training for end users, and investing in security solutions to protect the environment and detect incursions. Still, the staff knew they had holes to fill. They had not yet fully configured and deployed security solutions, key security policies were missing, and they didn't have a documented ransomware incident response plan.
Info-Tech advisors helped the organization conduct a systematic review of existing processes, policies, and technology, with an eye to identifying key gaps in the organization's ransomware readiness. The impact analysis quantified the potential impact of a ransomware attack on critical systems to improve organizational awareness of ransomware risks and improve buy-in for investment in the security program.
Info-Tech's tabletop planning exercise provided a foundation for the organization's actual response plan. The organization used the results to build a ransomware response workflow and the framework for a more detailed runbook. The workshop also helped staff identify ways to improve the backup strategy and bridge further gaps in their ability to recover.
The net result was a current-state response plan, appropriate capability targets aligned with business requirements, and a project roadmap to achieve the organization's desired state of ransomware readiness.
Scoping Call | Phase 1 | Phase 2 | Phase 3 | Phase 4 |
---|---|---|---|---|
Call #1: Discuss context, identify challenges, and scope project requirements. Identify ransomware resilience metrics. | Call #2: Build ransomware risk scenario. | Call #4: Review common ransomware attack vectors. Identify and assess mitigation controls. | Call #5: Document ransomware workflow and runbook. | Call #7: Run tabletop test with leadership. |
 | Call #3: Assess ransomware resilience. | | Call #6: Run tabletop test with IT. | Call #8: Build ransomware roadmap. Measure ransomware resilience metrics. |
A guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 6 to 8 calls over the course of 4 to 6 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
 | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
---|---|---|---|---|---|
 | Assess ransomware resilience | Protect and detect | Respond and recover | Improve ransomware resilience | Wrap-up (offsite and offline) |
Activities | 1.1.1 Review incidents, challenges, and project drivers. 1.1.2 Diagram critical systems and dependencies. 1.1.3 Build ransomware risk scenario. | 2.1 1. Assess ransomware threat preparedness. 2.2 2. Determine the impact of ransomware techniques on your environment. 2.3 3. Identify countermeasures to improve protection and detection capabilities. | 3.1.1 Review the workflow and runbook templates. 3.1.2 Update/define your threat escalation protocol. 3.2.1 Define scenarios for a range of incidents. 3.2.2 Run a tabletop planning exercise (IT). 3.3.1 Update your ransomware response workflow. | 4.1.1 Run a tabletop planning exercise (leadership). 4.1.2 Identify initiatives to close gaps and improve resilience. 4.1.3 Review broader strategies to improve your overall security program. 4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk. 4.2.2 Review the dashboard to fine tune your roadmap. 4.3.1 Summarize status and next steps in an executive presentation. | 5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. 5.3 Revisit ransomware resilience metrics in three months. |
Phase 1 | Phase 2 | Phase 3 | Phase 4 |
---|---|---|---|
1.1 Build ransomware risk scenario 1.2 Conduct resilience assessment | 2.1 Assess attack vectors 2.2 Identify countermeasures | 3.1 Review Security Incident Management Plan 3.2 Run Tabletop Test (IT) 3.3 Document Workflow and Runbook | 4.1 Run Tabletop Test (Leadership) 4.2 Prioritize resilience initiatives 4.3 Measure resilience metrics |
This phase will walk you through the following activities:
This phase involves the following participants:
1.1.1 Review incidents, challenges and project drivers
1.1.2 Diagram critical systems and dependencies
1.1.3 Build ransomware risk scenario
This step will guide you through the following activities:
This step involves the following participants:
Brainstorm the challenges you need to address in the project. Avoid producing solutions at this stage, but certainly record suggestions for later. Use the categories below to get the brainstorming session started.
Brainstorm critical systems and their dependencies to build a ransomware risk scenario. The scenario will help you socialize ransomware risks with key stakeholders and discuss the importance of ransomware resilience.
Focus on a few key critical systems.
Start with a WAN diagram, then your production data center, and then each critical system. Use the next three slides as your guide.
When you get to this level of detail, use this opportunity to level-set with the team. Consider the following:
For now, make a note of these gaps and continue with the next step.
Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.
Risk identification → Risk scenario → Risk statement
The slides walk through how to build a ransomware risk scenario
An actor capable of harming an asset | Anything of value that can be affected and results in loss | Technique an actor uses to affect an asset | How loss materializes |
---|---|---|---|
Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors | Examples: Systems, regulated data, intellectual property, people | Examples: Credential compromise, privilege escalation, data exfiltration | Examples: Loss of data confidentiality, integrity, or availability; impact on staff health and safety |
Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events.
Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address ransomware risks.
In a ransomware risk scenario, the threat, their motivations, and their methods are known. Malicious agents are motivated to compromise critical systems, sabotage recovery, and exfiltrate data for financial gain.
The purpose of building the risk scenario is to highlight the assets at risk and the potential effect of a ransomware attack.
As a group, consider critical or mission-essential systems identified in step 1.1.2. On a whiteboard, brainstorm the potential adverse effect of a loss of system availability, confidentiality or integrity.
Consider the impact on:
Inputs for risk scenario identification
Risk analysis | | | |
---|---|---|---|
Critical assets | ERP, CRM, FMS, LMS | Operational technology | Sensitive or regulated data |
Threat agents | Cybercriminals | | |
Methods | Compromise end user devices through social engineering attacks. Compromise networks through external exposures and software vulnerabilities. Identify and crack administrative account. Escalate privileges. Move laterally. Collect data, destroy backups, exfiltrate data for leverage, encrypt systems. Threaten to publish exfiltrated data and demand ransom. | | |
Adverse effect | Serious business disruption; financial damage; reputational damage; potential litigation. Average downtime: 30 days. Average clean-up costs: USD 1.4M | | |
Likelihood: Medium
Impact: High
Cyber-criminals penetrate the network, exfiltrate critical or sensitive data, encrypt critical systems, and demand a ransom to restore access.
They threaten to publish sensitive data online to pressure the organization to pay the ransom, and reach out to partners, staff, and students directly to increase the pressure on the organization.
Network access likely occurs through a phishing attack, credential compromise, or remote desktop protocol session.
Cybercriminals penetrate the network, compromise backups, exfiltrate and encrypt data, and disrupt computer systems for financial gain.
Threat Actor:
Assets:
Effect:
Methods:
1.2.1 Complete resilience assessment
1.2.2 Establish resilience metrics
The maturity levels are based on the Capability Maturity Model Integration framework. We outline our modifications below.
CMMI Maturity Level – Default Descriptions: | CMMI Maturity Level – Modified for This Assessment: |
---|---|
(Source: CMMI Institute, CMMI Levels of Capability and Performance)
Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.
Use the Ransomware Resilience Assessment Tool to assess maturity of existing controls, establish a target state, and identify an initial set of initiatives to improve ransomware resilience.
Keep the assessment tool on hand to add gap closure initiatives as you proceed through the project.
Download the Ransomware Resilience Assessment
Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.
Measure metrics at the start of the project to establish a baseline, and again as the project nears completion to measure progress.
Attack workflow | Process | Metric | Target trend | Current | Goal |
---|---|---|---|---|---|
GET IN | Vulnerability Management | % Critical patches applied | Higher is better | | |
GET IN | Vulnerability Management | # of external exposures | Fewer is better | | |
GET IN | Security Awareness Training | % of users tested for phishing | Higher is better | | |
SPREAD | Identity and Access Management | Adm accounts / 1000 users | Lower is better | | |
SPREAD | Identity and Access Management | % of users enrolled for MFA | Higher is better | | |
SPREAD | Security Incident Management | Avg time to detect | Lower is better | | |
PROFIT | Security Incident Management | Avg time to resolve | Lower is better | | |
PROFIT | Backup and Disaster Recovery | % critical assets with recovery test | Higher is better | | |
PROFIT | Backup and Disaster Recovery | % backup to immutable storage | Higher is better | | |
This phase will walk you through the following activities:
This phase involves the following participants:
2.1.1 Assess ransomware threat preparedness
2.1.2 Determine the impact of ransomware techniques on your environment
This step involves the following activities:
This step involves the following participants:
Assess risks associated with common ransomware attack vectors.
Download the Enterprise Threat Preparedness Workbook
Deliver phishing email designed to avoid spam filter. Launch malware undetected. | Identify user accounts. Target an admin account. Use brute force tactics to crack it. | Move through the network. Collect data. Infect critical systems and backups to limit recovery options. | Exfiltrate data to gain leverage. | Encrypt data, which triggers alert. Deliver ransom note. |
Once you're comfortable, follow the instructions on the following pages to configure the MITRE ransomware analysis and identify how to improve your protection and detection capabilities.
If you would like to change the set-up, go through the following steps.
The following slides walk you through the process with screenshots from the workbook.
Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.
As you fill out the Tactic tabs with your evaluation, the overall reading will display the average of your overall preparedness for that tactic.
Choosing the Technique Domain level will increase the accuracy of the reporting at the cost of speed.
The Technique level is faster but provides less specifics for each control and analyzes them as a group.
The Sub-Technique level is much more granular, but each tactic and technique has several sub-techniques that you will need to account for.
Check with the dashboard to see the associated risk level for each of the tactics based on the legend. Tactics that appear white have not yet been assessed or are rated as "N/A" (not applicable).
When you select your Technique Domain, you cannot change it again. Changing the domain mid-analysis will introduce inaccuracies in your security preparedness.
How an attacker will attempt to achieve their goals through a specific action.
The corresponding ID number on the MITRE ATT&CK® Matrix for quick reference.
If an attack of this type is successful on your network, how deep does the damage run?
What security protocols do you have in place right now that can help prevent an attacker from successfully executing this attack technique? The rating is based on the CMMI scale.
We highly recommend that you write comments about your current-state security protocols. First, it's great to have documented your thought processes in the event of a threat modeling session. Second, you can speak to deficits clearly, when asked.
You may discover that you have little to no mitigation actions in place to deal with one or many of these techniques. However, look at this discovery as a positive: You've learned more about the potential vectors and can actively work toward remediating them rather than hoping that a breach never happens through one of these avenues.
If you have chosen the Sub-Technique level, the tool should resemble this image.
Each sub-technique has a note for additional context and understanding about what the techniques are seeking to do and how they may impact your enterprise.
2.2.1 Identify countermeasures
Identification of countermeasures to common ransomware techniques, and tactics to improve protection and detection capabilities.
As you work through the tool, your dashboard will prioritize your threat preparedness for each of the various attack techniques to give you an overall impression of your preparedness.
For each action, the tool includes detection and remediation actions for you to consider either for implementation or as table stakes for your next threat modeling sessions.
Note: Some sheets will have the same controls. However, the context of the attack technique may change your answers. Be sure to read the tactic and technique that you are on when responding to the controls.
Prioritize the analysis of ransomware tactics and sub-techniques identified on slide 45. If your initial analysis in Activity 2.2.1 determined that you have robust security protocols for some of the attack vectors, set these domains aside.
This phase will guide you through the following steps:
This phase involves the following participants:
3.1.1 Review the workflow and runbook templates
3.1.2 Update/define your threat escalation protocol
This step will walk you through the following activities:
This step involves the following participants:
This blueprint includes sample information in the Ransomware Response Workflow Template and Ransomware Response Runbook Template to use as starting points for the steps in Phase 3, including documenting your threat escalation protocol.
Download the Ransomware Response Workflow Template
Download the Ransomware Response Runbook Template
Document the Threat Escalation Protocol sections in the Ransomware Response Workflow Template or review/update your existing runbook. The threat escalation protocol defines which stakeholders to involve in the incident management process, depending on impact and scope. Specifically, you will need to define the following:
Impact and scope criteria: Impact considers factors such as the criticality of the system/data, whether PII is at risk, and whether public notification is required. Scope considers how many systems or users are impacted.
Severity assessment: Define the severity levels based on impact and scope criteria.
Relevant stakeholders: Identify stakeholders to notify for each severity level, which can include external stakeholders.
If you need additional guidance, see Info-Tech's Develop and Implement a Security Incident Management Program blueprint, which takes a broader look at security incidents.
3.2.1 Define scenarios for a range of incidents
3.2.2 Run a tabletop planning exercise
As a group, collaborate to define scenarios that enable you to develop incident response details for a wide range of potential incidents. Below are example scenarios:
Note: The above is too much to execute in one 30-minute session, so plan a series of exercises as outlined on the next slide.
Schedule these sessions well in advance to ensure appropriate resources are available. Document this in an annual test plan summary that outlines the scope, participants, and dates and times for the planned sessions.
Remember that the goal is a deeper dive into how you would respond to an attack so you can clarify steps and gaps. This is not meant to just be a read-through of your plan. Follow the guidelines below:
Refer to the Ransomware Tabletop Planning Results – Example as a guide for what to capture. Aim for more detail than found in your Ransomware Response Workflow (but not runbook-level detail).
Download the Ransomware Tabletop Planning Results – Example
3.3.1 Update your ransomware response workflow
3.3.2 Update your ransomware response runbook
Use the results from your tabletop planning exercises (Activity 3.2.2) to update and clarify your ransomware response workflow. For example:
Use the results from your tabletop planning exercises (Activity 3.2.2) to update your ransomware response runbook. For example:
In addition to applying your existing security practices to your backup solution (e.g. anti-malware, restricted access), consider:
This example strategy combines multiple restore points, offsite backup, different storage media, and immutable backups.
Zero trust is a strategy that reduces reliance on perimeter security and moves controls to where your user accesses resources. It often consolidates security solutions, reduces operating costs, and enables business mobility.
IT security needs to determine how zero trust initiatives will affect core business processes. It's not a one-size-fits-all approach to IT security. Zero trust is the goal – but some organizations can only get so close to that ideal.
For more information, see Build a Zero-Trust Roadmap.
A successful zero-trust strategy should evolve. Use an iterative and repeatable process to assess available zero-trust technologies and principles and secure the most relevant protect surfaces. Collaborate with stakeholders to develop a roadmap with targeted solutions and enforceable policies.
Prioritize initiatives in the Ransomware Resilience Assessment.
Review and update the roadmap dashboard in your Ransomware Resilience Assessment.
4.3.1 Summarize status and next steps in an executive presentation
Gain stakeholder buy-in by communicating the risk of the status quo and recommendations to reduce that risk. Specifically, capture and present the following from this blueprint:
Overall key findings and next steps.
Download the Ransomware Readiness Summary Presentation Template
Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.
Revisit metrics as the project nears completion and compare them against your baseline to measure progress.
Attack workflow | Process | Metric | Target trend | Current | Goal |
---|---|---|---|---|---|
GET IN | Vulnerability Management | % Critical patches applied | Higher is better | | |
GET IN | Vulnerability Management | # of external exposures | Fewer is better | | |
GET IN | Security Awareness Training | % of users tested for phishing | Higher is better | | |
SPREAD | Identity and Access Management | Adm accounts / 1000 users | Lower is better | | |
SPREAD | Identity and Access Management | % of users enrolled for MFA | Higher is better | | |
SPREAD | Security Incident Management | Avg time to detect | Lower is better | | |
PROFIT | Security Incident Management | Avg time to resolve | Lower is better | | |
PROFIT | Backup and Disaster Recovery | % critical assets with recovery test | Higher is better | | |
PROFIT | Backup and Disaster Recovery | % backup to immutable storage | Higher is better | | |
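The baseline-versus-current comparison described above can be scripted so that each metric is judged against its own target trend and rolled up by attack stage. The following is an added example, not part of Info-Tech's tooling: the metric names and trends come from the table, while the sample readings, the time unit (hours), and the status labels are constructed assumptions.

```python
from collections import defaultdict

HIGHER, LOWER = "higher", "lower"

# (attack workflow stage, process, metric, target trend), as listed in the table
METRICS = [
    ("GET IN", "Vulnerability Management", "% Critical patches applied", HIGHER),
    ("GET IN", "Vulnerability Management", "# of external exposures", LOWER),
    ("GET IN", "Security Awareness Training", "% of users tested for phishing", HIGHER),
    ("SPREAD", "Identity and Access Management", "Adm accounts / 1000 users", LOWER),
    ("SPREAD", "Identity and Access Management", "% of users enrolled for MFA", HIGHER),
    ("SPREAD", "Security Incident Management", "Avg time to detect", LOWER),
    ("PROFIT", "Security Incident Management", "Avg time to resolve", LOWER),
    ("PROFIT", "Backup and Disaster Recovery", "% critical assets with recovery test", HIGHER),
    ("PROFIT", "Backup and Disaster Recovery", "% backup to immutable storage", HIGHER),
]

# Constructed sample readings: metric -> (baseline, current, goal).
# Times are assumed to be in hours; none of these values come from the page.
SAMPLE = {
    "% Critical patches applied": (62, 91, 95),
    "# of external exposures": (14, 3, 2),
    "% of users tested for phishing": (40, 100, 100),
    "Adm accounts / 1000 users": (18, 21, 8),
    "% of users enrolled for MFA": (55, 55, 100),
    "Avg time to detect": (72, 20, 24),
    "Avg time to resolve": (240, 120, 48),
    "% critical assets with recovery test": (10, 60, 100),
    "% backup to immutable storage": (0, 75, 100),
}


def assess(trend, baseline, current, goal):
    """Return (status, fraction of the baseline-to-goal gap closed) for one metric."""
    sign = 1 if trend == HIGHER else -1      # normalise so that larger is always better
    if sign * (current - goal) >= 0:
        return "goal met", 1.0
    progress = sign * (current - baseline)   # > 0 means movement in the target direction
    gap = sign * (goal - baseline)           # distance the project set out to cover
    if progress > 0:
        status = "improving"
    elif progress == 0:
        status = "flat"
    else:
        status = "regressing"
    # A goal that is no better than the baseline leaves no gap to close.
    closed = progress / gap if gap > 0 else 0.0
    return status, closed


def stage_report(readings):
    """Group results by attack stage and list the metrics that need attention."""
    report = defaultdict(lambda: {"results": {}, "attention": []})
    for stage, _process, metric, trend in METRICS:
        if metric in readings:
            status, closed = assess(trend, *readings[metric])
        else:
            status, closed = "not measured", None   # a missing baseline is itself a gap
        report[stage]["results"][metric] = (status, closed)
        if status in ("flat", "regressing", "not measured"):
            report[stage]["attention"].append(metric)
    return dict(report)


if __name__ == "__main__":
    for stage, data in stage_report(SAMPLE).items():
        print(stage)
        for metric, (status, closed) in data["results"].items():
            pct = "n/a" if closed is None else f"{closed:.0%}"
            print(f"  {metric:40s} {status:12s} gap closed: {pct}")
        if data["attention"]:
            print("  needs attention:", ", ".join(data["attention"]))
```

With the constructed readings, only the SPREAD stage is flagged: admin account density moved away from its goal and MFA enrollment did not move at all.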
Project overview | Project deliverables |
---|---|
This blueprint helped you create a ransomware incident response plan for your organization, as well as identify ransomware prevention strategies and ransomware prevention best practices. | |
Project phases: Phase 1: Assess ransomware resilience; Phase 2: Protect and detect; Phase 3: Respond and recover; Phase 4: Improve ransomware resilience | |
Tab 3. Initiative List in the Ransomware Resilience Assessment identifies relevant Info-Tech Research to support common ransomware resilience initiatives.
Jimmy Tom, AVP of Information Technology and Infrastructure, Financial Horizons
Dan Reisig, Vice President of Technology, UV&S
Samuel Sutton, Computer Scientist (Retired), FBI
Ali Dehghantanha, Canada Research Chair in Cybersecurity and Threat Intelligence, University of Guelph
Gary Rietz, CIO, Blommer Chocolate Company
Mark Roman, CIO, Simon Fraser University
Derrick Whalen, Director, IT Services, Halifax Port Authority
Stuart Gaslonde, Director of IT & Digital Services, Falmouth-Exeter Plus
Deborah Curtis, CISO, Placer County
Deuce Sapp, VP of IT, ISCO Industries
Trevor Ward, Information Security Assurance Manager, Falmouth-Exeter Plus
Brian Murphy, IT Manager, Placer County
Arturo Montalvo, CISO, Texas General Land Office and Veterans Land Board
Mduduzi Dlamini, IT Systems Manager, Eswatini Railway
Mike Hare, System Administrator, 18th Circuit Florida Courts
Linda Barratt, Director of Enterprise architecture, IT Security, and Data Analytics, Toronto Community Housing Corporation
Josh Lazar, CIO, 18th Circuit Florida Courts
Douglas Williamson, Director of IT, Jamaica Civil Aviation Authority
Ira Goldstein, Chief Operating Officer, Herjavec Group
Celine Gravelines, Senior Cybersecurity Analyst, Encryptics
Dan Mathieson, Mayor, City of Stratford
Jacopo Fumagalli, CISO, Omya
Matthew Parker, Program Manager, Utah Transit Authority
Two Additional Anonymous Contributors
2019 Data Breach Investigations Report. Verizon, May 2019.
2019 Midyear Security Roundup: Evasive Threats, Persistent Effects. Trend Micro, 2019.
Abrams, Lawrence. "Ryuk Ransomware Uses Wake-on-Lan to Encrypt Offline Devices." Bleeping Computer, 14 Jan. 2020.
Abrams, Lawrence. "Sodinokibi Ransomware Publishes Stolen Data for the First Time." Bleeping Computer, 11 Jan. 2020.
Canadian Center for Cyber Security, "Ransomware Playbook," 30 November 2021. Accessed 21 May 2022.
Carnegie Endowment for International Peace. "Ransomware: Prevention and Protection." Accessed May 2022.
Cawthra, Jennifer, Michael Ekstrom, Lauren Lusty, Julian Sexton, John Sweetnam. Special Publication 1800-26 Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events. NIST, Jan. 2020.
Cawthra, Jennifer, Michael Ekstrom, Lauren Lusty, Julian Sexton, John Sweetnam. Special Publication 1800-25 Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events. NIST, Jan. 2020.
Cichonski, P., T. Millar, T. Grance, and K. Scarfone. "Computer Security Incident Handling Guide." SP 800-61 Rev. 2. NIST, Aug. 2012.
Cimpanu, Catalin. "Company shuts down because of ransomware, leaves 300 without jobs just before holidays." ZDNet, 3 Jan. 2020.
Cimpanu, Catalin. "Ransomware attack hits major US data center provider." ZDNet, 5 Dec. 2019.
CISA, "Stop Ransomware," Accessed 12 May 2022.
"CMMI Levels of Capability and Performance." CMMI Institute. Accessed May 2022.
Connolly, Lena Yuryna, "An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability." Journal of Cybersecurity, 2020, 1-18.
"Definitions: Backup vs. Disaster Recovery vs. High Availability." CVM IT & Cloud Services, 12 Jan. 2017.
"Don't Become a Ransomware Target – Secure Your RDP Access Responsibly." Coveware, 2019.
Elementus, "Rise of the Ransomware Cartels" (2022). YouTube. Accessed May 2022.
Global Security Attitude Survey. CrowdStrike, 2019.
Graham, Andrew. "September Cyberattack cost Woodstock nearly $670,00: report." Global News, 10 Dec. 2019.
Harris, K. "California 2016 Data Breach Report." California Department of Justice, Feb. 2016.
Hiscox Cyber Readiness Report 2019. Hiscox UK, 2019.
Cost of A Data Breach (2022). IBM. Accessed June 2022.
Ikeda, Scott. "LifeLabs Data Breach, the Largest Ever in Canada, May Cost the Company Over $1 Billion in Class Action Lawsuit." CPO Magazine, 2020.
Kessem, Limor and Mitch Mayne. "Definitive Guide to Ransomware." IBM, May 2022.
Krebs, Brian. "Ransomware Gangs Now Outing Victim Businesses That Don't Pay Up." Krebs on Security, 16 Dec. 2019.
Jaquith, Andrew and Barnaby Clarke, "Security metrics to help protect against ransomware." Panaseer, July 29, 2021, Accessed 3 June 2022.
"LifeLabs pays ransom after cyberattack exposes information of 15 million customers in B.C. and Ontario." CBC News, 17 Dec. 2019.
Matthews, Lee. "Louisiana Suffers Another Major Ransomware Attack." Forbes, 20 Nov. 2019.
NISTIR 8374, "Ransomware Risk Management: A Cybersecurity Framework Profile." NIST Computer Security Resource Center. February 2022. Accessed May 2022.
"Ransomware attack hits school district twice in 4 months." Associated Press, 10 Sept. 2019.
"Ransomware Costs Double in Q4 as Ryuk, Sodinokibi Proliferate." Coveware, 2019.
"Ransomware Payments Rise as Public Sector is Targeted, New Variants Enter the Market." Coveware, 2019.
Rector, Kevin. "Baltimore to purchase $20M in cyber insurance as it pays off contractors who helped city recover from ransomware." The Baltimore Sun, 16 Oct. 2019.
"Report: Average time to detect and contain a breach is 287 days." VentureBeat, May 25, 2022. Accessed June 2022.
"Five Lessons Learned from over 600 Ransomware Attacks." Riskrecon. Mar 2022. Accessed May 2022.
Rosenberg, Matthew, Nicole Perlroth, and David E. Sanger. "'Chaos is the Point': Russian Hackers and Trolls Grow Stealthier in 2020." The New York Times, 10 Jan. 2020.
Rouse, Margaret. "Data Archiving." TechTarget, 2018.
Siegel, Rachel. "Florida city will pay hackers $600,000 to get its computer systems back." The Washington Post, 20 June 2019.
Sheridan, Kelly. "Global Dwell Time Drops as Ransomware Attacks Accelerate." DarkReading, 13 April 2021. Accessed May 2022.
Smith, Elliot. "British Banks hit by hacking of foreign exchange firm Travelex." CNBC, 9 Jan. 2020.
"The State of Ransomware 2022." Sophos. Feb 2022. Accessed May 2022.
"The State of Ransomware in the U.S.: 2019 Report for Q1 to Q3." Emsisoft Malware Lab, 1 Oct. 2019.
"The State of Ransomware in the U.S.: Report and Statistics 2019." Emsisoft Lab, 12 Dec. 2019.
"The State of Ransomware in 2020." Black Fog, Dec. 2020.
Toulas, Bill. "Ten notorious ransomware strains put to the encryption speed test." Bleeping Computer, 23 Mar 2022. Accessed May 2022.
Tung, Liam. "This is how long hackers will hide in your network before deploying ransomware or being spotted." ZDNet. May 19, 2021. Accessed June 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Outline your plan, form your team, and plan marketing tech stack support.
Set lead flow thresholds, define your ideal customer profile and lead generation engine components, and weight, score, test, and refine them.
Apply your lead scoring model to your lead management app, test it, validate the results with sellers, apply advanced methods, and refine.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Drive an aligned vision for lead scoring.
Attain an aligned vision for lead scoring.
Identify the steering committee and project team and clarify their roles and responsibilities.
Provide your team with an understanding of how leads score through the marketing funnel.
1.1 Outline a vision for lead scoring.
1.2 Identify steering committee and project team members.
1.3 Assess your tech stack for lead scoring and seek advice from Info-Tech analysts to modernize where needed.
1.4 Align on marketing pipeline terminology.
Steering committee and project team make-up
Direction on tech stack to support lead generation
Marketing pipeline definitions alignment
Define the buyer journey and map the lead generation engine.
Align the vision for your target buyer and their buying journey.
Identify the assets and activities that need to compose your lead generation engine.
2.1 Establish a buyer persona.
2.2 Map your buyer journey.
2.3 Document the activities and assets of your lead generation engine.
Buyer persona
Buyer journey map
Lead gen engine assets and activities documented
Build and test your lead scoring model.
Gain team alignment on how leads score and, most importantly, what constitutes a sales-accepted lead.
Develop a scoring model from which future iterations can be tested.
3.1 Understand the Lead Scoring Grid and set your thresholds.
3.2 Identify your ideal customer profile, attributes, and subattribute weightings – run tests.
Lead scoring thresholds
Ideal customer profile, weightings, and tested scores
Test profile scoring
Align on engagement attributes.
Develop a scoring model from which future iterations can be tested.
4.1 Weight the attributes of your lead generation engagement model and run tests.
4.2 Apply weightings to activities and assets.
4.3 Test engagement and profile scenarios together and make any adjustments to weightings or thresholds.
Engagement attributes and weightings tested and complete
Final lead scoring model
Apply the model to your tech platform.
Deliver better qualified leads to Sales.
5.1 Apply model to your marketing management/campaign management software and test the quality of sales-accepted leads in the hands of sellers.
5.2 Measure overall lead flow and conversion rates through your marketing pipeline.
5.3 Apply lead nurturing and other advanced methods.
Model applied to software
Better qualified leads in the hands of sellers
EXECUTIVE BRIEF
As B2B organizations emerge from the lowered demands brought on by COVID-19, they are eager to convert marketing contacts to sales-qualified leads with even the slightest signal of intent, but many sales cycles are wasted when sellers receive unqualified leads. Delivering highly qualified leads to sellers is still more art than science, and it is especially challenging without a way to score a contact profile and engagement. While most marketers capture some profile data from contacts, many will pass a contact over to Sales without any engagement data or schedule a demo with a contact without any qualifying profile data. Passing unqualified leads to Sales suboptimizes Sales’ resources, raises the costs per lead, and often results in lost opportunities. Marketers need to develop a lead scoring methodology that delivers better qualified leads to Field Sales scored against both the ideal customer profile (ICP) and engagement that signals lower-funnel buyer interest. To be successful in building a compelling lead scoring solution, marketers must work closely with key stakeholders to align the ICP asset/activity with the buyer journey. Additionally, working early in the design process with IT/Marketing Operations to implement lead management and analytical tools in support will drive results to maximize lead conversion rates and sales wins.
Jeff Golterman
Managing Director
SoftwareReviews Advisory
The affordability and ease of implementation of digital marketing tools have driven global adoption to record levels. While many marketers are fine-tuning the lead generation engine components of email, social media, and web-based advertising to increase lead volumes, just 32% of companies pass well-qualified leads over to outbound marketers or sales development reps (SDRs). At best, lead gen costs stay high, and marketing-influenced win rates remain suboptimized. At worst, marketing reputation suffers when poorly qualified leads are passed along to sellers.
Most marketers lack a methodology for lead scoring, and some lack alignment among Marketing, Product, and Sales on what defines a qualified lead. In their rush to drive lead generation, marketers often fail to “define and align” on the ICP with stakeholders, creating confusion and wasted time and resources. In the rush to adopt B2B marketing and sales automation tools, many marketers have also skipped the important steps to 1) define the buyer journey and map content types to support, and 2) invest in a consistent content creation and sourcing strategy. The wrong content can leave prospects unmotivated to engage further and cause them to seek alternatives.
To employ lead scoring effectively, marketers need to align Sales, Marketing, and Product teams on the definition of the ICP and what constitutes a Sales-accepted lead. The buyer journey needs to be mapped in order to identify the engagement that will move a lead through the marketing lead generation engine. Then the project team can score prospect engagement and the prospect profile attributes against the ICP to arrive at a lead score. The marketing tech stack needs to be validated to support lead scoring, and finally Sales needs to sign off on results.
Lead scoring is a must-have capability for high-tech marketers. Without lead scoring, marketers will see increased costs of lead gen, decreased SQL to opportunity conversion rates, decreased sales productivity, and longer sales cycles.
Leading marketers who successfully implement a lead scoring methodology develop it collaboratively with stakeholders across Marketing, Sales, and Product Management. Leaders will engage Marketing Operations, Sales Operations, and IT early to gain support for the evaluation and implementation of a supporting campaign management application and for analytics to track lead progress throughout the Marketing and Sales funnels. Leverage the Marketing Lead Scoring Toolkit to build out your version of the model and to test various scenarios. Use the slides contained within this storyboard and the accompanying toolkit as a means to align key stakeholders on the ICP and to weight assets and activities across your marketing lead generation engine.
Lead scoring weighs the value of a prospect’s profile against the ICP and renders a profile score. The process then weighs the value of the prospect’s activities against the ideal call to action (CTA) and renders an activity score. Combining the profile and activity scores delivers an overall score for the value of the lead to drive the next step along the overall buyer journey.
EXAMPLE: SALES MANAGEMENT SOFTWARE
SoftwareReviews Advisory Insight:
A significant obstacle to quality lead production is disagreement on or lack of a documented definition of the ideal customer profile. Marketers successful in lead scoring will align key stakeholders on a documented definition of the ICP as a first step in improving lead scoring.
Up to 66% of businesses don’t practice any type of lead scoring.
“With lead scoring, you don’t waste loads of time on unworthy prospects, and you don’t ignore people on the edge of buying.”
“The benefits of lead scoring number in the dozens. Having a deeper understanding of which leads meet the qualifications of your highest converters and then systematically communicating with them accordingly increases both ongoing engagement and saves your internal team time chasing down inopportune leads.”
Optimizing Sales Resources Using Lead Scoring
“On average, organizations that currently use lead scoring experience a 77% lift in lead generation ROI, over organizations that do not currently use lead scoring.”
Average Lead Generation ROI by Use of Lead Scoring
| 1. Drive Aligned Vision for Lead Scoring | 2. Build and Test Your Lead Scoring Model | 3. Apply to Your Tech Platform and Validate, Nurture, and Grow |
---|---|---|---|
Phase | | | |
Phase Outcomes | | | |
The workbook walks you through a step-by-step process to:
Consider core functions and form a cross-functional lead scoring team. Document the team’s details here.
Set your initial threshold weightings for profile and engagement scores.
Establish Your Ideal Customer Profile
Identify major attributes and attribute values and the weightings of both. You’ll eventually score your leads against this ICP.
Record and Weight Lead Gen Engine Activities
Identify the major activities that compose prospect engagement with your lead gen engine. Weight them together as a team.
Test Lead Profile Scenarios
Test actual lead profiles to see how they score against where you believe they should score. Adjust threshold settings in Tab 2.
Test Activity Engagement Scores
Test scenarios of how contacts navigate your lead gen engine. See how they score against where you believe they should score. Adjust thresholds on Tab 2 as needed.
Review Combined Profile and Activity Score
Review the combined scores to see where on your lead scoring matrix the lead falls. Make any final adjustments to thresholds accordingly.
DIY Toolkit | Guided Implementation | Workshop | Consulting |
---|---|---|---|
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
Call #1: Collaborate on vision for lead scoring and the overall project. Call #2: Identify the steering committee and the rest of the team. Call #3: Discuss app/tech stack support for lead scoring. Understand key marketing pipeline terminology and the buyer journey. Call #4: Discuss your ICP, apply weightings, and run test scenarios. | Call #5: Discuss and record lead generation engine components. Call #6: Understand the Lead Scoring Grid and set thresholds for your model. Call #7: Identify your ICP, apply weightings to attributes, and run tests. | Call #8: Weight the attributes of engagement activities and run tests. Review the application of the scoring model on lead management software. Call #9: Test quality of sales-accepted leads in the hands of sellers. Measure lead flow and conversion rates through your marketing pipeline. Call #10: Review progress and discuss nurturing and other advanced topics. |
A Guided Implementation (GI) is a series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization. For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst. Your engagement managers will work with you to schedule analyst calls.
| Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
---|---|---|---|---|---|
| Drive Aligned Vision for Lead Scoring | Buyer Journey and Lead Gen Engine Mapping | Build and Test Your Lead Scoring Model | Align on Engagement Attributes | Apply to Your Tech Platform |
Activities | 1.1 Outline a vision for lead scoring. 1.2 Identify steering committee and project team members. 1.3 Assess your tech stack for lead scoring and seek advice from Info-Tech analysts to modernize where needed. 1.4 Align on marketing pipeline terminology. | 2.1 Establish a buyer persona (if not done already). 2.2 Map your buyer journey. 2.3 Document the activities and assets of your lead gen engine. | 3.1 Understand Lead Scoring Grid and set your thresholds. 3.2 Identify ICP attribute and sub-attribute weightings. Run tests. | 4.1 Weight the attributes of your lead gen engagement model and run tests. 4.2 Apply weightings to activities and assets. 4.3 Test engagement and profile scenarios together and adjust weightings and thresholds as needed. | 5.1 Apply model to your campaign management software and test quality of sales-accepted leads in the hands of sellers. 5.2 Measure overall lead flow and conversion rates through your marketing pipeline. 5.3 Apply lead nurturing and other advanced methods. |
Deliverables | | | | | |
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
1.1 Establish a cross-functional vision for lead scoring 1.2 Assess your tech stack for lead scoring (optional) 1.3 Catalog your buyer journey and lead gen engine assets | 2.1 Start building your lead scoring model 2.2 Identify and verify your ICP and weightings 2.3 Establish key lead generation activities and assets | 3.1 Apply model to your marketing management software 3.2 Test the quality of sales-accepted leads 3.3 Apply advanced methods |
This phase will walk you through the following activities:
This phase involves the following stakeholders:
Activities
1.1.1 Identify stakeholders critical to success
1.1.2 Outline the vision for lead scoring
1.1.3 Select your lead scoring team
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
1 hour
B2B marketers that lack agreement among Marketing, Sales, Inside Sales, and lead management supporting staff of what constitutes a qualified lead will squander precious time and resources throughout the customer acquisition process.
1 hour
While SMBs can implement some form of lead scoring when volume is very low and leads can be scored by hand, lead scoring and effective lead management cannot be performed without investment in digital platforms and lead management software and integration with customer relationship management (CRM) applications in the hands of inside and field sales staff. Marketers should plan and budget for the right combination of applications and tools to be in place for proper lead management.
Title | Key Stakeholders Within a Lead Generation/Scoring Initiative |
---|---|
Lead Scoring Sponsor | |
Lead Scoring Initiative Manager | |
Business Leads | |
Digital, Marketing/Sales Ops/IT Team | |
Steering Committee | |
Marketers managing the lead scoring initiative must include Product Marketing, Sales, Inside Sales, and Product Management. And given that world-class B2B lead generation engines cannot run without technology enablement, Marketing Operations/IT – those that are charged with enabling marketing and sales – must also be part of the decision making and implementation process of lead scoring and lead generation.
30 minutes
Download the Lead Scoring Workbook
Consider the core team functions when composing the lead scoring team. Form a cross-functional team (i.e. across IT, Marketing, Sales, Service, Operations) to create a well-aligned lead management/scoring strategy. Don’t let your core team become too large when trying to include all relevant stakeholders. Carefully limit the size of the team to enable effective decision making while still including functional business units.
Required Skills/Knowledge | Suggested Team Members |
---|---|
Business | |
IT | |
Other | |
Our model assumes you have:
1.2.1 A marketing application/campaign management application in place that accommodates lead scoring.
1.2.2 Lead management software integrated with the sales automation/CRM tool in the hands of Field Sales.
1.2.3 Reporting/analytics that spans the entire lead generation pipeline/funnel.
Refer to the following three slides if you need guidance in these areas.
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
SoftwareReviews Advisory Insight:
Marketers that collaborate closely with Marketing Ops/IT early in the process of lead scoring design will be best able to assess whether current marketing applications and tools can support a full lead scoring capability.
A thorough evaluation takes months – start early
Access the Info-Tech blueprint Select and Implement a CRM Platform, along with analyst inquiry support during the requirements definition, vendor evaluation, and vendor selection phases. Use the SoftwareReviews CRM Data Quadrant during vendor evaluation and selection.
A thorough evaluation takes weeks – start early
Activities
1.3.1 Review marketing pipeline terminology
1.3.2 Describe your buyer journey
1.3.3 Describe your awareness and lead generation engine
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
30 minutes
Stage | Characteristics | Actions |
---|---|---|
Contact | | Nurture SDR Qualify Send to Sales Close |
MQL | | |
SQL | | |
Oppt’y | | |
Win | | |
SoftwareReviews Advisory Insight:
Score leads in a way that makes it crystal clear whether they should be ignored, further nurtured, further qualified, or go right into a sellers’ hands as a super hot lead.
2 hours
On the following slide:
SoftwareReviews Advisory Insight:
Establishing a buyer journey is one of the most valuable tools that, typically, Product Marketing produces. Its use helps campaigners, product managers, and Inside and Field Sales. Leading marketers keep journeys updated based on live deals and characteristics of wins.
[Persona name] ([levels it includes from arrows above]) Buyer’s Journey for [solution type] Vendor Selection
* For guidance on best practices in engaging industry analysts, contact your engagement manager to schedule an inquiry with our expert in this area. During that inquiry, we will share best practices and recommended analyst engagement models.
2 hours
On the following slide:
SoftwareReviews Advisory Insight:
Marketing’s primary mission is to deliver marketing-influenced wins (MIWs) to the company. Building a compelling awareness and lead gen engine must be done with that goal in mind. Leaders are ruthless in testing – copy, email subjects, website navigation, etc. – to fine-tune the engine and staying highly collaborative with sellers to ensure high value lead delivery.
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
1.1 Establish a cross-functional vision for lead scoring 1.2 Assess your tech stack for lead scoring (optional) 1.3 Catalog your buyer journey and lead gen engine assets | 2.1 Start building your lead scoring model 2.2 Identify and verify your ICP and weightings 2.3 Establish key lead generation activities and assets | 3.1 Apply model to your marketing management software 3.2 Test the quality of sales-accepted leads 3.3 Apply advanced methods |
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
2.1.1 Understand the Lead Scoring Grid
2.1.2 Identify thresholds
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
30 minutes
30 minutes
We have set up a model Lead Scoring Grid – see Lead Scoring Workbook, tab 2, “Identify Thresholds.”
Set your thresholds within the Lead Scoring Workbook:
SoftwareReviews Advisory Insight:
Clarify that all-important threshold for when a lead passes to your expensive and time-starved outbound sellers.
Activities
2.2.1 Identify your ideal customer profile
2.2.2 Run tests to validate profile weightings
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
2 hours
SoftwareReviews Advisory Insight:
Marketers who align with colleagues in areas such as Product Marketing, Sales, Inside Sales, Sales Training/Enablement, and Product Managers and document the ICP give their organizations a greater probability of lead generation success.
SoftwareReviews Advisory Insight:
Keep your model simple in the interest of fast implementation and to drive early learnings. The goal is not to be perfect but to start iterating toward success. You will update your scoring model even after going into production.
2 hours
Activities
2.3.1 Establish activities, attribute values, and weights
2.3.2 Run tests to evaluate activity ratings
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
2 hours
SoftwareReviews Advisory Insight:
Use data from actual closed deals and the underlying activities to build your model – nothing like using facts to inform your key decisions. Use common sense and keep things simple. Then update further when data from new wins appears.
2 hours
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
1.1 Establish a cross-functional vision for lead scoring 1.2 Assess your tech stack for lead scoring (optional) 1.3 Catalog your buyer journey and lead gen engine assets | 2.1 Start building your lead scoring model 2.2 Identify and verify your ICP and weightings 2.3 Establish key lead generation activities and assets | 3.1 Apply model to your marketing management software 3.2 Test the quality of sales-accepted leads 3.3 Apply advanced methods |
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
3.1.1 Apply final model to your lead management software
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
3 hours
Activities
3.2.1 Achieve sales lead acceptance
3.2.2 Measure and optimize
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
1 hour
Stage | Characteristics | Actions |
---|---|---|
Contact | | Nurture SDR Qualify Send to Sales Close |
MQL | | |
SQL | | |
Oppt’y | | |
Win | | |
SoftwareReviews Advisory Insight:
Marketers that collaborate with Sales – and in this case, a group of sellers as a sales advisory team – well in advance of sales acceptance to design lead scoring will save time during this stage, build trust with sellers, and make faster decisions related to lead management/scoring.
Ongoing
Analytics will also drive additional key insights across your lead gen engine:
Activities
3.3.1 Employ lead nurturing strategies
3.3.2 Adjust your model over time to accommodate more advanced methods
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
SoftwareReviews Advisory Insight:
Nurturing success combines the art of crafting engaging copy/experiences and the science of knowing just where a prospect is within your lead gen engine. Great B2B marketers demonstrate the discipline of knowing when to drive engagement and/or additional profile attribute capture using intent while not losing the prospect to over-profiling.
Ongoing
SoftwareReviews Advisory Insight:
When nurturing, choose or design content according to the “intent” it satisfies. For example, a head-to-head comparison with a key competitor signals the “Selection” phase of the buyer journey. Content that helps determine what app type to buy signals “Solution.” A company video or a webinar replay may mean your buyer is “educating themselves.”
Ongoing
Advanced Methods
ABM | Account-Based Marketing |
---|---|
B2B | Business to Business |
CMO | Chief Marketing Officer |
CRM | Customer Relationship Management |
ICP | Ideal Customer Profile |
MIW | Marketing-Influenced Win |
MQL | Marketing-Qualified Lead |
SDR | Sales Development Representative |
SQL | Sales-Qualified Lead |
Arora, Rajat. “Mining the Real Gems from you Data – Lead Scoring and Engagement Scoring.” LeadSquared, 27 Sept. 2014. Web.
Doyle, Jen. “2012 B2B Marketing Benchmark Report: Research and insights on attracting and converting the modern B2B buyer.” MarketingSherpa, 2012. Web.
Doyle, Jen, and Sergio Balegno. “2011 MarketingSherpa B2B Marketing Benchmark Survey: Research and Insights on Elevating Marketing Effectiveness from Lead Generation to Sales Conversion.” MarketingSherpa, 2011.
Kirkpatrick, David. “Lead Scoring: CMOs realize a 138% lead gen ROI … and so can you.” marketingsherpa blog, 26 Jan 2012. Web.
Moser, Jeremy. “Lead Scoring Is Important for Your Business: Here’s How to Create Scoring Model and Hand-Off Strategy.” BigCommerce, 25 Feb. 2019. Web.
Strawn, Joey. “Why Lead Scoring Is Important for B2Bs (and How You Can Implement It for Your Company.” IndustrialMarketer.com, 17 Aug. 2016. Web.
As the sophistication of malicious attacks increases, it has become more difficult to ensure applications such as email software are properly protected and secured. The increase in usage and traffic of email exacerbates the security risks to the organization.
Email has changed. Your email security needs to evolve as well to ensure you are protecting your organization’s communication.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This research provides guidelines to assist organizations in identifying controls to secure their emails along with recommendations on the most common and effective controls to secure and protect corporate emails.
This checklist of common email security categories and their associated controls helps ensure organizations are following best practices.
As organizations increasingly rely on email communication for day-to-day business operations, threat actors are exploiting the increased traction to develop and implement more sophisticated email-based attacks. Furthermore, the lack of investment in measures, tools, and technologies for an organization’s email security exacerbates the vulnerabilities at hand.
Effective use of security procedures and techniques can mitigate and minimize email-based threats and has been shown to reduce the ability of these attacks to infiltrate the email inbox. These guidelines and best practices will help your organization conduct due diligence to protect the contents of the email, its transit, and its arrival to the authorized recipient.
Ahmad Jowhar
Research Specialist, Security & Privacy
Info-Tech Research Group
Your Challenge | Common Obstacles | Info-Tech’s Approach |
Info-Tech Insight
Email has changed. Your email security must evolve to ensure the safety of your organization’s communication.
75% of organizations have experienced an increase in email-based threats.
97% of security breaches are due to phishing attacks.
82% of companies reported a higher volume of email in 2022.
Source: Mimecast, 2023.
Enhance your security posture by modernizing your email security: Email has changed. Your email security must evolve to ensure the safety of your organization’s communication.
Deploy an added layer of defense by preventing the contents of your email from being intercepted. Encrypting your email communication will provide an additional layer of protection which only allows authorized users to read the email.
Leverage triple-threat authentication controls to strengthen your email security. Leveraging SPF, DKIM, and DMARC enables you to have the proper authentication controls in place, ensuring that only legitimate users are part of the email communication.
Protect the contents of your email through data classification and data loss prevention. Having tools and technologies in place to ensure that data is classified and backed up will enable better storage, analysis, and processing of the email.
Implement email policies for holistic email security protection. Policies ensure acceptable standards are in place to protect the organization’s assets, including the creation, attachment, sending, and receiving of emails.
User awareness and training: Training employees on protecting their corporate emails adds an extra layer of defense by ensuring end users are aware of various email-based threats and can confidently safeguard their organizations from attacks.
Along with the increased use of emails, organizations are seeing an increase in the number of attacks originating from emails. This has resulted in 74% of organizations seeing an increase in email-based threats.
Source: Mimecast, 2023.
Info-Tech Insight
Encrypting your email communication will provide an additional layer of protection which only allows authorized users to read the email.
Although these authentication controls are available for organizations to leverage, the adoption rate remains low. 73% of survey respondents indicated they didn’t deploy email authentication controls within their organization.
Source: Mimecast, 2023.
SPF | DKIM | DMARC |
---|---|---|
Creating an SPF record identifies which IP addresses are allowed to send emails from your domain. Steps to implement SPF include the following: | Implementing DKIM helps prevent attackers from sending emails that pretend to come from your domain. Steps to implement DKIM include the following: | Setting up DMARC ensures emails are validated and defines actions to take if an email fails authentication. These include: |
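The following is an added example, not part of the Info-Tech material: a small auditor that checks published SPF and DMARC TXT record strings for common weak settings (DKIM is not covered). The sample records, function names and finding labels are constructed for illustration, and no DNS lookup is performed.

```python
import re

# Terms that cause DNS lookups during SPF evaluation; RFC 7208 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MODIFIER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=(.*)$")


def parse_spf(txt):
    """Return (mechanisms, modifiers) for an SPF TXT string.

    mechanisms is a list of (qualifier, name, argument); qualifier defaults to '+'.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        mod = MODIFIER_RE.match(term)
        if mod:  # e.g. redirect=_spf.example.net
            modifiers[mod.group(1).lower()] = mod.group(2)
            continue
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        mech = re.match(r"([A-Za-z0-9]+)(.*)", body)
        if not mech:
            raise ValueError("malformed SPF term: " + term)
        mechanisms.append((qualifier, mech.group(1).lower(), mech.group(2).lstrip(":")))
    return mechanisms, modifiers


def audit_spf(txt):
    """Return a list of finding labels (hypothetical names) for one SPF record."""
    mechanisms, modifiers = parse_spf(txt)
    findings = []
    lookups = sum(1 for _, name, _ in mechanisms if name in LOOKUP_TERMS)
    lookups += 1 if "redirect" in modifiers else 0
    if lookups > 10:
        findings.append("too-many-dns-lookups")  # evaluation ends in permerror
    if any(name == "ptr" for _, name, _ in mechanisms):
        findings.append("ptr-mechanism")  # discouraged by RFC 7208
    all_qualifiers = [q for q, name, _ in mechanisms if name == "all"]
    if not all_qualifiers:
        if "redirect" not in modifiers:
            findings.append("no-all-mechanism")  # unmatched senders get 'neutral'
    elif all_qualifiers[0] == "+":
        findings.append("all-passes-any-sender")
    elif all_qualifiers[0] == "?":
        findings.append("all-is-neutral")
    return findings


def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC TXT string; 'v=DMARC1' must come first."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit_dmarc(txt):
    """Return a list of finding labels (hypothetical names) for one DMARC record."""
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing-or-invalid-policy")
    elif policy == "none":
        findings.append("policy-monitor-only")  # failures are reported, not acted on
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        findings.append("subdomain-policy-none")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("policy-not-applied-to-all-mail")
    if "rua" not in tags:
        findings.append("no-aggregate-reporting")
    return findings


# Constructed sample records (documentation domains and address ranges).
SPF_WEAK = "v=spf1 include:_spf.mail.example ptr +all"
SPF_STRICT = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example mx -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
DMARC_STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, record, audit in [
        ("SPF weak", SPF_WEAK, audit_spf),
        ("SPF strict", SPF_STRICT, audit_spf),
        ("DMARC weak", DMARC_WEAK, audit_dmarc),
        ("DMARC strict", DMARC_STRICT, audit_dmarc),
    ]:
        print(label, "->", audit(record) or "no findings")
```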
For more information:
Discover and Classify Your Data
Leverage this Info-Tech blueprint for guidelines on implementing a data classification program for your organization.
Info-Tech Insight
Having tools and technologies in place to ensure that data is classified and backed up will enable better storage, analysis, and processing of the email.
48% of employees have accidentally attached the wrong file to an email.
39% of respondents have accidentally sent emails that contained security information such as passwords and passcodes.
Source: Tessian, 2021.
Develop a Security Awareness and Training Program That Empowers End Users
Leverage this Info-Tech blueprint for assistance on creating various user training materials and empower your employees to become a main line of defense for your organization.
64% of organizations conduct formal training sessions (in-person or computer-based).
74% of organizations only focus on providing phishing-based training.
Source: Proofpoint, 2021.
Phishing
Email sent by threat actors designed to manipulate end users into providing sensitive information by posing as a trustworthy source
Business Email Compromise
Attackers trick a user into sending money or providing confidential information
Spam
Users receive unsolicited email, usually in bulk, some of which contains malware
Spear Phishing
A type of phishing attack where the email is sent to specific and targeted emails within the organization
Whaling
A type of phishing attack similar to spear phishing, but targeting senior executives within the organization
Password/Email Exposure
Employees use organizational email accounts and passwords to sign up for social media, leaving them susceptible to email and/or password exposure in a social media breach
Developing security policies that are reasonable, auditable, enforceable, and measurable ensures proper procedures are followed and necessary measures are implemented to protect the organization. Policies relating to email security can be categorized into two groups:
Develop and Deploy Security Policies
Leverage this Info-Tech blueprint for assistance on developing and deploying actionable policies and creating an overall policy management lifecycle to keep your policies current, effective, and compliant.
Info-Tech Insight
Policies ensure acceptable standards are in place to protect the organization’s assets, including the creation, attachment, sending, and receiving of emails.
SoftwareReviews, a division of Info-Tech Research Group, provides enterprise software reviews to help organizations make more efficient decisions during the software selection process. Reviews are provided by authenticated IT professionals who have leveraged the software and provide unbiased insights on different vendors and their products.
Learn from the collective knowledge of real IT professionals.
Evaluate market leaders through vendor rankings and awards.
Cut through misleading marketing material.
“10 Best Practices for Email Security in 2022.” TitanFile, 22 Sept. 2022. Web.
“2021 State of the Phish.” Proofpoint, 2021. Web.
Ahmad, Summra. “11 Email Security Best Practices You Shouldn't Miss (2023).” Mailmunch, 9 Mar. 2023. Web.
“Blumira's State of Detection and Response.” Blumira, 18 Jan. 2023. Web.
Clay, Jon. “Email Security Best Practices for Phishing Prevention.” Trend Micro, 17 Nov. 2022. Web.
Crane, Casey. “6 Email Security Best Practices to Keep Your Business Safe in 2019.” Hashed Out by The SSL Store™, 7 Aug. 2019. Web.
Hateb, Seif. “Basic Email Security Guide.” Twilio Blog, Twilio, 5 Dec. 2022. Web.
“How DMARC Advances Email Security.” CIS, 9 July 2021. Web.
Pal, Suryanarayan. “10 Email Security Best Practices You Should Know in 2023.” Mailmodo, 9 Feb. 2023. Web.
Pitchkites, Max. “Email Security: A Guide to Keeping Your Inbox Safe in 2023.” Cloudwards, 9 Dec. 2022. Web.
Rudra, Ahona. “Corporate Email Security Checklist.” PowerDMARC, 4 July 2022. Web.
“Sender Policy Framework.” Mimecast, n.d. Web.
Shea, Sharon, and Peter Loshin. “Top 15 Email Security Best Practices for 2023: TechTarget.” TechTarget, 14 Dec. 2022. Web.
“The Email Security Checklist: Upguard.” UpGuard, 16 Feb. 2022. Web.
“The State of Email Security 2023.” Mimecast, 2023. Web.
Wetherald, Harry. “New Product - Stop Employees Emailing the Wrong Attachments.” Tessian, 16 Sept. 2021. Web.
“What Is DMARC? - Record, Verification & More: Proofpoint Us.” Proofpoint, 9 Mar. 2023. Web.
“What Is Email Security? - Defining Security of Email: Proofpoint Us.” Proofpoint, 3 Mar. 2023. Web.
Wilton, Laird. “How to Secure Email in Your Business with an Email Security Policy.” Carbide, 31 Jan. 2022. Web.
The post-pandemic pace of change continues to accelerate as the economy rapidly becomes more digital. To keep pace with shifting consumer expectations, CIOs must help the CEO compete in the digital economy by focusing on five key capabilities: innovation, human resources management, data architecture, security strategy, and business process controls and internal audit. Raising maturity in these capabilities will help CIOs deliver on opportunities to streamline back-office processes and develop new lines of revenue.
As part of its research process for the 2022 Tech Trends Report, Info-Tech Research Group conducted an open online survey among its membership and wider community of professionals. The survey was fielded from August 2021 through to September 2021, collecting 475 responses. We asked some of the same questions as last year’s survey so we can compare results as well as new questions to explore new trends.
This year, about half of IT professionals expect a lot of change to the way we work and 13% expect a transformative change with a fundamental shift in their business. Last year, the same percentage expected a lot of change and only 10% expected transformative change.
30% more professionals expect transformative permanent change compared to one year ago.
47% of professionals expect a lot of permanent change; this remains the same as last year. (Info-Tech Tech Trends 2022 Survey)
With the massive disruption preventing people from gathering, businesses shifted to digital interactions with customers.
Companies also accelerated the pace of creating digital or digitally enhanced products and services.
“The Digital Economy incorporates all economic activity reliant on or significantly enhanced by the use of digital inputs, including digital technologies, digital infrastructure, digital services and data.” (OECD Definition)
Consumers have cut back spending on sectors where purchases are mostly made offline. That spending has shifted to digital services and online purchases. New habits formed during the pandemic are likely to stick for many consumers, with a continued shift to online consumption for many sectors.
Purchases on online platforms are projected to rise from 10% today to 33% by 2030.
Recreation & culture | 30% |
Restaurants & hotels | 50% |
Transport | 10% |
Communications | 90% |
Education | 50% |
Health | 20% |
Housing & utilities | 50% |
IT practitioners agree that customer expectations are changing. They expect this to be more likely to disrupt their business in the next 12 months than new competition, cybersecurity incidents, or government-enacted policy changes.
Government-enacted policy changes | 22% |
Cybersecurity incidents | 56% |
Regulatory changes | 45% |
Established competitor wins | 26% |
New player enters the market | 23% |
Changing customer expectations | 68% |
Most IT departments rated their maturity in the “optimize” or “support” level on Info-Tech’s maturity ladder.
CIOs at the “optimize” level can play a role in digital transformation by improving back-office processes but should aim for a higher mandate.
CIOs achieving at the “expand” level can help directly improve revenues by improving customer-facing products and services, and those at the “transform” level can help fundamentally change the business to create revenue in new ways. CIOs can climb the maturity ladder by enabling new digital capabilities.
Compared to last year’s survey, only half as many IT practitioners described their department’s maturity as “transform,” and more than twice as many rated themselves as “struggle.”
48% rate their IT departments as low maturity.
Innovation: Identify innovation opportunities and plan how to use technology innovation to create a competitive advantage or achieve improved operational effectiveness and efficiency.
Human Resources Management: Provide a structured approach to ensure optimal planning, evaluation, and development of human resources.
Data Architecture: Manage the business’ data stores, including technology, governance, and people that manage them. Establish guidelines for the effective use of data.
Security Strategy: Define, operate, and monitor a system for information security management. Keep the impact and occurrence of information security incidents within risk appetite levels.
Business Process Controls and Internal Audit: Manage business process controls such as self-assessments and independent assurance reviews to ensure information related to and used by business processes meets security and integrity requirements. (ISACA, 2020)
In this report, we explore five use cases for emerging technology that can improve on capabilities needed to compete in the digital economy. Use cases combine emerging technologies with new processes and strategic planning.
HYBRID COLLABORATION
Provide a digital employee experience that is flexible, contextual, and free from the friction of hybrid operating models.
BATTLE AGAINST RANSOMWARE
Prevent ransomware infections and create a response plan for a worst-case scenario. Collaborate with relevant external partners to access resources and mitigate risks.
CARBON METRICS IN ENERGY 4.0
Use internet of things (IoT) and auditable tracking to provide insight into business process implications for greenhouse gas emissions.
INTANGIBLE VALUE CREATION
Provide governance around digital marketplace and manage implications of digital currency. Use blockchain technology to turn unique intellectual property into saleable digital products.
AUTOMATION AS A SERVICE
Automate business processes and access new sophisticated technology services through platform integration.
Hybrid work models have become the default post-pandemic work approach as most knowledge workers prefer the flexibility to choose whether to work remotely or come into the office. CIOs have an opportunity to lead hybrid work by facilitating collaboration among employees, some meeting at the office and others joining virtually.
IT departments rose to the challenge to quickly facilitate an all-remote work scenario for their organizations at the outset of the pandemic. Now they must adapt again to facilitate the hybrid work model, which brings new friction to collaboration but also new opportunities to hire a talented, engaged, and diverse workforce.
79% of organizations will have a mix of workers in the office and at home. (Info-Tech Tech Trends 2022 Survey)
35% view role type as a determining factor in the feasibility of the hybrid work model.
Only 18% of employees want to return to the office full-time.
But 70% of employers want people back in the office. (CNBC, April 2021)
IT has an opportunity to lead by defining the hybrid operating model through technology that enables collaboration. To foster collaboration, companies plan to invest in the same sort of tools that helped them cope during the pandemic.
As 79% of organizations envision a hybrid model going forward, investments into hybrid work tech stacks – including web conferencing tools, document collaboration tools, and team workspaces – are expected to continue into 2022.
Web Conferencing | 41% |
Document Collaboration and Co-Authoring | 39% |
Team Workspaces | 38% |
Instant Messaging | 37% |
Project and Task Management Tools | 36% |
Office Meeting Room Solutions | 35% |
Virtual Whiteboarding | 30% |
Intranet Sites | 21% |
Enterprise Social Networking | 19% |
Vaccination rates around the world are rising and allowing more offices to welcome back workers because the risk of COVID-19 transmission is reduced and jurisdictions are lifting restrictions limiting gatherings.
Most workers don't want to go to the office full-time. In a Bloomberg poll (2021), almost half of millennial and Gen Z workers say they would quit their job if not given an option to work remotely.
Companies are investing more into IT budgets to find ways to support a mix of remote work and in-office resources to cope with work disruption. This extra spending is offset in some cases by companies saving money from having employees work from home some portion of the time. (CIO Dive, 2021)
Flexibility | Employees able to choose between working from home and working in the office have more control over their work/life balance. |
Intelligence | Platforms that track contextual work relationships can accelerate workflows through smart recommendations that connect people at the right time, in the right place. |
Talent | Flexible work arrangements provide businesses with access to the best talent available around the world and employees with more career options as they work from a home office (The Official Microsoft Blog, 2021). |
Uncertainty | The pandemic lacks a clear finish line and local health regulations can still waver between strict control of movement and open movement. There are no clear assurances of what to expect for how we'll work in the near future. |
FOMO | With some employees going back to the office while others remain at home, employee bases could be fractured along the lines of those seeing each other in person every day and those still connecting by videoconference. |
Complexity | Workers may not know in advance whether they're meeting certain people in person or online, or a mix of the two. They'll have to use technology on the fly to try and collaborate across a mixed group of people in the office and people working remotely (McKinsey Quarterly, 2021). |
Listen to the Tech Insights podcast: Unique approach to hybrid collaboration
Zoho Corp. is a cloud software firm based in Chennai, India. It develops a wide range of cloud software, including enterprise collaboration software and productivity tools. Over the past decade, Zoho has used flexible work models to grant remote work options to some employees.
When the coronavirus pandemic hit, not only did the office have to shut down but also many employees had to relocate back with families in rural areas. The human costs of the pandemic experienced by staff required Zoho to respond by offering counseling services and material support to employees.
Zoho prides itself on being an employee-centric company and views its culture as a community whose purpose goes beyond work. That sense of community was lost because of the disruption caused by the pandemic. Employees lost their social context and their work role models. Zoho had to find a way to recreate that without the central hub of the office or find a way to work with the limitations of it not being possible.
To support employees in rural settings, Zoho sent out phones to provide redundant bandwidth. As lockdowns in India end, Zoho is taking a flexible approach and giving employees the option to come to the office. It's seeing more people come back each week, drawn by the strong community.
Zoho supports the hybrid mix of workers by balancing synchronous and asynchronous collaboration. It holds meetings when absolutely necessary through tools like Zoho Meet but tries to keep more work context to asynchronous collaboration that allows people to complete tasks quickly and move on. Its applications are connected to a common platform that is designed to facilitate workflows between employees with context and intelligence. (Interview with Vijay Sundaram, Chief Strategy Officer, Zoho)
Listen to the Tech Insights podcast: Microsoft on the ‘paradox of hybrid work’
Before the pandemic, only 18% of Microsoft employees were working remotely. As of April 1, 2020, they were joined by the other 82% of non-essential workers at the company in working remotely.
As with its own customers, Microsoft used its own software to enable this new work experience, including Microsoft Teams for web conferencing and instant messaging and Office 365 for document collaboration. Employees proved just as productive getting their work done from home as they were working in the office.
At Microsoft, the effects of firm-wide remote work changed the collaboration patterns of the company. Even though a portion of the company was working remotely before the pandemic, the effects of everyone working remotely were different. Employees collaborated in a more static and siloed way, focusing on scheduled meetings with existing relationships. Fewer connections were made with more disparate parts of the organization. There was also a decrease in synchronous communication and an increase in asynchronous communication.
Microsoft is creating new tools to break down the silos in organizations that are grappling with hybrid work challenges. For example, Viva Insights is designed to inform workers about their collaboration habits with analytics. Microsoft wants to provide workers with insights on their collaborative networks and whether they are creating new connections or deepening existing connections. (Interview with Jason Brommet, Head of Modern Work and Security Business Group, Microsoft; Nature Human Behaviour, 2021)
International Workplace Group says that more companies are taking advantage of its full network deals on coworking spaces. Companies such as Standard Chartered are looking to provide their workers with a happy compromise between working from home and making the commute all the way to the central office. The hub-and-spoke model gives employees the opportunity to work near home and looks to be part of the hybrid operating model mix for many companies. (Interview with Wayne Berger, CEO of IWG Canada & Latin America)
Facilitating hybrid meetings between employees grouped in the office and remote workers will be a major pain point. New hybrid meeting solutions will provide cameras embedded with intelligence to put boardroom participants into independent video streams. They will also focus on making connecting to the same meeting from various locations as convenient as possible and capture clear and crisp audio from each speaker.
It's clear we're not going to work the way we used to previously with central work hubs, but full-on remote work isn't the right path forward either. A new hybrid work model is emerging, and organizations are experimenting to find the right approach.
Between April and September 2021, 15 million US workers quit their jobs, setting a record pace. Employees seek a renewed sense of purpose in their work, and many won’t accept mandates to go back to the office. (McKinsey, 2021)
What are the new best practices for conducting an effective meeting between employees in the office and those who are remote? Some companies ask each employee to connect via a laptop. Others are using conference rooms with tech to group in-office workers together and connect them with remote workers.
Organizations can plan their response to the hybrid work context by plotting their circumstances across two continuums: synchronous to asynchronous collaboration approach and remote work to central hub work model.
Rethink technology solutions. Don't expect your pre-pandemic videoconference rooms to suffice. And consider how to optimize your facilities and infrastructure for hot-desking scenarios.
Optimize remote work. Shift from the collaboration approach you put together just to get by to the program you'll use to maximize flexibility.
Enable effective collaboration. Enable knowledge sharing no matter where and when your employees work and choose the best collaboration software solutions for your scenario.
Run better meetings. Successful hybrid workplace plans must include planning around hybrid meetings. Seamless hybrid meetings are the result of thoughtful planning and documented best practices.
89% of organizations invested in web conferencing technology to facilitate better collaboration, but only 43% invested in office meeting room solutions. (Info-Tech Tech Trends 2022 Survey)
Listen to the Tech Insights podcast: Ransomware crisis and AI in military
Security strategies are crucial for companies to control access to their digital assets and confidential data, providing it only to the right people at the right time. Now security strategies must adapt to a new caliber of threat in ransomware to avoid operational disruption and reputational damage.
In 2021, ransomware attacks exploiting flaws in widely used software from vendors Kaseya, SolarWinds, and Microsoft affected many companies and saw record-breaking ransomware payments made to state-sponsored cybercriminal groups.
After a ransomware attack caused Colonial Pipeline to shut down its pipeline operations across the US, the ransomware issue became a topic of federal attention with executives brought before Senate committees. A presidential task force to combat ransomware was formed.
62% of IT professionals say they are more concerned about being a victim of ransomware than they were one year ago. (Info-Tech Tech Trends 2022 Survey)
$70 million demanded by REvil gang in ransom to unlock firms affected by the Kaseya breach. (TechRadar, 2021)
The most popular methods to prepare for ransomware are to buy an insurance policy or create offline backups and redundant systems. Few are making an effort to be aware of free decryption tools, and only 2% admit to budgeting to pay ransoms.
44% of IT professionals say they spent time and money specifically to prevent ransomware over the past year. (Info-Tech Tech Trends 2022 Survey)
Kept aware of free decryption tools available | 9% |
Set aside budget to pay ransoms | 2% |
Designed network to contain ransomware | 24% |
Implemented technology to eradicate ransomware | 36% |
Created a specific incident response plan for ransomware | 26% |
Created offline backups and redundant systems | 41% |
Purchased insurance covering cyberattacks | 47% |
(Info-Tech Tech Trends 2022 Survey)
Attacks on US infrastructure and government agencies have prompted the White House to treat ransomware as a matter of national security. The government stance is that Russia supports the attacks. The US is establishing new mechanisms to address the threat. Plans include new funding to support ransomware response, a mandate for organizations to report incidents, and requirements for organizations to consider the alternatives before paying a ransom. (Institute for Security and Technology, 2021)
Increases in ransom payouts have caused cybersecurity insurance providers to raise premiums and put in place more security requirements for policyholders to try and prevent ransomware infection. However, when clients are hit with ransomware, insurance providers advise paying the ransom as it's usually the cheapest option. (ProPublica, 2019)
Ransomware attacks also often include a data breach event with hackers exfiltrating the data before encrypting it. Admitting a breach to customers can seriously damage an organization's reputation as trustworthy. Organizations may also be obligated to pay for credit protection of their customers. (Interview with Frank Trovato, Research Director – Infrastructure, Info-Tech Research Group)
Privacy | Protecting personal data from theft improves people’s confidence that their privacy is being respected and they are not at risk of identity theft. |
Productivity | Ransomware can lock out employees from critical work systems and stop them from being able to complete their tasks. |
Access | Ransomware has prevented public access to transportation, healthcare, and any number of consumer services for days at a time. Ransomware prevention ensures public service continuity. |
Expenses | Investing in cybersecurity measures to protect against attacks is becoming more expensive, and recently cybersecurity insurance premiums have gone up in response to expensive ransoms. |
Friction | More security requirements could create friction between IT priorities and business priorities in trying to get work done. |
Stability | If ransomware attacks become worse or cybercriminals retaliate for not receiving payments, people could find their interactions with government services and commercial services are disrupted. |
In February 2020, a large organization found a ransomware note on an admin’s workstation. The admin had downloaded a local copy of the organization’s identity management database for testing and left a port open on the workstation. Hackers exfiltrated the database and encrypted the data on the workstation. They demanded a ransom payment to decrypt the data.
Because private information of employees and customers was breached, the organization decided to voluntarily inform the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.
The organization decided not to pay the ransom because it didn’t need the data back, since it had a copy on an unaffected server.
After a one-day news cycle for the breach, the story about the ransom was over. The organization also received praise for handling the situation well and quickly informing stakeholders.
The breach motivated the organization to put more protections in place. It implemented a deny-by-default network and turned off remote desktop protocol and secure shell. It mandated multi-factor authentication and put in a new endpoint-detection and response system. (Interview with CIO of large enterprise)
New endpoint protections using AI are being deployed to help defend against ransomware and other cybersecurity intrusions. The solutions focus on the prevention and detection of ransomware by learning about the expected behavior of an environment and then detecting anomalies that could be attack attempts. This type of approach can be applied to everything from reading the contents of an email to helping employees detect phishing attempts to lightweight endpoint protection deployed to an Internet of Things device to detect an unusual connection attempt.
Unfortunately, AI is a tool available to both the cybersecurity industry and hackers. Examples of hackers tampering with cybersecurity AI to bypass it have already surfaced. (Forbes, 23 Sept. 2021)
In the US, the Ransomware Task Force has made recommendations to the government but it's not clear whether all of them will be followed. Other countries such as Russia are reported to be at least tolerating ransomware operations if not supporting them directly with resources.
Sophisticated attacks using zero-day exploits in widely used software show that organizations simply can't account for every potential vulnerability.
The ransomware-as-a-service industry is doing good business and finding new ways to evade detection by cybersecurity vendors. New detection techniques involving AI are being introduced by vendors, but will it just be another step in the back-and-forth game of one-upmanship? (Interview with Frank Trovato)
Determine your organization’s threat profile for ransomware by plotting two variables: the investment made in cybersecurity and the sophistication level of attacks that you should be prepared to guard against.
Create a ransomware incident response plan. Assess your current security practices and identify gaps. Quantify your ransomware risk to prioritize investments and run tabletop planning exercises for ransomware attacks.
Reduce your exposure to ransomware. Focus on securing the frontlines by improving phishing awareness among staff and deploying AI tools to help flag attacks. Use multi-factor authentication. Take a zero-trust approach and review your use of RDP, SSH, and VPN.
Require security in contracts. Security must be built into vendor contracts. Government contracts are now doing this, elevating security to the same level as functionality and support features. This puts money incentives behind improving security. (Interview with Intel Federal CTO Steve Orrin)
42% of IT practitioners feel employees must do much more to help defend against ransomware. (Info-Tech Tech Trends 2022 Survey)
A landmark report published in 2021 by the United Nations Intergovernmental Panel on Climate Change underlines that human actions can still determine the future course of climate change. The report calls on governments, individuals, and organizations to stop putting new greenhouse gas emissions into the atmosphere no later than 2050, and to be at the halfway point to achieving that by 2030.
With calls to action becoming more urgent, organizations are making plans to reduce the use of fossil fuels, move to renewable energy sources, and reduce consumption that causes more emissions downstream. As both voluntary and mandatory regulatory requirements task organizations with reducing emissions, they will first be challenged to accurately measure the size of their footprint.
CIOs in organizations are well positioned to make conscious decisions to both influence how technology choices impact carbon emissions and implement effective tracking of emissions across the entire enterprise.
Canada’s CIO strategy council is calling on organizations to sign a “sustainable IT pledge” to cut emissions from IT operations and supply chain and to measure and disclose emissions annually. (CIO Strategy Council, Sustainable IT Pledge)
About two-thirds of organizations have a commitment to reduce greenhouse gas emissions. When asked about what tactics they use to reduce emissions, the most popular options affect either scope 1 emissions (retiring older IT equipment) or scope 2 emissions (using renewable energy sources). Fewer are using tactics that would measure scope 3 emissions such as using IoT to track or using software or AI.
68% of organizations say they have a commitment to reduce greenhouse gas emissions. (Info-Tech Tech Trends 2022 Survey)
Using "smart technologies" or IoT to help cut emissions | 12% |
Creating incentive programs for staff to reduce emissions | 10% |
Using software or AI to manage energy use | 8% |
Using external DC or cloud on renewable energy | 16% |
Committing to external emissions standards | 15% |
Retiring/updating older IT equipment | 33% |
Using renewable energy sources | 41% |
(Info-Tech Tech Trends 2022 Survey)
The world’s largest asset manager, at $7 trillion in investments, says it will move away from investing in firms that are not aligned to the Paris Agreement. (The New York Times, 2020)
International charity CDP has been collecting environmental disclosure from organizations since 2002. In 2020, more than 9,600 of the world’s largest companies – representing over 50% of global market value – took part. (CDP, 2021)
In 2021, six countries have net-zero emissions policies in law, six have proposed legislations, and 20 have policy documents. (Energy & Climate Intelligence Unit, 2021)
In 2019, thousands of workers walked out of offices of Amazon, Google, Twitter, and Microsoft to demand their employers do more to reduce carbon emissions. (NBC News, 2021)
(Info-Tech Tech Trends 2022 Survey)
Trust | Tracking carbon emissions creates transparency into an organization’s operations and demonstrates accountability to its carbon emissions reduction goals. |
Innovation | As organizations become more proficient with carbon measurement and modeling, insights can be leveraged as a decision-making tool. |
Resilience | Reducing energy usage shrinks your carbon footprint, increases operational efficiency, and decreases energy costs. |
Regulatory Divergence | Standardization of compliance enforcement around carbon emissions is a work in progress. Several different voluntary frameworks exist, and different governments are taking different approaches including taxation and cap-and-trade markets. |
Perceptions | Company communications that speak to emissions reduction targets without providing proof can be accused of “greenwashing” or falsely trying to improve public perception. |
Financial Pain | Institutional investments are requiring clear commitments and plans to reduce greenhouse gases. Some jurisdictions are now taxing carbon emissions. |
Listen to the Tech Insights podcast: The future of farming is digital
The Alberta Technology Innovation and Emissions Reduction Regulation is Alberta’s approach to reduce emissions from large industrial emitters. It prices GHG and provides a trading system.
No-till farming and nitrogen management techniques sequester up to 0.3 metric tons of GHG per year.
Farmers Edge offers farmers a digital platform that includes IoT and a unified data warehouse. It can turn farm records into digital environmental assets, which are aggregated and sold to emitters.
Real-time data from connected vehicles, connected sensors, and other various inputs can be verified by third-party auditors.
Farmers Edge sold aggregated carbon offsets to Alberta power producer Capital Power to help it meet regulatory compliance.
Farmers Edge is expanding its platform to include farmers in other provinces and in the US, providing them opportunity to earn revenue via its Smart Carbon program.
The firm is working to meet standards outlined by the U.S. Department of Agriculture’s Natural Resources Conservation Service. (Interview with Wade Barnes, CEO, Farmers Edge)
The International Sustainability Standards Board (ISSB) has been formed by the International Financial Reporting Standards Foundation and will have its headquarters location announced in November at a United Nations conference. The body is already governing a set of global standards that have a roadmap for development through 2023 through open consultation. The standards are expected to bring together the multiple frameworks for sustainability standards and offer one global set of standards. (Business Council of Canada, 2021)
The CIO is well positioned to take the lead role on corporate sustainability initiatives, including measuring and reducing an organization’s carbon footprint (or perhaps even monetizing carbon credits for an organization that is a negative emitter). CIOs can use their position as facilities managers and cross-functional process owners, along with their mandate to reduce waste and inefficiency, to take accountability for this important role. CIOs will expand their roles to deliver transparent and auditable reporting on environmental, social, and governance (ESG) goals for the enterprise.
Fighting the climate crisis will require governments and private sector collaboration from around the world to commit to creating new economic structures to discourage greenhouse gas emissions and incentivize long-term sustainable thinking. If some countries or private sector forces continue to prioritize short-term gains over sustainability, the U.N.’s goals won’t be achieved and the human costs as a result of climate change will become more profound.
Markets where carbon credits are sold to emitters are organized by various jurisdictions around the world and have different incentive structures. Some are created by governments and others are voluntary markets created by industry. This type of organization for these markets limits their size and makes it hard to scale the impact. Organizations looking to sell carbon credits at volume face the friction of having to navigate different compliance rules for each market they want to participate in.
Determine your organization’s approach to measuring carbon dioxide and other greenhouse gas emissions by considering whether your organization is likely to be a high emitter or a carbon sink. Also consider your capability to measure and report on your carbon footprint.
Measure the whole footprint. Devise a plan to measure scope 1, 2, and 3 greenhouse gas emissions at a level that is auditable by a third party.
Gauge the impact of Industry 4.0. New technologies in Industry 4.0 include IoT, additive manufacturing, and advanced analytics. Make sustainability a core part of your focus as you plan out how these technologies will integrate with your business.
Commit to net zero. Make a clear commitment to achieve net-zero emissions by a specific date as part of your organization’s core strategy. Take a continuous improvement approach to make progress towards the goal with measurable results.
New laws from governments will have the highest degree of influence on an organization’s decision to reduce emissions. (Info-Tech Tech Trends 2022 Survey)
As the COVID-19 pandemic has accelerated our shift into virtual social and economic systems, blockchain technology poses a new technological frontier – further disrupting digital interactions and value creation by allowing data to be modified without relying on third parties. New blockchain software developments are being used to redefine how central banks distribute currency and to track provenance for scarce digital assets.
Non-fungible tokens (NFTs) are distinct cryptographic tokens created from blockchain technology. The rarity systems in NFTs are redefining digital ownership and being used to drive creator-centric communities.
Central Bank Digital Currencies (CBDC) combine the same architecture of cryptocurrencies built on blockchain with the financial authority of a central bank. These currencies are not decentralized because they are controlled by a central authority; rather, they are distributed systems. (Decrypt, 2021)
80% of banks are working on a digital currency. (Atlantic Council, 2021)
NBA, NFL, Formula 1, Nike, Stella Artois, Coca-Cola, Mattel, Dolce & Gabbana, Ubisoft, Charmin
The Bahamas, Saint Kitts and Nevis, Antigua and Barbuda, Saint Lucia, Grenada
Blockchains can contain smart contracts that automatically execute given specific conditions, protecting stakeholders involved in a transaction. These have been used by central banks to automate when and how currency can be spent and by NFT platforms to attribute a unique identity to a digital asset. Automation and identity verification are the most highly valued digital capabilities of IT practitioners.
$69.3 million – The world’s most expensive NFT artwork sale, for Beeple’s “Everydays: The First 5,000 Days” (The New York Times, Mar. 2021)
E-commerce | 50% |
Automation | 79% |
Smart contracts | 42% |
Community building and engagement | 55% |
Real-time payments | 46% |
Tracking provenance | 33% |
Identity verification | 74% |
(Info-Tech Tech Trends 2022 Survey)
Central banks view cryptocurrencies as "working against the public good" and want to maintain control over their financial system to maintain the integrity of payments and provide financial crime oversight and protections against money laundering. (Board of Governors of the Federal Reserve System, 2021)
Annual energy consumption of the Bitcoin blockchain in China is estimated to peak in 2024 at 297 TWh and generate 130.5 million metric tons of carbon emissions. That would exceed the annual GHG of the Czech Republic and Qatar and rank in the top 10 among 182 cities and 42 industrial sectors in China. This is motivating cryptocurrency developers and central banks to move away from the energy-intensive "Proof of Work" mining approach and towards the "Proof of Stake" approach. (Nature Communications, 2021)
During the pandemic, people spent more time exploring digital spaces and interacting in digital communities. Asset ownership within those communities is a way for individuals to show their own personal investment in the community and achieve a status that often comes with additional privileges. The digital assets can also be viewed as an investment vehicle or to gain access to exclusive experiences.
Listen to the Tech Insights podcast: Raine Maida's startup is an NFT app for music
Artists can create works and distribute them to a wide audience more easily than ever with the internet. Publishing a drawing or a song to a website allows it to be infinitely copied. Creators can use social media accounts and digital advertisements to build up a fan base for their work and monetize it through sales or premium-access subscriber schemes.
The internet's capacity for frictionless distribution is a boon and a burden for artists at the same time. Protecting copyright in a digital environment is difficult because there is no way to track a song or a picture back to its creator. This devalues the work because it can be freely exchanged by users.
S!NG allows creators to mint their works with a digital token that stamps its origin to the file and tracks provenance as it is reused and adapted into other works. It uses the ERC 721 standard on the Ethereum blockchain to create its NFT tokens. They are portable files that the user can create for free on the S!NG platform and are interoperable with other digital token platforms. This enables a collaboration utility by reducing friction in using other people's works while giving proper attribution. Musicians can create mix tracks using the samples of others’ work easily and benefit from a smart-contract-based revenue structure that returns money to creators when sales are made. (Interview with Geoff Osler and Raine Maida, S!NG Executives)
Autonomy | Digital money and assets could proliferate the desire for autonomy as users have greater control over their assets (by cutting out the middlemen, democratizing access to investments, and re-claiming ownership over intangible data). |
Community | Digital worlds and assets offer integrated and interoperable experiences influenced by user communities. |
Equity | Digital assets allow different shareholder equity models as they grant accessible and affordable access to ownership. |
Volatility | Digital assets are prone to volatile price fluctuations. A primary reason is their perceived value relative to fiat currency and the uncertainty around their future value. |
Security | While one of the main features of blockchain-based digital assets is security, digital assets are vulnerable to breaches during the process of storing and trading assets. |
Access | Access to digital marketplaces requires a steep learning curve and a base level of technical knowledge. |
Digital tokens are finding new utility in virtual environments known as the Metaverse. Decentraland is an example of a virtual reality environment that can be accessed via a web browser. Based on the Ethereum blockchain, it's seen sales of virtual land plots for hundreds of thousands of dollars. Sotheby's is one buyer, building a digital replica of its New Bond Street gallery in London, complete with commissionaire Hans Lomuldur in avatar form to greet visitors. The gallery will showcase and sell Sotheby's digital artworks. (Artnet News, 2021)
El Salvador became the first country in the world to make Bitcoin legal tender in September 2021. The government intended for this to help citizens avoid remittance fees when receiving money sent from abroad and to provide a way for citizens without bank accounts to receive payments. Digital wallet Chivo launched with technical glitches and in October a loophole that allowed “price scalping” had to be removed to stop speculators from using the app to trade for profit. El Salvador’s experiment will influence whether other countries consider using Bitcoin as legal tender. (New Scientist, 2021)
William Shatner complained that Twitter account @tokenizedtweets had taken his content without permission and minted tokens for sale. In doing so, he pointed out there’s no guarantee a minted digital asset is linked to the creator of the attached intellectual property.
Will blockchain-based markets be controlled by a single platform operator or become truly open? For example, Dapper Labs centralizes the minting of NFTs on its Flow blockchain and controls sales through its markets. OpenSea allows NFTs minted elsewhere to be brought to the platform and sold.
Platforms need to improve the reliability of minting technology to create tokens in the future. Ethereum's network is facing more demand than it can keep up with and requires future upgrades to improve its efficiency. Other platforms that support minting tokens are also awaiting upgrades to be fully functional or have seen limited NFT projects launched on their platform.
Determine your organization’s strategy by considering the different scenarios based on two main factors. The design decisions are made around whether digital assets are decentralized or distributed and whether the assets facilitate transactions or collections.
Track what your country’s central bank is planning for digital currency and determine if you’ll need to prepare to support it. Be informed about payment partner support for cryptocurrency and consider any complications that may introduce.
$1 billion+ – The amount of cryptocurrency spent by consumers globally through crypto-linked Visa cards in the first half of 2021. (CNBC, July 2021)
Rapidly constructing a business model that is ready to compete in a digital economy requires continuous innovation. Application programming interfaces (APIs) can accelerate innovation by unlocking marketplaces of ready-to-use solutions to business problems and automating manual tasks to make more time for creativity. APIs facilitate a microarchitecture approach and make it possible to call upon a new capability with a few lines of code. This is not a new tool, as the first API was specified in 1951, but there were significant advances of both scale and capability in this area in 2021.
In the past 18 months, API adoption has exploded and even industries previously considered as digital laggards are now integrating them to reinvent back-office processes. Technology platforms specializing in API management are attracting record-breaking investment. And sophisticated technology services such as artificial intelligence are being delivered by APIs.
APIs can play a role in every company’s digital strategy, from transforming back-office processes to creating revenue as part of a platform.
$500,000 was invested in API companies in 2016. (Forbes, May 2021)
$2,000,000,000+ was invested in API companies in 2020. (Forbes, May 2021)
69% of IT practitioners say digital transformation has been a high priority for their organization during the pandemic. (Info-Tech Tech Trends 2022 Survey)
51% of developers used more APIs in 2020 than in 2019. (InsideHPC, 2021)
71% of developers planned to use even more APIs in 2021. (InsideHPC, 2021)
IT practitioners indicate that digital transformation was a strong focus for their organization during the pandemic and will remain so during the period afterwards, and one-third say their organizations were “extremely focused” on digital transformation.
When it came to shifting processes from being done manually to being completed digitally, more than half of IT practitioners say they shifted at least 21% of their processes during the past year. More than one in five say that at least 60% of their processes were shifted from manual to digital in the past year.
3.5 trillion calls were performed on API management platform Apigee, representing a 50% increase year over year. (SiliconANGLE, 2021)
The pandemic lockdowns pushed everyone into a remote-work scenario. With in-person interaction not an option, even more traditional businesses had to adapt to digital processes.
The success of digital services in the consumer space is causing expectations to rise in other areas, such as professional services. Consumers now want their health records to be portable and they want to pay their lawyer through e-transfer, not by writing a cheque. (Interview with Mik Lernout)
Technology laggard industries such as legal and healthcare are recognizing the pain of working with siloed systems. New standardization efforts are driving the adoption of open APIs at a rapid rate. (Interview with Jennifer Jones, Research Director – Industry, Info-Tech Research Group)
Speed | Using a microarchitecture approach with readily available services constructed in different ways provides a faster way to get from idea to minimum-viable product. |
Intelligence | Open APIs have more than ever exposed people to sophisticated AI algorithms that were in the domain of only advanced researchers just a couple years ago. Developers can integrate AI with a couple lines of code. Non-technical users can train algorithms with low-code and no-code tools (Forbes, Sept. 2021). |
Resilience | If one function of a solution doesn't work, it can be easily replaced with another one available on the market and the overall experience is maintained. |
Loss of Privacy | APIs are being targeted by hackers as a way to access personal information. Recent API-related leaks affected Experian, John Deere, Clubhouse, and Peloton (VentureBeat, 2021). |
Complexity | Using a decentralized approach to assemble applications means that there is no single party accountable for the solution. Different pieces can break, or oversights can go unnoticed. |
Copycats | Platforms that take the approach of exposing all functions via API run the risk of having their services used by a competitor to offer the same solution but with an even better user experience. |
Listen to the Tech Insights podcast: Clio drives digital transformation to redefine the legal industry
The COVID-19 pandemic required the legal industry to shift to remote work. A typically change-resistant industry was now holding court hearings over videoconference, taking online payments, and collecting e-signatures on contracts. For Clio, a software-as-a-service vendor that serves the legal industry, its client base grew and its usage increased. It previously focused on the innovators in the legal industry, but now it noticed laggards were going digital too.
Law firms have very different needs depending on their legal practice area (e.g. family law, corporate law, or personal injury) and what jurisdiction they operate in.
Clients are also demanding more from their lawyers in terms of service experience. They don't want to travel to the law office to drop off a check but expect digital interactions on par with service they receive in other areas.
Since its inception, Clio built its software product so that all of its functions could be called upon by an API as well. It describes its platform as the "operating system for the legal industry." Its API functions include capabilities like managing activities, billing, and contracts. External developers can submit applications to the Clio Marketplace to add new functionality. Its platform approach enables it to find solutions for its 150,000+ users. During the pandemic, Clio saw its customers rely on its APIs more than ever before. It expects this accelerated adoption to be the way of working in the future. (ProgrammableWeb, 2021; Interview with Mik Lernout)
Google is expanding its Apigee API management platform so enterprises will be able to connect existing data and applications and access them via APIs. It's part of Google's API-first approach to digital transformation, helping enterprises with their integration challenges. The new release includes tools and a framework that's needed to integrate services in this way and includes pre-built connectors for common business apps and services such as Salesforce, Cloud SQL, MySQL, and BigQuery. (SiliconANGLE, 2021)
APIs represent another potential vulnerability for hackers to exploit and the rise in popularity has come with more security incidents. Companies using APIs have leaked data through APIs, with one research report on the state of API security finding that 91% of organizations have suffered an API security incident. Yet more than a quarter of firms running production APIs don’t have an API security strategy. (VentureBeat, 2021)
For low IT maturity organizations moving onto platforms that introduce API capabilities, education is required about the consequences of creating more integrations. Platforms must bear some responsibility for monitoring for irregular activity. (Interview with Mik Lernout)
Determine your organization’s platform strategy from the basis of your digital maturity – from that of a laggard to a native – and whether it involves monetized APIs vs. freely available public APIs. A strategy can include both the consumption of APIs and the creation of them.
Leverage APIs to connect your systems. Create a repeatable process to improve the quality, reusability, and governance of your web APIs.
Transform your business model with digital platforms. Use the best practices of digital native enterprises and leverage your core assets to compete in a digital economy.
Deliver sophisticated new capabilities with APIs. Develop an awareness of new services made available through API integration, such as artificial intelligence, and take advantage of them.
4.5 billion words per day generated by the OpenAI natural language API GPT-3, just nine months after launch. (OpenAI, 2021)
The golden ratio has long fascinated humans for its common occurrence in nature and inspired artists who adopted its proportions as a guiding principle for their creations. A new discovery of the golden ratio in economic cycles was published in August 2021 by Bert de Groot, et al. As the boundaries of value creation blur between physical and digital and the pace of change accelerates, these digital innovations may change our lives in many ways. But they are still bound by the context of the structure of the economy. Hear more about this surprising finding from de Groot and from this report’s designer by listening to our podcast. (Technological Forecasting and Social Change, 2021)
“Everything happening will adapt itself into the next cycle, and that cycle is one phi distance away.” (Bert de Groot, professor of economics at Erasmus University Rotterdam)
Listen to the Tech Insights podcast: New discovery of the golden ratio in the economy
Vijay Sundaram
Jason Brommet
Steve Orrin
Wade Barnes
Raine Maida
Geoff Osler
Mik Lernout
Bert de Groot
“2021 Canada Dealer Financing Satisfaction Study.” J.D. Power, 13 May 2021. Accessed 27 May 2021.
Brown, Sara. “The CIO Role Is Changing. Here’s What’s on the Horizon.” MIT Sloan, 2 Aug. 2021. Accessed 16 Aug. 2021.
de Groot, E. A., et al. “Disentangling the Enigma of Multi-Structured Economic Cycles - A New Appearance of the Golden Ratio.” Technological Forecasting and Social Change, vol. 169, Aug. 2021, pp. 120793. ScienceDirect, https://doi.org/10.1016/j.techfore.2021.120793.
Hatem, Louise, Daniel Ker, and John Mitchell. “Roadmap toward a common framework for measuring the Digital Economy.” Report for the G20 Digital Economy Task Force, OECD, 2020. Accessed 19 Oct. 2021.
LaBerge, Laura, et al. “How COVID-19 has pushed companies over the technology tipping point—and transformed business forever.” McKinsey, 5 Oct. 2020. Accessed 14 June 2021.
Pomeroy, James. The booming digital economy. HSBC, Sept. 2020. Web.
Salman, Syed. “Digital Transformation Realized Through COBIT 2019.” ISACA, 13 Oct. 2020. Accessed 25 Oct. 2021.
De Smet, Aaron, et al. “Getting Real about Hybrid Work.” McKinsey Quarterly, 9 July 2021. Web.
Herskowitz, Nicole. “Brace Yourselves: Hybrid Work Is Hard. Here’s How Microsoft Teams and Office 365 Can Help.” Microsoft 365 Blog, 9 Sept. 2021. Web.
Melin, Anders, and Misyrlena Egkolfopoulou. “Employees Are Quitting Instead of Giving Up Working From Home.” Bloomberg, 1 June 2021. Web.
Spataro, Jared. “Microsoft and LinkedIn Share Latest Data and Innovation for Hybrid Work.” The Official Microsoft Blog, 9 Sept. 2021. Web.
Subin, Samantha. “The new negotiation over job benefits and perks in post-Covid hybrid work.” CNBC, 23 Apr. 2021. Web.
Torres, Roberto. “How to Sidestep Overspend as Hybrid Work Tests IT.” CIO Dive, 26 July 2021. Accessed 16 Sept. 2021.
Wong, Christine. “How the hybrid workplace will affect IT spending.” ExpertIP, 15 July 2021. Web.
Yang, Longqi, et al. “The Effects of Remote Work on Collaboration among Information Workers.” Nature Human Behaviour, Sept. 2021, pp. 1-12. Springer Nature, https://doi.org/10.1038/s41562-021-01196-4.
Berg, Leandro. “RTF Report: Combatting Ransomware.” Institute for Security and Technology (IST), 2021. Accessed 21 Sept. 2021.
Dudley, Renee. “The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks.” ProPublica, 27 Aug. 2019. Accessed 22 Sept. 2021.
Durbin, Steve. “Council Post: Artificial Intelligence: The Future Of Cybersecurity?” Forbes, 23 Sept. 2021. Accessed 21 Oct. 2021.
“FACT SHEET: Ongoing Public U.S. Efforts to Counter Ransomware.” The White House, 13 Oct. 2021. Web.
Jeffery, Lynsey, and Vignesh Ramachandran. “Why ransomware attacks are on the rise — and what can be done to stop them.” PBS NewsHour, 8 July 2021. Web.
McBride, Timothy, et al. Data Integrity: Recovering from Ransomware and Other Destructive Events. NIST Special Publication (SP) 1800-11, National Institute of Standards and Technology, 22 Sept. 2020. NIST Computer Security Resource Center (CSRC), https://doi.org/10.6028/NIST.SP.1800-11.
Mehrotra, Kartikay, and Jennifer Jacobs. “Crypto Channels Targeted in Biden’s Fight Against Ransomware.” BNN Bloomberg, 21 Sept. 2021. Web.
Sharma, Mayank. “Hackers demand $70m ransom after executing massive Solar Winds-like attack.” TechRadar, 5 July 2021. Web.
“Unhacked: 121 Tools against Ransomware on a Single Website.” Europol, 26 July 2021. Web.
“The A List 2020.” CDP, 2021. Web.
Baazil, Diederik, Hugo Miller, and Laura Hurst. “Shell loses climate case that may set precedent for big oil.” Australian Financial Review, 27 May 2021. Web.
“BlackRock’s 2020 Carbon Footprint.” BlackRock, 2020. Accessed 25 May 2021.
“CDP Media Factsheet.” CDP, n.d. Accessed 25 May 2021.
Glaser, April, and Leticia Miranda. “Amazon workers demand end to pollution hitting people of color hardest.” NBC News, 24 May 2021. Accessed 25 May 2021.
Little, Mark. “Why Canada should be the home of the new global sustainability standards board.” Business Council of Canada, 1 Oct. 2021. Accessed 22 Oct. 2021.
McIntyre, Catherine. “Canada vying for global headquarters to oversee sustainable-finance standards.” The Logic, 22 July 2021. Web.
“Net Zero Scorecard.” Energy & Climate Intelligence Unit, 2021. Accessed 25 May 2021.
Sayer, Peter. “Greenhouse gas emissions: The next big issue for CIOs.” CIO, 13 Oct. 2021. Web.
“Scope 1 and Scope 2 Inventory Guidance.” US EPA, OAR. 14 Dec. 2020. Web.
Sorkin, Andrew Ross. “BlackRock C.E.O. Larry Fink: Climate Crisis Will Reshape Finance.” The New York Times, 14 Jan. 2020. Web.
“Sustainable IT Pledge.” CIO Strategy Council, 2021. Accessed 22 Oct. 2021.
Areddy, James T. “China Creates Its Own Digital Currency, a First for Major Economy.” Wall Street Journal, 5 Apr. 2021. Web.
Boar, Codruta, et al. Impending arrival - a sequel to the survey on central bank digital currency. BIS Papers No 107, Jan. 2020. Web.
Brainard, Lael. “Speech by Governor Brainard on Private Money and Central Bank Money as Payments Go Digital: An Update on CBDCs.” Board of Governors of the Federal Reserve System, 24 May 2021. Accessed 28 May 2021.
Howcroft, Elizabeth, and Ritvik Carvalho. “How a 10-second video clip sold for $6.6 million.” Reuters, 1 Mar. 2021. Web.
“Central Bank Digital Currency Tracker.” Atlantic Council, 2021. Accessed 10 Sept. 2021.
“Expert Comment From Warwick Business School: Problems With El Salvador’s Bitcoin Experiment Are Unsurprising.” Mondo Visione, 8 Sept. 2021. Accessed 10 Sept. 2021.
Goldstein, Caroline. “In Its Ongoing Bid to Draw Crypto-Collectors, Sotheby’s Unveils a Replica of Its London H.Q. in the Blockchain World Decentraland.” Artnet News, 7 June 2021. Web.
Hamacher, Adriana. “Taco Bell to Charmin: 10 Big Brands Jumping On The NFT Bandwagon.” Decrypt, 22 Mar. 2021. Web.
Hazan, Eric, et al. “Getting tangible about intangibles: The future of growth and productivity?” McKinsey. 16 June 2021. Web.
Herrera, Pedro. “Dapp Industry Report: Q3 2021 Overview.” DappRadar, 1 Oct. 2021. Web.
Holland, Frank. “Visa Says Crypto-Linked Card Usage Tops $1 Billion in First Half of 2021.” CNBC, 7 July 2021. Web.
Jiang, Shangrong, et al. “Policy Assessments for the Carbon Emission Flows and Sustainability of Bitcoin Blockchain Operation in China.” Nature Communications, vol. 12, no. 1, Apr. 2021, p. 1938. Springer Nature, https://doi.org/10.1038/s41467-021-22256-3.
Reyburn, Scott. “JPG File Sells for $69 Million, as ‘NFT Mania’ Gathers Pace.” The New York Times, 11 Mar. 2021. Web.
Taylor, Luke. “Bitcoin: El Salvador’s Cryptocurrency Gamble Hit by Trading Loophole.” New Scientist, 25 Oct. 2021. Web.
Belsky, Scott. “The Furry Lisa, CryptoArt, & The New Economy Of Digital Creativity.” Medium, 21 Feb. 2021. Web.
Culbertson, Joy. “10 Top Law APIs.” ProgrammableWeb, 14 Feb. 2021. Web.
Caballar, Rina Diane. “Programming by Voice May Be the Next Frontier in Software Development - IEEE Spectrum.” IEEE Spectrum: Technology, Engineering, and Science News, 22 Mar 2021. Accessed 23 Mar. 2021.
Gonsalves, Chris. “The Problem with APIs.” VentureBeat, 7 May 2021. Web.
Graca, Joao. “Council Post: How APIs Are Democratizing Access To AI (And Where They Hit Their Limits).” Forbes, 24 Sept 2021. Accessed 28 Sept. 2021.
Harris, Tony. “What is the API Economy?” API Blog: Everything You Need to Know, 4 May 2021. Web.
Kitsing, Meelis. Scenarios for Digital Platform Ecosystems, 2020, pp. 453-57. ResearchGate, https://doi.org/10.1109/ICCCS49078.2020.9118571.
Pilipiszyn, Ashley. “GPT-3 Powers the Next Generation of Apps.” OpenAI, 25 Mar. 2021. Web.
Rethans, John. “So You Want to Monetize Your APIs?” APIs and Digital Transformation, 29 June 2018. Web.
Salyer, Patrick. “API Stack: The Billion Dollar Opportunities Redefining Infrastructure, Services & Platforms.” Forbes, 4 May 2021. Accessed 27 Oct. 2021.
Staff. “RapidAPI Raises $60M for Expansion of API Platform.” InsideHPC, 21 Apr. 2021. Web.
Taulli, Tom. “API Economy: Is It The Next Big Thing?” Forbes, 18 Jan. 2021. Accessed 5 May 2021.
Warren, Zach. “Clio Taking 2021 Cloud Conference Virtual, Announces New Mission Among Other News.” Legaltech News, 11 Mar. 2021. Web.
Wheatley, Mike. “Google Announces API-First Approach to Application Data Integration with Apigee.” SiliconANGLE, 28 Sept. 2021. Web.
As part of its research process for the 2022 Tech Trends Report, Info-Tech Research Group conducted an open online survey among its membership and wider community of professionals. The survey was fielded from August 2021 to September 2021, collecting 475 responses.
The underlying metrics are diverse, capturing 14 countries and regions and 16 industries.
01 United States | 45.3% | 08 India | 1.7% |
02 Canada | 19.2% | 09 Other (Asia) | 1.7% |
03 Africa | 9.3% | 10 New Zealand | 1.5% |
04 Other (Europe) | 5.3% | 11 Germany | 0.8% |
05 Australia | 4.2% | 12 Mexico | 0.4% |
06 Great Britain | 3.8% | 13 Netherlands | 0.4% |
07 Middle East | 2.9% | 14 Japan | 0.2% |
01 Government | 18.9% |
02 Media, Information, & Technology | 12.8% |
03 Professional Services | 12.8% |
04 Manufacturing | 9.9% |
05 Education | 8.8% |
06 Healthcare | 8.2% |
07 Financial Services | 7.8% |
08 Transportation & Logistics | 3.4% |
09 Utilities | 3.4% |
10 Insurance | 2.5% |
11 Retail & Wholesale | 2.5% |
12 Construction | 2.3% |
13 Natural Resources | 2.1% |
14 Real Estate & Property Management | 1.7% |
15 Arts & Leisure | 1.5% |
16 Professional Associations | 1.3% |
IT (information technology) | 88.2% |
Other (Department) | 3.79% |
Operations | 2.32% |
Research & Development | 1.89% |
Sales | 1.26% |
Administration | 1.06% |
Finance | 0.42% |
HR (Human Resources) | 0.42% |
Marketing | 0.42% |
Production | 0.21% |
Manager | 24% |
Director-level | 22% |
C-level officer | 19% |
VP-level | 9% |
Team lead / supervisor | 7% |
Owner / President / CEO | 7% |
Team member | 7% |
Consultant | 5% |
Contractor | 1% |
Respondents on average spent 35 million per year on their IT budget.
Accounting for the outlier responses, the median spend sits closer to 4.5 million per year. The highest spend on IT was within the Government, Healthcare, and Retail & Wholesale sectors.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Gain business buy-in to understanding the key IT risks that could negatively impact the organization and create an IT risk management program to properly identify, assess, respond, monitor, and report on those risks.
Leverage this Risk Management Program Manual to ensure that the decisions around how IT risks will be governed and managed can be documented in a single source accessible by those involved.
Engage these tools in your organization if you do not currently have a GRC tool to document risk events as they relate to the IT function. Consider the best risk response to high severity risk events to ensure all possible situations are considered.
Establish clear guidelines and responses to risk events that will leave your organization vulnerable to unwanted threats. Ensure risk owners have agreed to the risk responses and are willing to take accountability for that response.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
To assess current risk management maturity, develop goals, and establish IT risk governance.
Identified obstacles to effective IT risk management.
Established attainable goals to increase maturity.
Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.
1.1 Assess current program maturity
1.2 Complete RACI chart
1.3 Create the IT risk council
1.4 Identify and engage key stakeholders
1.5 Add organization-specific risk scenarios
1.6 Identify risk events
Maturity Assessment
Risk Management Program Manual
Risk Register
Identify and assess all IT risks.
Created a comprehensive list of all IT risk events.
Risk events prioritized according to risk severity – as defined by the business.
2.1 Identify risk events (continued)
2.2 Augment risk event list using COBIT 5 processes
2.3 Determine the threshold for (un)acceptable risk
2.4 Create impact and probability scales
2.5 Select a technique to measure reputational cost
2.6 Conduct risk severity level assessment
Finalized List of IT Risk Events
Risk Register
Risk Management Program Manual
Prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.
Risk monitoring responsibilities are established.
Risk response strategies have been identified for all key risks.
3.1 Conduct risk severity level assessment
3.2 Document the proximity of the risk event
3.3 Conduct expected cost assessment
3.4 Develop key risk indicators (KRIs) and escalation protocols
3.5 Root cause analysis
3.6 Identify and assess risk responses
Risk Register
Risk Management Program Manual
Risk Event Action Plans
Assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.
Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.
Authoritative risk response recommendations can be made to senior leadership.
A finalized Risk Management Program Manual is ready for distribution to key stakeholders.
4.1 Identify and assess risk responses
4.2 Risk response cost-benefit analysis
4.3 Create multi-year cost projections
4.4 Review techniques for embedding risk management in IT
4.5 Finalize the Risk Report and Risk Management Program Manual
4.6 Transfer ownership of risk responses to project managers
Risk Report
Risk Management Program Manual
Executive Brief
Analyst Perspective
Executive Summary
Phase 1: Review IT Risk Fundamentals & Governance
Phase 2: Identify and Assess IT Risk
Phase 3: Monitor, Communicate, and Respond to IT Risk
Appendix
Bibliography
Valence Howden, Principal Research Director, CIO Practice
Brittany Lutes, Senior Research Analyst, CIO Practice
Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.
Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.
This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.
IT has several challenges when it comes to addressing risk management:
Many IT organizations realize these obstacles:
IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.
58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021)
By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.
Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021)
IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk. |
Start Here |
PHASE 1: Review IT Risk Fundamentals and Governance | PHASE 2: Identify and Assess IT Risk | PHASE 3: Monitor, Report, and Respond to IT Risk |
1.1 Review IT Risk Management Fundamentals; 1.2 Establish a Risk Governance Framework | 2.1 Identify IT Risks; 2.2 Assess and Prioritize IT Risks | 3.1 Monitor IT Risks and Develop Risk Responses; 3.2 Report IT Risk Priorities |
Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.
Risk Drivers
Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021) | 63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021) | Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020) | 55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021) |
1. Assess Enterprise Risk Maturity | 3. Build a Risk Management Program Plan | 4. Establish Risk Management Processes | 5. Implement a Risk Management Program | ||
2. Determine Authority with Governance
Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020) |
IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.
Governance and related decision making is optimized with integrated and aligned risk data. |
ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types. The program plan is meant to consider all the major risk types in a unified approach. |
Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action. |
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Key deliverable: Risk Management Program Manual
Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk. |
Integrated Risk Maturity Assessment
Assess the organization's current maturity and readiness for integrated risk management (IRM). |
Centralized Risk Register
The repository for all the risks that have been identified within your environment. |
Risk Costing Tool
A potential cost-benefit analysis of possible risk responses to determine a good method to move forward. |
Risk Report & Risk Event Action Plan
A method to report risk severity and hold risk owners accountable for chosen method of responding. |
As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.
Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. (ISO 31000) |
A strong risk management foundation is valuable when building your IT risk management program. This research covers the following IT risk fundamentals:
Drivers of Formalized Risk Management: |
Drivers External to IT | ||
External Audit | Internal Audit | |
Mandated by ERM | ||
Occurrence of Risk Event | ||
Demonstrating IT’s value to the business | Proactive initiative | |
Emerging IT risk awareness | ||
Grassroots Drivers |
IT Benefits
|
Business Benefits
|
DIY Toolkit |
Guided Implementation |
Workshop |
Consulting |
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 6 to 8 calls over the course of 3 to 6 months.
What does a typical GI on this topic look like?
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
 | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
Activities | Review IT Risk Fundamentals and Governance: 1.1 Assess current program maturity 1.2 Complete RACI chart 1.3 Create the IT risk council 1.4 Identify and engage key stakeholders 1.5 Add organization-specific risk scenarios 1.6 Identify risk events | Identify IT Risks: 2.1 Identify risk events (continued) 2.2 Augment risk event list using COBIT 5 processes 2.3 Determine the threshold for (un)acceptable risk 2.4 Create impact and probability scales 2.5 Select a technique to measure reputational cost 2.6 Conduct risk severity level assessment | Assess IT Risks: 3.1 Conduct risk severity level assessment 3.2 Document the proximity of the risk event 3.3 Conduct expected cost assessment 3.4 Develop key risk indicators (KRIs) and escalation protocols 3.5 Perform root cause analysis 3.6 Identify and assess risk responses | Monitor, Report, and Respond to IT Risk: 4.1 Identify and assess risk responses 4.2 Risk response cost-benefit analysis 4.3 Create multi-year cost projections 4.4 Review techniques for embedding risk management in IT 4.5 Finalize the Risk Report and Risk Management Program Manual 4.6 Transfer ownership of risk responses to project managers | Next Steps and Wrap-Up (offsite): 5.1 Complete in-progress deliverables from previous four days 5.2 Set up review time for workshop deliverables and to discuss next steps |
Outcomes |
Phase 1
|
Phase 2
|
Phase 3
|
Step 1.1 | Step 1.2 |
Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:
Core Responsibilities | With an ERM | Without an ERM |
 | Senior Leadership Team | Senior Leadership Team |
 | ERM | IT Risk Management |
 | IT Risk Management | |
 | Pro: IT’s risk management responsibilities are defined (assessment schedules, escalation and reporting procedures). Con: IT may lack autonomy to implement IT risk management best practices. | Pro: IT is free to create its own IT risk council and develop customized processes that serve its unique needs. Con: Lack of clear reporting procedures and mechanisms to share accountability with the business. |
Risk Governance
Risk Identification
Risk Response
Risk Assessment
Risk management benefits | To engage the business... |
IT is compliant with external laws and regulations. | Identify the industry or legal legislation and regulations your organization abides by. |
IT provides support for business compliance. | Find relevant business compliance issues, and relate compliance failures to cost. |
IT regularly communicates costs, benefits, and risks to the business. | Acknowledge the number of times IT and the business miscommunicate critical information. |
Information and processing infrastructure are very secure. | Point to past security breaches or potential vulnerabilities in your systems. |
IT services are usually delivered in line with business requirements. | Bring up IT services that the business was unsatisfied with. Explain that their inputs in identifying risks are correlated with project quality. |
IT related business risks are managed very well. | Make it clear that with no risk tracking process, business processes become exposed and tend to slow down. |
IT projects are completed on time and within budget. | Point out late or over-budget projects due to the occurrence of unforeseen risks. |
Input: List of IT personnel and business stakeholders
Output: Buy-in from senior leadership for an IT risk management program
Materials: Risk Management Program Manual
Participants: IT executive leadership, Business executive leadership
The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:
Record the results in the Risk Management Program Manual.
Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.
Integrated Risk Maturity Assessment: A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization. |
Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organization.
Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.
1-4 hours
Input: List of IT personnel and business stakeholders
Output: Maturity scores across four key risk categories
Materials: Integrated Risk Maturity Assessment Tool
Participants: IT executive leadership, Business executive leadership
This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.
How to Use This Assessment:
Record the results in the Integrated Risk Maturity Assessment.
Integrated Risk Maturity Categories
1 | Context & Strategic Direction | Understanding of the organization’s main objectives and how risk can support or enhance those objectives. |
2 | Risk Culture and Authority | Examine if risk-based decisions are being made by those with the right level of authority and if the organization’s risk appetite is embedded in the culture. |
3 | Risk Management Process | Determine if the current process to identify, assess, respond to, monitor, and report on risks is benefitting the organization. |
4 | Risk Program Optimization | Consider opportunities where risk-related data is being gathered, reported, and used to make informed decisions across the enterprise. |
Review IT Risk Fundamentals and Governance
Step 1.1 | Step 1.2 |
Challenges:
|
Key metrics:
|
Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.
Support and sponsorship from senior leadership
IT risk management has more success when initiated by a member of the senior leadership team or the board, rather than emerging from IT as a grassroots initiative. Sponsorship increases the likelihood that risk management is prioritized and receives the necessary resources and attention. It also ensures that IT risk accountability is assumed by senior leadership. |
Risk culture and awareness
A risk-aware organizational culture embraces new policies and processes that reflect a proactive approach to risk. An organization with a risk-aware culture is better equipped to facilitate communication vertically within the organization. Risk awareness can be embedded by revising job descriptions and performance assessments to reflect IT risk management responsibilities. |
Organization size
Smaller organizations can often institute a mature risk management program much more quickly than larger organizations. It is common for key personnel within smaller organizations to be responsible for multiple roles associated with risk management, making it easier to integrate IT and business risk management. Larger organizations may find it more difficult to integrate a more complex and dispersed network of individuals responsible for various risk management responsibilities. |
1-4 hours
Input: Integrated Risk Maturity Assessment
Output: Obstacles and pain points identified
Materials: IT Risk Management Success Factors
Participants: IT executive leadership, Business executive leadership
Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.
Instructions:
Replace the example pain points and opportunities with real scenarios in your organization.
Pain Points/Obstacles
|
Opportunities
|
Risk Tolerant
|
Moderate
|
Risk Averse
|
One element of risk culture is what levels of risk the organization is willing to accept to pursue its objectives and what levels of risk are deemed unacceptable. This is often called risk appetite. | |
Risk tolerant
Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks. |
Risk averse
Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance toward risk. |
The other component of risk culture is the degree to which risk factors into decision making. | |
Risk conscious
Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives, regardless of whether they choose to accept or respond to those risks. |
Unaware
Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives and choose to invest resources elsewhere. |
Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.
1-4 hours
Input: Integrated Risk Maturity Assessment, Risk Culture, Pain Points and Opportunities
Output: Goals for the IT risk management program
Materials: Risk Management Program Manual
Participants: IT executive leadership, Business executive leadership
Translate your maturity assessment and knowledge about organizational risk culture, potential obstacles, and success factors to develop goals for your IT risk management program.
Instructions:
Record the results in the Risk Management Program Manual.
Ensure that all success metrics are SMART | Instructions |
Strong | Make sure the objective is clear and detailed. |
Measurable | Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective. |
Actionable | Objectives become actionable when specific initiatives designed to achieve the objective are identified. |
Realistic | Objectives must be achievable given your current resources or known available resources. |
Time-Bound | An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline. |
Replace the example metrics with accurate KPIs or metrics for your organization.
Sample Metrics
Name | Method | Baseline | Target | Deadline | Checkpoint 1 | Checkpoint 2 | Final |
Number of risks identified (per year) | Risk register | 0 | 100 | Dec. 31 | |||
Number of business units represented (risk identification) | Meeting minutes | 0 | 5 | Dec. 31 | |||
Frequency of risk assessment | Assessments recorded in risk management program manual | 0 | 2 per year | Year 2 | |||
Percentage of identified risk events that undergo expected cost assessment | Ratio of risks assessed in the risk costing tool to risks assessed in the risk register | 0 | 20% | Dec. 31 | |||
Number of top risks without an identified risk response | Risk register | 5 | 0 | March 1 | |||
Cost of risk management program operations per year | Meeting frequency and duration, multiplied by the cost of participation | $2,000 | $5,000 | Dec. 31 |
Responsibilities of the ITRC:
|
Must be on the ITRC:
Must be on the ITRC:
|
1-4 hours
Input: List of IT personnel and business stakeholders
Output: Goals for the IT risk management program
Materials: Risk Management Program Manual
Participants: CIO, CRO (if applicable), Senior Directors, Head of Operations
Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.
Instructions:
Record the results in the Risk Management Program Manual.
RACI is an acronym made up of four participatory roles: | Instructions |
Responsible | Stakeholders who undertake the activity. |
Accountable | Stakeholders who are held responsible for failure or take credit for success. |
Consulted | Stakeholders whose opinions are sought. |
Informed | Stakeholders who receive updates. |
 | Stakeholder Coordination | Risk Identification | Risk Thresholds | Risk Assessment | Identify Responses | Cost-Benefit Analysis | Monitoring | Risk Decision Making |
ITRC | A | R | I | R | R | R | A | C |
ERM | C | I | C | I | I | I | I | C |
CIO | I | A | A | A | A | A | I | R |
CRO | I | R | C | I | R | |||
CFO | I | R | C | I | R | |||
CEO | I | R | C | I | A | |||
Business Units | I | C | C | C | ||||
IT | I | I | I | I | I | I | R | C |
PMO | C | C | C |
Legend: | Responsible | Accountable | Consulted | Informed |
Phase 1
| Phase 2
| Phase 3
|
Step 2.1 | Step 2.2 |
|
Key metrics:
|
What you don’t know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of? Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT’s risks.
Benefits of obtaining business involvement during the risk identification stage:
Executive Participation:
| Prioritizing and Selecting Stakeholders
Info-Tech Insight: While IT personnel are better equipped to identify IT risk than anyone, IT does not always have an accurate view of the business’ exposure to IT risk. Strive to maintain a 3 to 1 ratio of IT to non-IT personnel involved in the process. |
Info-Tech’s risk categories are consistent with a risk identification method called Risk Prompting.
A risk prompt list is a list that categorizes risks into types or areas. The 10 risk categories encapsulate the services, activities, responsibilities, and functions of most IT departments. Use these categories and the example risk scenarios provided as prompts to guide brainstorming and organize risks.
Risk Category: High-level groupings that describe risk pertaining to major IT functions. See the following slide for all ten of Info-Tech’s IT risk categories. | Risk Scenario: An abstract profile representing common risk groups that are more specific than risk categories. Typically, organizations are able to identify two to five scenarios for each category. | Risk Event: Specific threats and vulnerabilities that fall under a particular risk scenario. Organizations are able to identify anywhere between 1 and 20 events for each scenario. See the Appendix of the Risk Management Program Manual for a list of risk event examples. |
Risk Category | Risk Scenario | Risk Event |
Compliance | Regulatory compliance | Being fined for not complying/being aware of a new regulation. |
 | Externally originated attack | Phishing attack on the organization. |
Operational | Technology evaluation & selection | Partnering with a vendor that is not in compliance with a key regulation. |
 | Capacity planning | Not having sufficient resources to support a DRP. |
Third-Party Risk | Vendor management | Vendor performance requirements are improperly defined. |
 | Vendor selection | Vendors are improperly selected to meet the defined use case. |
IT Reputational
IT Financial
IT Strategic
Operational
Availability
Performance
Compliance
Security
Third Party
Digital
Input: IT risk categories
Output: Risk events identified and categorized
Materials: Risk Register Tool
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owners, CRO (if applicable)
Use Info-Tech’s IT risk categories and scenarios to brainstorm a comprehensive list of IT-related threats and vulnerabilities impacting your organization.
Instructions:
Tip: If disagreement arises regarding whether a specific risk event is relevant to the organization or not and it cannot be resolved quickly, include it in the list. The applicability of these risks will become apparent during the assessment process.
Record the results in the Risk Register Tool.
|
|
Consider the External Environment – PESTLE Analysis
Despite efforts to encourage equal participation in the risk identification process, key risks may not have been shared in previous exercises. Conduct a PESTLE analysis as a final safety net to ensure that all key risk events have been identified. |
Avoid “Groupthink” – Nominal Group Technique
The Nominal Group Technique uses the silent generation of ideas and an enforced “safe” period of time where ideas are shared but not discussed to encourage judgement-free idea generation.
Note: Employing either of these techniques will lengthen an already time-consuming process. Only consider these techniques if you have concerns regarding the homogeneity of the ideas being generated or if select individuals are dominating the exercise. |
|
List the following factors influencing the risk event:
Identify and Assess IT Risk
Step 2.1 | Step 2.2 |
|
Key metrics:
|
Risk is money. It’s impossible to make intelligent decisions about risks without knowing what their financial impact will be.
In this section, you will be prioritizing your IT risks according to their risk severity, which is a reflection of their expected cost.
How much you expect a risk event to cost if it were to occur: Likelihood of Risk Impact (e.g. $250,000 or “High”)
X
Calibrated by how likely the risk is to occur: Likelihood of Risk Occurrence (e.g. 10% or “Low”)
=
Produces a dollar value or “severity level” for comparing risks: Risk Severity (e.g. $25,000 or “Medium”)
Which must be evaluated against thresholds for acceptable risk and the cost of risk responses.
Risk Tolerance
|
CBA
Cost-benefit analysis |
1. Engage the Business During Assessment Process: Asking business stakeholders to make significant contributions to the assessment exercise may be unrealistic (particularly for members of the senior leadership team, other than the CIO). Ensure that they work with you to finalize thresholds for acceptable or unacceptable risk. |
2. Verify the Risk Impact and Assessment: If IT has ranked risk events appropriately, the business will be more likely to offer their input. Share impact and likelihood values for key risks to see if they agree with the calculated risk severity scores. |
3. Identify Where the Business Focuses Attention: While verifying, pay attention to the risk events that the business stresses as key risks. Keep these risks in mind when prioritizing risk responses as they are more likely to receive funding. Try to communicate the assessments of these risk events in terms of expected cost to attract the attention of business leaders. |
If business executives still won’t provide the necessary information to update your initial risk assessments, IT should approach business unit leaders and lower-level management. Lean on strong relationships forged over time between IT and business managers or supervisors to obtain any additional information.
Review the two levels of risk assessment offered in this blueprint.
1 | Information: Number of risks: Assess all risk events identified in Phase 1. | Assess Likelihood: Negligible | X | Assess Likelihood: Negligible | = | Output: Moderate |
2 | Information: Number of risks: Only assess high-priority risks revealed by severity-level assessment. | Assess Likelihood: 15%, Moderate | X | Assess Likelihood: $100,000, High | = | Output: $15,000. Expected cost is useful for conducting cost-benefit analysis and comparing IT risks to non-IT risks and other budget priorities for the business. |
For risk events warranting further analysis, translate risk severity levels into hard expected-cost numbers.
Why conduct expected cost assessments?
|
Why is expected cost assessment optional?
|
Input: Risk events, Risk appetite
Output: Threshold for risk identified
Materials: Risk Register Tool, Risk Management Program Manual
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner
Instructions:
There are times when the business needs to know about IT risks with high expected costs.
This threshold is typically based on the organization’s ability to absorb financial losses, and its tolerance/appetite towards risk.
If your organization has ERM, adopt the existing acceptability threshold.
Record this threshold in section 5.3 of the Risk Management Program Manual
1-4 hours
Input: Risk events, Risk threshold
Output: Financial impact scale created
Materials: Risk Register Tool, Risk Management Program Manual
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner
Instructions:
Record the risk impact scale in section 5.3 of the Risk Management Program Manual
Use the tables below to quickly convert impacts typically measured in units of time to financial cost. Replace the values in the table with those that reflect your own costs.
Project Overruns
Project | Time (days) | Number of employees | Average cost per employee (per day) | Estimated cost |
| 20 days | 8 | $300 | $48,000 |
Service Outages
Service | Time (hours) | Lost revenue (per hour) | Estimated cost | Impact scale |
| 4 hours | $10,000 | $40,000 | Low |
Reputational cost can take several forms, including the internal and external perception of:
Based on your industry and the nature of the risk, select one of the three techniques described in this section to incorporate reputational costs into your risk assessment.
Technique #1 – Use financial indicators:
For-profit companies typically experience reputational loss as a gradual decline in the strength of their brand, exclusion from industry groups, or lost revenue. If possible, use these measures to put a price on reputational loss:
Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.
It is common for public sector or not-for-profit organizations to have difficulty putting a price tag on intangible reputational costs.
Technique #2 – Calculate the value of avoiding reputational cost:
For example: A data breach, which caused the unsanctioned disclosure of 2,000 client files, has inflicted high reputational costs on the organization. These have impacted the organization in the following ways:
If you feel that the other techniques have not reflected reputational impacts in the overall severity level of the risk, create a parallel scale that roughly matches your financial impact scale.
Technique #3 – Create a parallel scale for reputational impact:
Visibility is a useful metric for measuring reputational impact. Visibility measures how widely knowledge of the risk event has spread and how negatively the organization is perceived. Visibility has two main dimensions:
Internal/External: The further outside of the organization that the risk event is visible, the higher the reputational impact.
1-3 hours
Instructions:
Record the risk impact scale in section 5.3 of the Risk Management Program Manual.
Note: Info-Tech endorses the use of likelihood values (1-99%) rather than frequency (3 times per year) as a measurement.
For an explanation of why likelihood values lead to more precise and robust risk assessment, see the Appendix.
6-10 hours
Input: Risk events identified
Output: Assessed the likelihood of occurrence and impact for all identified risk events
Materials: Risk Register Tool
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner
Instructions:
Record results in the Risk Register Tool
Instructions (continued):
Tips for Selecting Likelihood Values:
Does ~10% sound right? Test a likelihood estimate by assessing the truth of the following statements:
Consider how IT is already addressing key risks.
Tactical controls
Apply to individual risks only. Example: A tactical control for backup/replication failure is faster WAN lines.
Strategic controls
Apply to multiple risks. Example: A strategic control for backup/replication failure is implementing formal DR plans.
[Figure: a tactical risk control and a strategic risk control shown against risk events]
Consider both tactical and strategic controls already in place when filling out risk event information in the Risk Register Tool.
Identifying existing risk controls (past risk responses) provides a clear picture of the measures already in place to avoid, mitigate, or transfer key risks. This reveals opportunities to improve existing risk controls, or where new strategies are needed, to reduce risk severity levels below business thresholds.
Selecting the Appropriate Risk Owner
Use the following considerations to determine the best owner for each risk:
Risk Owner Responsibilities
Risk ownership means that an individual is responsible for the following activities:
Select risks with these characteristics:
Strongly consider conducting an expected cost assessment for risk events that meet one or more of the following criteria. The risk:
Determine which risks require a deeper assessment:
Info-Tech recommends conducting a second-level assessment for 5-15% of your IT risk register. Communicating the expected cost of high-priority risks significantly increases awareness of IT risks by the business. Communicating risks to the business using their language also increases the likelihood that risk responses will receive the necessary support and investment. Record the list of risk events requiring second-level assessment in the Risk Costing Tool.
Instructions:
Who should participate?
Intersubjective likelihood
The goal of the expected cost assessment is to develop robust intersubjective estimates of likelihood and financial impact. By aggregating a number of expert opinions of what they deem to be the “correct” value, you will arrive at a collectively determined value that better reflects reality than an individual opinion.
Example: The Delphi Method
The Delphi Method is a common technique to produce a judgement that is representative of the collective opinion of a group.
Justifying Your Estimates: When asked to explain the numbers you arrived at during the risk assessment, pointing to an assessment methodology gives greater credibility to your estimates.
Info-Tech Insight
The underlying assumption behind intersubjective forecasting is that group judgements are more accurate than individual judgements. However, this may not be the case at all. Sometimes, a single expert opinion is more valuable than many uninformed opinions. Defining whose opinion is valuable and whose is not is an unpleasant exercise; therefore, selecting the right personnel to participate in the exercise is crucially important.
Monitor, Respond, and Report on IT Risk
Step 3.1 | Step 3.2 |
Risk Event Action Plan
Obtaining sign-off from the senior leadership team or from the ERM office is an important step of the risk management process. The Risk Event Action Plan ensures that high-priority risks are closely monitored and that changes in risk severity are detected and reported.
Clear documentation is a way to ensure that critical information is shared with management so that they can make informed risk decisions. These reports should be succinct yet comprehensive; depending on time and resources, it is good practice to fill out this form and obtain sign-off for the majority of IT risks.
The risk owner should be held accountable for monitoring their assigned risks but may delegate responsibility for these tasks.
Instructions:
Note: Examples of KRIs can be found on the following slide.
What are KRIs?
Document KRIs, escalation thresholds, and escalation protocols for each risk in a Risk Event Action Plan.
Reporting | Risk Event |
Weekly reports to ITRC |
Bi-weekly reports to ITRC |
Monthly reports to ITRC |
Report to ITRC only if KRI thresholds triggered |
No reports; reassessed bi-annually |
1 (Mandatory) | Tool | Information
2 (Optional) | Tool | Information
Determine the root cause of IT risks
Root cause analysis
Use the “Five Whys” methodology to identify the root cause and contributing/exacerbating factors for each risk event. Diagnosing the root cause of a risk, as well as the environmental factors that increase its potential impact and likelihood of occurring, allows you to identify more effective risk responses. Risk responses that only address the symptoms of the risk are less likely to succeed than responses that address the core issue.
What factors matter?
Identify relevant actors and assets that amplify or diminish the severity of the risk.
Actors
Assets/Resources
Develop risk responses that target contributing factors.
Root cause: Business units rely on “real-time” data gathered from latency-sensitive applications
Actors: Enterprise App users (Finance, Product Development, Product Management)
Asset/resource: Applications, network
Risk response: X Decreasing the use of key apps contradicts business objectives.
Contributing factors: Unreliable router software
Actors: Network provider, router vendor, router software vendor, IT department
Asset/resource: Network, router, router software
Risk response: ✓ Replacing the vendor would reduce network outages at a relatively low cost.
Symptoms: Network outage
Actors: All business units, network provider
Asset/resource: Network, business operations, employee productivity
Risk response: X Replacing legacy systems would be too costly.
Instructions:
Complete the following steps for each risk event.
Document the following in the Risk Event Action Plan for each risk event:
Record the results in the Risk Event Action Plan.
Risk Avoidance
Example Risk event: Information security vulnerability from third-party cloud services provider.
Example 1
Most risk responses will reduce both the likelihood of the risk event occurring and its potential impact.
Example Mitigation: Purchase and implement enterprise mobility management (EMM) software with remote wipe capability.
Example 2
However, some risk responses will have a greater effect on decreasing the likelihood of a risk event with little effect on decreasing impact.
Example Mitigation: Create policies that restrict which personnel can access sensitive data on mobile devices.
Example 3
Others will reduce the potential impact without decreasing its likelihood of occurring.
Example Mitigation: Use robust encryption for all sensitive data.
Process Improvement
Key processes that would most directly improve the risk profile:
Infrastructure Management
Personnel
Rationalization and Simplification
This is a foundational activity, as complexity is a major source of risk:
Insurance
The most common form of risk transfer is the purchase of insurance.
Not all risks can be insured. Insurable risks typically possess the following five characteristics:
Other Forms of Risk Transfer
Other forms of risk transfer include:
Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat.
You may choose to accept a risk event for one of the following three reasons:
Constant monitoring and the assignment of responsibility and accountability for accepted risk events is crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.
This helps IT make risk-conscious investment decisions that fall within the IT budget and helps the organization make sound budgetary decisions for risk response projects that cannot be addressed by IT’s existing budget.
Instructions:
Record the results in the Risk Costing Tool.
Instructions:
The tool will calculate the expected residual cost of the risk event: (Financial Impact x Likelihood) - Costs = Expected Residual Cost
Note: See Activity 3.1.5 to build multi-year cost projections for risk responses.
Instructions: Calculate expected cost for multiple years using the Risk Costing Tool for:
Copy and paste the graphs into the Risk Report and the Risk Event Action Plan for the risk event.
Record the results in the Risk Costing Tool.
Communicate IT risk management in two directions:
Create a strong paper trail and obtain sign-off for the ITRC’s recommendations.
Now that you have collected all of the necessary raw data, you must communicate your insights and recommendations effectively. A fundamental task of risk management is communicating risk information to senior management. It is your responsibility to enable them to make informed risk decisions. This can be considered upward communication. The two primary goals of upward communication are:
Good risk management also has a trickle-down effect impacting all of IT. This can be considered downward communication. The two primary goals of downward communication are:
Best practice is for all acceptable risks to also be signed-off by senior leadership. However, for ITRCs that brainstorm 100+ risks, this may not be possible. If this is the case, prioritize accepted risks that were assessed to be closest to the organization’s thresholds.
By receiving a stamp of approval for each key risk from senior management, you ensure that:
Task:
All IT risks that were flagged for exceeding the organization’s severity thresholds must obtain sign-off by the CIO or another member of the senior leadership team.
The Risk Report contains:
The IT risk council plays an instrumental role in fostering a culture of risk awareness throughout the IT department. In addition to periodic risk assessments, fulfilling reporting requirements, and undertaking ongoing monitoring responsibilities, members of the ITRC can take a number of actions to encourage other IT employees to adopt a risk-focused approach, particularly at the project planning stage.
Embed risk management in project planning
Make time for discussing project risks at every project kick-off.
Embed risk management with employees
Train IT staff on the ITRC’s planned responses to specific risk events.
Depending on the size of your IT department and the amount of resources dedicated to ongoing risk management, you may consider embedding risk management responsibilities into the performance assessments of certain ITRC members or other IT personnel.
If risk management responsibilities are not built into performance assessments, it is less likely that they will invest time and energy into these tasks. Adding risk management metrics to performance assessments directly links good job performance with good risk management, making it more likely that ITRC activities and initiatives gain traction throughout the IT department.
Changing job titles to reflect the focus of an individual’s role on managing IT risk may be a good way to distinguish personnel tasked with developing KRIs and monitoring risks on a week-to-week basis.
Go back through the Risk Management Program Manual and ensure that the material will accurately reflect your approach to risk management going forward.
Remember, the program manual is a living document that should be evolving alongside your risk management program, reflecting best practices, knowledge, and experiences accrued from your own assessments and experienced risk events.
The best way to ensure that the program manual continues to guide and document your risk management program is to make it the focal point of every ITRC meeting and ensure that one participant is tasked with making necessary adjustments and additions.
“Upon completing the Info-Tech workshop, the deliverables that we were left with were really outstanding. We put together a 3-year project plan from a high level, outlining projects that will touch upon our high risk areas.” (Director of Security & Risk, Water Management Company)
54% of small businesses haven’t implemented controls to respond to the threat of cyber attacks (Source: Insurance Bureau of Canada, 2021)
So you’ve identified the most important IT risks and implemented projects to protect IT and the business.
Unfortunately, your risk assessment is already outdated.
Perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.
To continue the momentum of your newly forged IT risk management program, read Info-Tech’s research on conducting periodic risk assessments and “health checks”:
Revive Your Risk Management Program With a Regular Health Check
Risk | An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the likelihood of a perceived threat or opportunity occurring and the magnitude of its impact on objectives (Office of Government Commerce, 2007). |
Threat | An event that can create a negative outcome (e.g. hostile cyber/physical attacks, human errors). |
Vulnerability | A weakness that can be taken advantage of in a system (e.g. weakness in hardware, software, business processes). |
Risk Management | The systematic application of principles, approaches, and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for proactive decision making (Office of Government Commerce, 2007). |
Risk Category | Distinct from a risk event, a category is an abstract profile of risk. It represents a common group of risks. For example, you can group certain types of risks under the risk category of IT Operations Risks. |
Risk Event | A specific occurrence of an event that falls under a particular risk category. For example, a phishing attack is a risk event that falls under the risk category of IT Security Risks. |
Risk Appetite | An organization’s attitude towards risk taking, which determines the amount of risk that it considers acceptable. Risk appetite also refers to an organization’s willingness to take on certain levels of exposure to risk, which is influenced by the organization’s capacity to financially bear risk. |
Enterprise Risk Management (ERM) | A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of organizational risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS, 2015). |
The basic formula of Likelihood x Impact = Severity is a common methodology used across risk management frameworks. However, some frameworks measure likelihood using Frequency rather than Likelihood.
Frequency is typically measured as the number of instances an event occurs over a given period of time (e.g. once per month).
Likelihood is a numerical representation of the “degree of belief” that the risk event will occur in a given future timeframe (e.g. 25% likelihood that the event will occur within the next year).
False Objectivity
While some may argue that frequency provides an objective measurement of likelihood, it is well understood in the field of likelihood theory that historical data regarding the frequency of a risk event may have little bearing over the likelihood of that event happening in the future. Frequency is often an indication of future likelihood but should not be considered an objective measurement of it.
Likelihood scales that use frequency underestimate the magnitude of risks that lack historical precedent. For example, an IT department that has never experienced a high-impact data breach would adopt a very low likelihood score using the frequentist approach. However, if all of the organization’s major competitors have suffered a major breach within the last two years, they ought to possess a much higher degree of belief that the risk event will occur within the next year.
Likelihood is a more comprehensive measurement of future likelihood, as frequency can be used to inform the selection of a likelihood value. The process of selecting intersubjective likelihood values will naturally internalize historical data such as the frequency that the event occurred in the past. Further, the frequency that the event is expected to occur in the future can be captured by the expected impact value. For example, a risk event that has an expected impact per occurrence of $10,000 that is expected to occur three times over the next year has an expected impact of $30,000.
Don’t just fixate on the most likely impact – be aware of high-impact outcomes.
During assessment, risks are evaluated according to their most likely financial impact.
Naturally, focusing on the most likely financial impact will exclude higher impacts that – while theoretically possible – are so unlikely that they do not warrant any real consideration.
While the risk severity level assessment allows you to present impacts as a range of values (e.g. $50,000 to $75,000), the expected cost assessment requires you to select specific values.
Sometimes called Black Swan events or Fat-Tailed outcomes, high-impact events may occur when the far right of the likelihood distribution – or the “tail” – is thicker than a normal distribution (see fig. 2).
For risk events that contain non-negligible likelihoods (too high to be ignored) consider elevating the risk severity level or expected cost.
Info-Tech Insight
Don’t gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor. Take an agile approach to analyze your gaps and prioritize your remediations. You don’t always have to be fully compliant as long as your organization understands and can live with the consequences.
Info-Tech Insight
Security risk management equals cost effectiveness. Time spent upfront identifying and prioritizing risks can mean the difference between spending too much and staying on budget.
Sandi Conrad
Christine Coz
Milena Litoiu
Scott Magerfleisch
Aadil Nanji
Andy Neill
Daisha Pennie
Ken Piddington
Frank Sewell
Andrew Sharpe
Chris Warner
Sterling Bjorndahl
Ibrahim Abdel-Kader
Tamara Dwarika
Anne Leroux
Ian Mulholland
Michel Fossé
Petar Hristov
Steve Woodward
*Plus 10 additional interviewees who wish to remain anonymous.
“2021 State of the CIO.” IDG, 28 January 2021. Web.
“4 Reasons Why CIOs Lose Their Jobs.” Silverton Consulting, 2012. Web.
Beasley, Mark, Bruce Branson, and Bonnie Hancock. “The State of Risk Oversight,” AICPA, April 2021. Web.
COBIT 2019. ISACA, 2019. Web.
“Cognyte jeopardized its database exposing 5 billion records, including earlier data breaches.” SecureBlink, 21 June 2021. Web.
Culp, Steve. “Accenture 2019 Global Risk Management Study, Financial Services Report.” Accenture, 2019. Web.
Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” COSO Committee of Sponsoring Organizations of the Treadway Commission, Deloitte & Touche LLP, 2012. Web.
“Cyber Risk Management.” Insurance Bureau of Canada (IBC), 2022. Web.
Eccles, Robert G., Scott C. Newquist, and Roland Schatz. “Reputation and Its Risks.” Harvard Business Review, February 2007. Web.
Eden, C. and F. Ackermann. Making Strategy: The Journey of Strategic Management. Sage Publications, 1998.
“Enterprise Risk Management Maturity Model.” OECD, 9 February 2021. Web.
Ganguly, Saptarshi, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish. “Digital Risks: Transforming risk management for the 2020s.” McKinsey & Company, 10 February 2017. Web.
“Governance Institute of Australia Risk Management Survey 2020.” Governance Institute of Australia, 2020. Web.
“Guidance on Enterprise Risk Management.” COSO, 2022. Web.
Henriquez, Maria. “The Top 10 Data Breaches of 2021.” Security Magazine, 9 December 2021. Web.
Holmes, Aaron. “533 million Facebook users’ phone numbers and personal data have been leaked online.” Business Insider, 3 April 2021. Web.
“Integrated Risk and Compliance Management for Banks and Financial Services Organizations: Benefits of a Holistic Approach.” MetricStream, 2022. Web.
“ISACA’s Risk IT Framework Offers a Structured Methodology for Enterprises to Manage Information and Technology Risk.” ISACA, 25 June 2020. Web.
ISO 31000 Risk Management. ISO, 2018. Web.
Lawton, George. “10 Enterprise Risk Management Trends in 2022.” TechTarget, 2 February 2022. Web.
Levenson, Michael. “MGM Resorts Says Data Breach Exposed Some Guests’ Personal Information.” The New York Times, 19 February 2020. Web.
Management of Risk (M_o_R): Guidance for Practitioners. Office of Government Commerce, 2007. Web.
“Many small businesses vulnerable to cyber attacks.” Insurance Bureau of Canada (IBC), 5 October 2021.
Maxwell, Phil. “Why risk-informed decision-making matters.” EY, 3 December 2019. Web.
“Measuring and Mitigating Reputational Risk.” Marsh, September 2014. Web.
Natarajan, Aarthi. “The Top 6 Business Risks you should Prepare for in 2022.” Diligent, 22 December 2021. Web.
“Operational Risk Management Excellence – Get to Strong Survey: Executive Report.” KPMG and RMA, 2014. Web.
“Third-party risk is becoming a first priority challenge.” Deloitte, 2022. Web.
Thomas, Adam, and Dan Kinsella. “Extended Enterprise Risk Management Survey, 2020.” Deloitte, 2021. Web.
Treasury Board Secretariat. “Guide to Integrated Risk Management.” Government of Canada, 12 May 2016. Web.
Webb, Rebecca. “6 Reasons Data is Key for Risk Management.” ClearRisk, 13 January 2021. Web.
“What is Enterprise Risk Management (ERM)?” RIMS, 2015. Web.
Wiggins, Perry. “Do you spend enough time assessing strategic risks?” CFO, 26 January 2022. Web.
To drive a rapid shift towards the adoption of emerging technology, CIOs need:
IT must lead the innovation capabilities that will drive the adoption of emerging technology across the enterprise. In an exponential world, IT needs to adopt business value targets and become a value creator rather than limit itself to IT service targets and remain a cost center in the organization.
Assess your innovation capability in five key areas supporting Exponential IT:
This research walks you through how to assess your capabilities to lead enterprise innovation and drive Exponential IT.
This tool will facilitate your readiness assessment.
Traditionally, CIOs have struggled to gain the trust of the executive leadership team and be recognized as business leaders rather than just technical leaders. In fact, based on a 2023 study by Info-Tech Research Group, only 36% of CIOs report directly to the CEO with most of the remainder reporting through either the CFO or COO.
Exponential IT requires that CIOs gain a seat at the table and build the capabilities necessary to not only lead the transformation of their business but also drive the innovation that will lead to enterprise adoption of emerging technologies. CIOs will be required to gain a detailed understanding of their business and in-depth knowledge of emerging technologies so that they can match business opportunities with technology capabilities, while managing risk and change.
This research will help CIOs identify the capabilities they need to transform the business, and better understand where they must mature their capabilities to drive Exponential IT.
Kim Osborne Rodriguez
Research Director, CIO Advisory
Info-Tech Research Group
Your Challenge
To drive a rapid shift toward adopting emerging technology, CIOs need:
Common Obstacles
Exponential IT is dramatically shifting how IT engages the business. Many CIOs are unprepared.
Info-Tech's Approach
Is your IT team ready to drive the adoption of emerging technology? Assess your innovation capability in five key areas supporting Exponential IT:
[1] Info-Tech CXO-CIO diagnostic benchmark data, 2022, n=76
IT must lead the innovation capabilities that will drive the adoption of emerging technology across the enterprise. In an exponential world, IT needs to adopt business value targets and become a value creator rather than limit itself to IT service targets and remain a cost center in the organization.
Your ability to capture enterprise value from autonomization relies on your innovation capabilities and potential. Is your IT team ready to drive the adoption of AI-driven business processes? Assess your innovation readiness in five key areas supporting Exponential IT.
If IT leaders cannot lead the transformation, then the business will move forward without them.
Only 3% of CXOs report that their IT department can transform the business. Most IT organizations (81%) still struggle to adequately support the business.
The most common obstacles to innovation are cultural, including politics, lack of alignment on goals, misaligned culture, and an inability to act on indicators of change.[1]
CIOs struggle to get a seat at the table and influence change. Info-Tech research shows that only 36% of CIOs report directly to the CEO, with over a third reporting to another C-suite leader such as a COO or CFO.[2]
[1] Harvard Business Review, 2018
[2] Info-Tech Research Group CIO Time Study, 2023
To drive change, CIOs need to gain the trust of their senior leadership team. Getting a seat at the table should be the first step for any CIO looking to transform their business.
Only 36% of CIOs report directly to the CEO. Source: Info-Tech Research Group, 2023.
48% of Boards report that they lack frequent or direct lines of communication with their CIOs. Source: CIO Dive, 2022.
Borealis AI is a research center backed by RBC Royal Bank, tasked with researching, designing, and building AI products and tools which transform the financial services industry. It gathers researchers with backgrounds in artificial intelligence (AI), computer vision, natural language processing (NLP), computer science, computational finance, mathematics, and machine learning (ML) to create solutions in areas including asynchronous temporal models, non-cooperative learning in competing markets, and causal machine learning from observational data.
Borealis AI has created many innovative products for RBC, including:
In 2023, Borealis AI won the Best Use of AI for Customer Experience award from The Digital Banker, for the NOMI Forecast app, which has been downloaded by nearly a million RBC clients since launching in 2021.
"NOMI Forecast is a cutting-edge AI solution that uses deep learning to offer timely and accurate predictions of our clients' cashflow. Powered by our unique datasets, these AI models have been trained to deliver personalized experiences for RBC clients,"
— Foteini Agrafioti, Chief Science Officer at RBC and Head of Borealis AI
Emerging tech brings new challenges for organizations looking to create a competitive advantage. Access to sophisticated tools with minimal upfront costs has lowered the barriers to entry and democratized innovation, particularly among smaller players. The explosion of data processing and collaboration tools has allowed more focused and data-driven innovation efforts through analysis and insights, increasing the competitive advantage for those who get it right.
This has led to an accelerated pace of change as autonomous business processes start driving their own market shifts. The rise of autonomous business processes creates exponential reward, but also exponential risk for early adopters.
IT innovation leadership explains 75% of the variation in satisfaction with IT (Source: Info-Tech Research Group survey, n=305) and is the fourth-highest priority for IT end users.
A 7-year review by McKinsey (2020) showed that the most innovative companies[1] outperformed the market by upwards of 30%.
A 25-year study by Business Development Canada & Statistics Canada showed that innovation was more important to business success than management, human resources, marketing, or finance.
[1] Top innovators are defined as companies which were listed on Fast Company World's 50 Most Innovative Companies for 2+ years.
IT as a fast execution engine
Ideal for developing new methods, products, or services which provide value to the organization
Can be led by IT or the business, depending on the scope of innovation (IT generally leads IT/internal innovation while the business leads customer-focused innovation)
Often follows the pace of the business
IT is a fast executor on requests generated by the business
Leverages Agile to develop new ideas and products, and uses DevOps to put into production
Use Info-Tech's research to Build your Enterprise Innovation Program
IT as an exponential innovation leader
Ideal for driving the enterprise adoption of emerging tech and autonomous business capabilities
Led by IT, which brings the understanding of emerging technology and can link opportunities to business problems
Driven by a faster pace of change, which requires more frequent assessment of emerging technology
IT is a fast executor on ideas and uses partnerships to drive execution
Leverages Agile, machine learning operations (MLOps), DataOps and product design to test and implement ideas
Use this research to successfully drive innovation with an Exponential IT mindset
Transformation efforts fail over 75% of the time[1] resulting in millions of dollars of lost revenue[2]
Our research indicates that most organizations would take months to prepare this type of assessment without our resources. That's nearly 70 work hours spent researching and gathering data to support due diligence, for a total cost of thousands of dollars. Improve your success rate by understanding what's needed to successfully drive innovation.
[1] Lombard, 2022
[2] FutureCIO, 2022
Gauge the effectiveness of this research by completing the following table before and after using this blueprint:
Five tips to get the most out of your readiness assessment
Organizational excellence sets the stage for innovation.
"Innovation distinguishes between a leader and a follower." – Steve Jobs, Apple Founder
Without strong leadership, innovation efforts are almost certain to fail. Innovation requires buy-in and support, a leader who walks the talk, a culture which supports risk taking and allows failure, and a clear and compelling vision. Without these elements in place, transformation efforts are fifteen times more likely to fail [1] – and waste time and money along the way.
[1] Lombard, 2022.
Strong leadership is critical to the success of innovation. A global survey of 600 business leaders pointed to leadership as the best predictor of innovation success[1] and showed a strong correlation between leadership ability and innovation capabilities.
Innovation leadership starts with a mandate from the senior leadership team and requires a clearly articulated vision and strategy to deliver the intended benefits to the organization. A survey of 270 business leaders showed that over a third of them struggled with articulating the right strategy or vision, hindering their efforts to innovate.[2]
45% of business leaders report that cultural issues stifle their innovation efforts, and 55% report unhealthy politics which cause infighting that negatively affects their organization.[2]
[1] McKinsey, 2008
[2] Harvard Business Review, 2018
75% of high IT satisfaction scores are associated with a strong ability to lead innovation.
Source: Info-Tech Research Group survey, n=305
It can be challenging to drive innovation efforts without trust and buy-in from senior leadership. Start with small initiatives and build your reputation by consistently delivering on your commitments.
Build your innovation leadership with the following capabilities:
Innovation mandate: There is strong support and trust from the senior leadership team, which gives IT leaders the opportunity to lead innovation despite any temporary failure. IT leaders are well-informed about and have input into business decisions.
Transformational leadership: IT leaders are influential change agents, not only within their organization but across their industry or community. They inspire others and actively collaborate with external partners, driving change beyond their organization.
Culture of innovation: Innovative cultures generally demonstrate ten behaviors that are most closely correlated with innovation success: growth mindset, learning-focused, psychological safety, curiosity, trust, willingness to fail, collaboration, diverse perspectives, autonomy, and appropriate risk-taking. These behaviors are embedded in the organization and strongly demonstrated in daily work.
Vision & strategy: The innovation vision and strategy are continuously refined and adapted to changing market and emerging technology trends. Emerging technology innovation is second nature in the organization, and it becomes a leader in driving change across the industry.
Build your Enterprise Innovation Program: Define your innovation mandate
Manage Your CXO Relations: Successfully manage CXO relationships to get a seat at the table and build your mandate to drive innovation
Become a Transformational CIO: Build the capabilities to drive transformation as an IT leader in your organization
The foundation of innovation is data.
"Without data you're just another person with an opinion." – Edwards Deming, Statistician
Having comprehensive and accurate data about the problems you hope to solve is critical to realizing the benefits of innovation. Build your understanding of the business and ability to predict how trends will impact your industry, then stay on top of emerging tech and align solutions with strategic business capabilities.
Info-Tech data shows that businesses are 93% more likely to be satisfied with IT when their IT teams have a better understanding of the business. Teams need to understand who your organization serves, how it delivers value, and what its goals are.
When seeking to capitalize on emerging technology opportunities, businesses face an execution challenge. 82% of business leaders report being able to identify leading indicators of change, but less than two thirds of them are confident in their ability to act on those indicators.[1]
A report by Leadership IQ noted that only 29% of the 21,008 employees surveyed considered their leader's vision consistently well aligned with the organizational vision.[2] Strategic alignment is not just important from a results perspective. It impacts employee motivation: employees with strong leadership alignment are 24% more likely to give their best at work.[2]
[1] Harvard Business Review, 2018
[2] Leadership IQ, 2020
82% of business leaders say they can correctly identify leading indicators of change…
…however, only 58% feel confident in their abilities to act on these indicators.
Source: Harvard Business Review, 2018
Develop key insights and intelligence with the following capabilities:
Business context: IT actively participates in the business as a value creator and innovator, proactively disrupting the business and driving the adoption of emerging tech that drives exponential value.
Strategic foresight: IT not only embraces emerging technologies, but actively drives innovation and disruption through their adoption. IT is adept at using trends to drive exploration and can quickly execute on initiatives.
Emerging tech expertise: There is an expert-level understanding of emerging technologies including their capabilities, limitations, risks, trends, and potential use cases. IT proactively drives the adoption of emerging technology.
Strategic alignment: IT proactively uses the business strategy to drive adoption of emerging technology and identify new opportunities. Each initiative has clear metrics and targets which directly impact business targets.
Tech Trends 2023: Like a chess grandmaster, CIOs must play both sides of the board. Emerging technologies present opportunities to attack, but it's necessary to protect from a volatile board.
Establish a Foresight Capability: To be recognized and validated as a forward-thinking CIO, you must establish a structured approach to innovation that considers external trends alongside internal processes.
Build a Business-Aligned IT Strategy: Elicit the business context and identify strategic initiatives that are most important to the organization while building a plan to execute on it.
IT must use data to drive the ideation process, engaging the business to identify opportunities – all while managing risk.
"Innovation is key. Only those who have the agility to change with the market and innovate quickly will survive." – Robert Kiyosaki, Entrepreneur & Author
Many Agile concepts are used in the process of innovation, regardless of whether the formal Agile methodology is used. Fast iterations ("fail fast"), lessons learned, and risk management are equally important for ideation as they are for execution. This category evaluates IT's ability to drive the ideation process at the enterprise level.
Agility is critical for innovation, particularly when adopting emerging technology. AI and other emerging technologies are accelerating the pace of change and driving a necessary increase in how quickly organizations must adapt.
Data is also critical when building a case for change. A survey of over 1,000 senior business leaders showed that organizations that effectively use data to drive decision making are three times more likely to report significant improvements in the quality of their decisions.[1]
[1] Harvard Business School Online, 2019
The business must be involved in ideation. Develop the skills needed to engage the business and identify challenges and opportunities.
Build your proficiency in the following ideation capabilities:
Data-driven decision making: Data is proactively collected from multiple internal and external sources to inform innovation strategies. Continuous monitoring of innovation provides a strong rationale for outcomes and benefits. Data governance, quality, and privacy measures are in place to ensure data quality.
Ability to identify opportunities: IT actively shapes the future of the organization and the industry by proactively identifying business opportunities for emerging technology and leading the way in their adoption. Experiments and pilots are often industry firsts.
Business engagement: IT enables the business by engaging at all levels to identify and refine emerging technology opportunities. They effectively communicate benefits and risks in business terms, while understanding business needs and challenges. IT collaborates with the business to establish innovation centers or communities of practice.
Risk management: There is a proactive and holistic approach to risk management, considering both opportunities and threats associated with emerging technology adoption. IT and the business continually anticipate and monitor emerging risks, evaluate the effectiveness of risk management practices, and adapt them to evolving technology landscapes.
Develop Your Agile Approach for a Successful Transformation: Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.
Build an IT Risk Management Program: Risk is inevitable. Without a formal management program, you may be unaware of your greatest IT risks. Reacting to risks after they occur can be costly and devastating, yet this is one of the most common tactics used by IT departments.
Kick-Start IT-Led Business Innovation: Business demand for new technology is intensifying pressure to innovate and executive stakeholders expect more from IT. If IT is not considered a source of innovation, its perceived value decreases, and the threat of shadow IT grows. Don't wait to start finding and capitalizing on opportunities for IT-led innovation.
Ensure you have the right resources and skills needed to drive innovation.
"The best way to predict the future is to invent it." – Alan Kay, Computer Scientist
Resourcing and skills are critical building blocks for driving innovation, and without a strong understanding of emerging technology and the processes needed to adopt it, organizations will falter at driving change.
Develop the right resourcing, skills, change management, and partnerships to drive Exponential IT.
Scaled Agile (SAFe): Scaled Agile is a framework for implementing Agile and lean methodologies at the enterprise level or outside of a single team.
Development operations (DevOps): A methodology for software development which includes practices and tools that support the development lifecycle.
Data operations (DataOps): A set of tools and processes that support data management within an organization. Typically used when training AI on a specialized data set.
Analytics: The systematic analysis of information used to discover, interpret, and communicate insights gleaned from patterns in data. Analytics typically generate insights that support data-driven decision making.
Machine learning operations (MLOps): Tools and processes that support the development of machine learning (ML) models, including AI and large language models (LLM). Can include expertise in computer science, natural language processing (NLP), computer vision, computational algorithms, mathematics, and ML expertise.
Artificial intelligence operations (AIOps): Leveraging AI to develop autonomous business processes at the enterprise level.
Agile: Build the methodologies to drive execution
DevOps: Drive the software development lifecycle
DataOps: Effectively manage data
Analytics: Develop insights from data
MLOps: Develop machine learning tools
AIOps: Build autonomous business processes
Resourcing & investment: IT manages a well-defined and substantial budget dedicated to innovation, which is integrated into the overall strategic planning and decision-making processes. Investments are made in a holistic and forward-looking manner, considering the long-term implications and potential disruption caused by emerging technologies.
Talent & skills: Teams exhibit thought leadership and innovate within emerging technologies, including advanced machine learning engineering, MLOps, DataOps, and analytics. Employees actively contribute to the advancement of these technologies, engage in research and development, and explore new applications and use cases.
Change management: This is a core competency led by change champions and change management professionals. There is a strategic approach to driving and sustaining change, focusing on long-term adoption and continuous improvement. Change management is embedded in the organizational culture, and there is a proactive effort to foster change agility and build change capability at all levels.
Partnerships & ecosystems: IT builds an orchestrated innovation ecosystem for the adoption of emerging technology. They take a proactive role in orchestrating collaboration among ecosystem partners. The organization acts as a catalyst for innovation, bringing together diverse partners to address complex challenges and drive transformative solutions.
Drive Technology Adoption: The project isn't over if the new product or system isn't being used. How do you ensure that what you've put in place will not be ignored or only partially adopted? People are more complicated than any new system and managing them through change requires careful planning.
Extend Agile Practices Beyond IT: Further the benefits of Agile by extending a scaled Agile framework to the business. Not all lessons from scaling Agile to IT are transferable. IT Agile scaling processes are tailored to IT's scope, team, and tools, which may not account for diverse attributes within your organization.
Managing Exponential Value Relationships: Successfully managing outcome-based relationships requires a higher degree of trust than traditional vendor relationships. Building trust comes from sharing risks and rewards between organizations and vendors.
Can you deliver results? Develop the capability to execute on innovative ideas.
"What good is an idea if it remains an idea? Try. Experiment. Fail. Try again. Change the world." – Simon Sinek, Author, Motivational Speaker
The foundational elements of innovation significantly overlap with the activities you must do to excel at core IT operations. Build your ability to execute quickly on innovative ideas and build the trust of the enterprise.
The foundational capabilities of innovation are central to many core IT processes: governance, security, supporting infrastructure, and the ability to execute on ideas are all critical to running an effective IT shop.
IT governance is a critical and embedded practice ensuring information and technology investments, risks, and resources are aligned in the organization's best interests while producing business value. Effective governance ensures that the right technology investments are made at the right time to support and enable your organization's mission, vision, and goals.
The ability to rapidly execute on ideas is fundamental not only to innovation but also running an effective IT organization.
The ability to execute is based on key foundational capabilities, including:
Governance: Adaptable and automated governance guides effective innovation and supports the adoption of emerging technology. Decision making is flexible and can move quickly to enable the implementation of new technologies. Responsibility and authority are aligned across all levels of the organization.
Embedded security: Security and privacy controls are embedded in the applications and technologies deployed across the enterprise. Security is built into the organizational culture, with a strong focus on promoting security awareness and fostering a security-first mindset.
Infrastructure: IT infrastructure is modern, adaptive, and future-proof. Infrastructure should support a range of emerging technology applications, including the flexibility to adapt to future use cases. There is a focus on agility, scalability, flexibility, and interoperability.
Ability to execute: The IT team drives rapid innovation across the organization and can reliably execute and collaborate with internal and external partners. They are pivotal in driving innovation initiatives that align with the organization's strategic objectives. Agile methodologies and practices are embedded in the culture of the team.
Make Your IT Governance Adaptable: Produce more value from IT by developing a governance framework optimized for your current needs and context, with the ability to adapt as your needs shift. Create the foundation and ability to delegate and empower governance to enable agile delivery.
Build an Information Security Strategy: Many security leaders struggle to decide how best to prioritize their scarce information security resources. The need to move from a reactive security approach toward a strategic planning approach is clear. The path to getting there is less so.
Exploit Disruptive Infrastructure Technology: Accurate predicting isn't easy. Most IT leaders fail to realize how quickly technology increases in capability. Even for the tech savvy, it's difficult to predict which specific technologies will become disruptive.
Input: Core competencies; Knowledge of internal processes and capabilities
Output: Readiness assessment
Materials: Exponential Innovation Assessment Tool; Whiteboard/Flip charts
Participants: Executive leadership team, including CIO; Other internal stakeholders of vendor partnerships
Download the Exponential Innovation Assessment Tool
Once you have completed the readiness assessment, use Info-Tech's maturity ladder to identify next steps and recommendations.
It is usually very challenging to lead innovation with a total score less than 50. Lower maturity organizations should focus on maturing the foundational aspects of innovation, such as those in the Innovation Execution and Team Capabilities categories, and core IT processes.
For higher maturity organizations (those with total scores 50 or higher), first focus on getting all capabilities to a minimum of Level 3, then work on progressing maturity starting with foundational categories and working upwards:
Input: Readiness assessment
Output: Action plan to improve maturity of capabilities
Materials: Exponential Innovation Assessment Tool; Whiteboard/Flip charts
Participants: Executive leadership team, including CIO; Other internal stakeholders of vendor partnerships
Kim Osborne Rodriguez
Research Director, CIO Advisory
Info-Tech Research Group
Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach, with a track record of supporting successful projects.
Kim holds a Bachelor's degree in Honours Mechatronics Engineering and an option in Management Sciences from University of Waterloo.
Jack Hakimian
Senior Vice President
Info-Tech Research Group
Jack has more than 25 years of Technology and Management Consulting experience. He has served multi-billion-dollar organizations in multiple industries including Financial Services and Telecommunications. Jack also served many large public sector institutions.
He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master's degree in Computer Engineering and an MBA from the ESCP-EAP European School of Management.
Mark Tauschek
Vice President, Infrastructure & Operations Research
Info-Tech Research Group
Mark has hands-on network design and deployment experience across verticals including healthcare, education, manufacturing, retail, and entertainment. He has extensive knowledge in the areas of technology research, process development, vendor selection, and project management. He holds specific expertise in wireless networking and mobile technologies.
Mark holds an MBA from the Richard Ivey School of Business at the University of Western Ontario and many professional wireless technology certifications.
Michael Tweedie
Practice Lead, CIO Strategy
Info-Tech Research Group
Mike Tweedie brings over 25 years as a technology executive. He's led several large transformation projects across core infrastructure, application and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management.
Mike holds a Bachelor's degree in Architecture from Ryerson University.
Donna Bales
Principal Research Director
Info-Tech Research Group
Donna Bales is a Principal Research Director in the CIO Practice at Info-Tech Research Group specializing in research and advisory services in IT risk, governance, and compliance. She brings over 25 years of experience in strategic consulting and product development and has a history of success in leading complex, multi-stakeholder industry initiatives.
Donna has a Bachelor's degree in Economics from the University of Western Ontario.
Isabelle Hertanto
Principal Research Director, Security & Privacy
Info-Tech Research Group
Isabelle Hertanto has over 15 years of experience delivering specialized IT services to the security and intelligence community. As a former federal officer for Public Safety Canada, Isabelle trained and led teams on data exploitation and digital surveillance operations in support of Canadian national security investigations. Since transitioning into the private sector, Isabelle has held senior management and consulting roles across a variety of industry sectors, including retail, construction, energy, healthcare, and the broader Canadian public sector.
Aaron Shum
Vice President, Security, Privacy, Risk & Compliance
Info-Tech Research Group
Aaron Shum is a Vice President in the Security & Privacy Research and Advisory Practice at Info-Tech Research Group. With 25+ years of experience across IT, InfoSec, and Data Privacy, he currently specializes in helping organizations implement comprehensive information security and cybersecurity programs and comply with data privacy regulations such as the European Union's General Data Protection Regulation and the California Privacy Rights Act.
Reiaz Somji
Managing Director, Consulting
Info-Tech Research Group
As a client-focused strategist with strong organizational acumen, Reiaz leverages his 20+ years of management consulting experience to help C-suite executives and managers navigate the integration of changing technology with business goals. He is currently a managing director in Info-Tech's consulting division and leads its Infrastructure practice.
Hans Eckman
Principal Research Director, Applications
Info-Tech Research Group
Hans Eckman is a business transformation leader helping organizations connect business strategy and innovation to operational excellence. He supports Info-Tech members in SDLC optimization, Agile and DevOps implementation, CoE/CoP creation, innovation program development, application delivery, and leadership development. Hans is based out of Atlanta, Georgia.
Irina Sedenko
Research Director, Data & Analytics
Info-Tech Research Group
Irina brings more than 20 years of information management experience and demonstrated expertise in big data, advanced analytics, machine learning, and AI. Her experience includes designing and implementing enterprise content management systems, defining data and analytics strategy to support business goals and objectives, creating data governance to enable data initiatives, and providing guidance to the client teams. She led teams through data lake implementation to enable advanced analytics capabilities and has hands-on data science and machine learning experience.
Bill Macgowan
Director, Smart Building Digitization
Cisco
Barry Wiech
Chief Digital and Information Officer
Sime Darby Industrial
Tim Dunn
Chief Information Officer
Department of Energy & Public Works (Queensland)
Sudip Ghosh
Group Manager, Office of the CIO
Star Entertainment Group
Samantha Rose
Contract Manager
Department of Energy & Public Works (Queensland)
Altringer, Beth. "A New Model for Innovation in Big Companies." Harvard Business Review. 19 Nov. 2013. Accessed 15 June 2023. https://hbr.org/2013/11/a-new-model-for-innovation-in-big-companies
Bar Am, Jordan et al. "Innovation in a Crisis: Why it is More Critical Than Ever." McKinsey & Company, 17 June 2020. Accessed 15 June 2023. https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/innovation-in-a-crisis-why-it-is-more-critical-than-ever
Barsh, Joanna et al. "Leadership and Innovation." McKinsey Quarterly, 1 Jan 2008. Accessed 7 July 2023. https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/leadership-and-innovation
Borealis AI. "RBC Wins Best Use of AI for Customer Experience for NOMI Forecast." Borealis AI Blog, 28 Apr 2023. Accessed 13 June 2023. https://www.borealisai.com/news/rbc-wins-best-use-of-ai-for-customer-experience-for-nomi-forecast/
Boston Consulting Group. "Most Innovative Companies 2022." BCG, 15 Sept. 2022. Accessed 15 June 2023. https://www.bcg.com/en-ca/publications/2022/innovation-in-climate-and-sustainability-will-lead-to-green-growth
BrainyQuote. "Innovation Quotes." Accessed 19 June 2023. https://www.brainyquote.com/topics/innovation-quotes
Christensen, Clayton M. The Innovator's Dilemma: When New Technologies Cause Great Firms to Fail. Harvard Business Review Press, 2016.
Cleroux, Pierre. The "I" Word. BDC. Accessed 1 Aug 2023. https://www.bdc.ca/en/articles-tools/blog/innovation-no-1-factor-business-success
FutureCIO Editors. "Failed transformation can result in US$6 million in lost revenue." FutureCIO, 29 Apr 2022. Accessed 10 Jul 2023. https://futurecio.tech/failed-transformation-can-result-in-us6-million-in-lost-revenue/
Goodreads. "W. Edwards Deming Quotes." Accessed 19 June 2023. https://www.goodreads.com/quotes/7327935-without-data-you-re-just-another-person-with-an-opinion
Haefner, Naomi et al. "Artificial intelligence and innovation management: A review, framework, and research agenda." Technological Forecasting and Social Change, Volume 162, 2021. Accessed 15 June 2023. https://www.sciencedirect.com/science/article/pii/S004016252031218X
IBM. "The new AI innovation equation." IBM Website. 13 Oct 2016. Accessed 15 June 2023. https://www.ibm.com/watson/advantage-reports/future-of-artificial-intelligence/ai-innovation-equation.html
Isomaki, Atte. "60+ Innovation Quotes and What They Can Teach You." Viima, 19 Mar 2019. Accessed 6 July 2023. https://www.viima.com/blog/innovation-quotes
Kay, Alan. "The best way to predict the future is to invent it." Quote Park, 3 June 2021. Accessed 15 June 2023. https://quotepark.com/quotes/1893243-alan-kay-the-best-way-to-predict-the-future-is-to-invent-it/
Kirsner, Scott. "The Biggest Obstacles to Innovation in Large Companies." Harvard Business Review, 30 July 2018. Accessed 15 June 2023. https://hbr.org/2018/07/the-biggest-obstacles-to-innovation-in-large-companies
Kiyosaki, Robert. "Innovation is key. Only those who have the agility to change with the market and innovate quickly will survive." AZ Quotes, 11 Dec. 2013. Accessed 15 June 2023.
Leadership IQ. "The State Of Leadership Development." Leadership IQ, 2020. Accessed 6 July 2023. https://www.leadershipiq.com/blogs/leadershipiq/leadership-development-state
Lombard, Charl. "Defining Digital: A New Approach to Digital Transformation." Info-Tech LIVE Conference, 2022. https://tymansgrpup.com/videos/defining-digital-a-new-approach-to-digital-transformation
Murphy, Mark. "A Shocking Number Of Leaders Are Not Aligned With Their Companies' Visions." Forbes, 28 Aug 2020. Accessed 6 Jul 2023. https://www.forbes.com/sites/markmurphy/2020/08/28/a-shocking-number-of-leaders-are-not-aligned-with-their-companies-visions
Seymour, Harriet et al. "How to unlock a scientific approach to change management with powerful data insights." IBM, 11 Jan 2023. Accessed 6 July 2023. https://www.ibm.com/blog/how-to-unlock-a-scientific-approach-to-change-management-with-powerful-data-insights/
Sinek, Simon. "What good is an idea if it remains an idea? Try. Experiment. Fail. Try again. Change the world." Praxie, n.d. https://praxie.com/top-innovation-quotes/
Stobierski, Tim. "The Advantages of Data-Driven Decision-Making." Harvard Business School Online, 26 Aug 2019. Accessed 6 July 2023. https://online.hbs.edu/blog/post/data-driven-decision-making
Torres, Roberto. "How tech leaders can earn C-suite trust." CIO Dive, 1 Jul 2022. Accessed 7 Jul 2023. https://www.ciodive.com/news/C-suite-trust-CIO-executives/626476/
Tushman, Michael et al. "Change Management Is Becoming Increasingly Data-Driven. Companies Aren't Ready." Harvard Business Review, 23 Oct 2017. Accessed 6 Jul 2023. https://hbr.org/2017/10/change-management-is-becoming-increasingly-data-driven-companies-arent-ready
Weick, Karl and Kathleen Sutcliffe. Managing the Unexpected: Sustained Performance in a Complex World, Third Edition. John Wiley & Sons, 2015.
Level-set the expectations for your business-managed applications.
Identify and define your application managers and owners and build a fit-for-purpose governance model.
Build a roadmap that illustrates the key initiatives to implement your BMA and governance models.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Define business-managed applications in your context.
Identify your business-managed application objectives.
State the value opportunities with business-managed applications.
A consensus definition and list of business-managed applications goals
Understanding of the business value business-managed applications can deliver
1.1 Define business-managed applications.
1.2 List your objectives and metrics.
1.3 State the value opportunities.
Grounded definition of a business-managed application
Goals and objectives of your business-managed applications
Business value opportunity with business-managed applications
Develop your application management framework.
Tailor your application delivery and ownership structure to fit business-managed applications.
Discuss the value of an applications committee.
Discuss technologies to enable business-managed applications.
Fit-for-purpose and repeatable application management selection framework
Enhanced application governance model
Applications committee design that meets your organization’s needs
Shortlist of solutions to enable business-managed applications
2.1 Develop your management framework.
2.2 Tune your delivery and ownership accountabilities.
2.3 Design your applications committee.
2.4 Uncover your solution needs.
Tailored application management selection framework
Roles definitions of application owners and managers
Applications committee design
List of business-managed application solution features and services
Build your roadmap to implement business-managed applications and build the foundations of your optimized governance model.
Implementation initiatives
Adoption roadmap
3.1 Build your roadmap.
Business-managed application adoption roadmap
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Assess the organization’s fit for MMS technology and structure the MMS selection project.
Produce a vendor shortlist for your MMS.
Evaluate RFPs, conduct vendor demonstrations, and select an MMS.
Determine a “right-size” approach to marketing enablement applications.
Confirmation of the goals, objectives, and direction of the organization’s marketing application strategy.
1.1 Assess the value and identify the organization’s fit for MMS technology.
1.2 Understand the art of the possible.
1.3 Understand CXM strategy and identify your fit for MMS technology.
1.4 Build procurement team and project customer experience management (CXM) strategy.
1.5 Identify your MMS requirements.
Project team list.
Preliminary requirements list.
Enumerate relevant marketing management suites and point solutions.
List of marketing enablement applications based on requirements articulated in the preliminary requirements list strategy.
2.1 Identify relevant use cases.
2.2 Discuss the vendor landscape.
Vendor shortlist.
Develop a rationale for selecting a specific MMS vendor.
MMS Vendor decision.
A template to communicate the decision to executives.
3.1 Create a procurement strategy.
3.2 Discuss the executive presentation.
3.3 Plan the procurement process.
Executive/stakeholder PowerPoint presentation.
Selection of an MMS.
“Marketing applications are in high demand, but it is difficult to select a suite that is right for your organization. Market offerings have grown from 50 vendors to over 800 in the past five years. Much of the process of identifying an appropriate vendor is not about the vendor at all, but rather about having a comprehensive understanding of internal needs. There are instances where a smaller-point solution is necessary to satisfy requirements and a full marketing management suite is an overinvestment.
Likewise, a partner with differentiating features such as AI-driven workflows and a mobile software development kit can act as a powerful extension of an overall customer experience management strategy. It is crucial to make the right decision; missing the mark on an MMS selection will have a direct impact on the business’ bottom line.”
Ben Dickie
Research Director, Enterprise Applications
Info-Tech Research Group
This Research Is Designed For:
This Research Will Help You:
This Research Will Also Assist:
This Research Will Help Them:
The MMS market is a landscape of vendors offering campaign management, multichannel support, analytics, and publishing tools. Many vendors specialize in some of these areas but not all. Sometimes multiple products are necessary – but determining which feature sets the organization truly needs can be a challenging task. The right technology stack is critical in order to bring automation to marketing initiatives.
“When it comes to marketing automation capabilities, using CRM is like building a car from a kit. All the parts are there, but you need the time and skill to put it all together. Using marketing automation is like buying the car you want or need, with all the features you want already installed and some gas in the tank, ready to drive. In either case, you still need to know how to drive and where you want to go.” (Mac McIntosh, Marketo Inc.) |
A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue. |
MMS helps marketers in two primary ways:
“A marketing automation solution delivers essentially all the benefits of an email marketing solution along with integrated capabilities that would otherwise need to be cobbled together using various standalone technologies.” (Marketo Inc.) |
1 | 2 | 3 | 4 | 5 |
Establish Resources | Gather Requirements | Write and Assemble RFP | Exercise Due Diligence | Evaluate Candidate Solutions |
Contact your account representative or email Workshops@InfoTech.com for more information.
CASE STUDY |
Industry: Professional Services | Source: Info-Tech Consulting |
Challenge: A large professional services firm specializing in knowledge development was looking to modernize an outdated marketing services stack. Previous investments in marketing tools ranging from email automation to marketing analytics led to system fragmentation. As a result, there was no 360-degree overview of marketing operations and no way to run campaigns at scale. To satisfy the organization’s aspirations, a comprehensive marketing management suite had to be selected that met needs for the foreseeable future. |
Solution: The Info-Tech consulting team was brought in to assist in the MMS selection process. After meeting with several stakeholders, MMS requirements were developed and weighted. An RFP was then created from these requirements. Following a market scan, four vendors were selected to complete the organization’s RFP. Demonstration scripts were then developed as the RFPs were completed by vendors. Shortlisted vendors progressed to the demonstration phase. |
Results: Vendor scorecards were utilized during the two-day demonstrations with the core project team to score each vendor. During the scoring process the team also identified the need to replace the organization’s core customer repository (a legacy CRM). The decision was made to select a CRM before finalizing the MMS selection. Doing so ensured uniform system architecture and strong interoperability between the firm’s MMS and its CRM. |
DIY Toolkit | Guided Implementation | Workshop | Consulting |
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks used throughout all four options |
1. Launch the MMS Project and Collect Requirements | 2. Shortlist Marketing Management Suites | 3. Select Vendor and Communicate Decision to Stakeholders |
Best-Practice Toolkit | 1.1 Assess the value and identify your organization’s fit for MMS technology. 1.2 Build your procurement team and project customer experience management (CXM) strategy. 1.3 Identify your MMS requirements. | 2.1 Produce your shortlist | 3.1 Select your MMS 3.2 Present selection |
Guided Implementations |
Onsite Workshop | Module 1: Launch Your MMS Selection Project | Module 2: Analyze MMS Requirements and Shortlist Vendors | Module 3: Plan Your Procurement Process |
Phase 1 Outcome: | Phase 2 Outcome: | Phase 3 Outcome: |
Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.
This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project. |
This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members who will come onsite to facilitate a workshop for your organization. |
This icon denotes a slide that pertains directly to the Info-Tech vendor profiles on marketing management technology. Use these slides to support and guide your evaluation of the MMS vendors included in the research. |
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Step 1.2: Structure the Project | Step 1.3: Gather Requirements |
Start with an analyst kick-off call: | Review findings with analyst: |
Then complete these activities… | Then complete these activities… |
With these tools & templates: | With these tools & templates: |
Phase 1 Results:
1.1 | 1.2 | 1.3 |
Understand the MMS Market | Structure the Project | Gather MMS Requirements |
Analytics | The practice of measuring marketing performance to improve return on investment (ROI). It is often carried out through the visualization of meaningful patterns in data as a result of marketing initiatives. |
Channels | The different places where marketers can reach customers (e.g. social media, print mail, television). |
Click-through rate | The percentage of individuals who proceed (click-through) from one part of a marketing campaign to the next. |
Content management | Curating, creating, editing, and keeping track of content and client-facing assets. |
Customer relationship management (CRM) | A core enterprise application that provides a broad feature set for supporting customer interaction processes. The CRM frequently serves as a core customer data repository. |
Customer experience management (CXM) | The holistic management of customer interaction processes across marketing, sales, and customer service to create valuable, mutually beneficial customer experiences. |
Engagement rate | A social media metric used to describe the amount of likes, comments, shares, etc., that a piece of content receives. |
Lead | An individual or organization who has shown interest in the product or service being marketed. |
Omnichannel | The portfolio of interaction channels you use. |
A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue. If you have customer records in multiple places, you risk missing customer opportunities and potentially upsetting clients. For example, if a client has communicated preferences or disinterest through one channel, and this is not effectively recorded throughout the organization, another representative is likely to contact them in the same method again – possibly alienating the customer for good. A master database requires automatic synchronization with all point solutions, POS, billing systems, agencies, etc. If you don’t have up-to-the-minute information, you can’t score prospects effectively and you lose out on the benefits of the MMS. |
Focus on the fundamentals before proceeding. | Secure organizational readiness to reduce project risk using Info-Tech’s Build a Strong Technology Foundation for CXM and Select and Implement a CRM Platform blueprints. |
The world of marketing technology changes rapidly! Understand how modern marketing management suites are used in most organizations. An MMS helps marketers in two primary ways:
Marketing suites accomplish these tasks by:
A strong MMS provides marketers with the data they need for actionable insights about their customers. “A marketing automation solution delivers essentially all the benefits of an email marketing solution along with integrated capabilities that would otherwise need to be cobbled together using various standalone technologies.” (Marketo Inc.) | Inform your way of thinking by understanding the capabilities of modern marketing applications. |
(Source: Info-Tech Research Group; N=23)
The key drivers for MMS are business-related, not IT-related. However, this does not mean that there are no benefits to IT. In fact, the IT department will see numerous benefits, including time and resource savings. Further, not having an MMS creates more work for your IT department. IT must serve as a valued partner for selection and implementation.
Marketing management suites are ideal for large organizations with multiple product lines in complex marketing environments. IT is often more centralized than its counterparts in the business, making it uniquely positioned to encourage greater coordination by helping the business units understand the shared goals and the benefits of working together to roll out suites for marketing workflow management, intelligence, and channel management.
Cross-Segmentation | Additional Revenue Generation | Real-Time Capabilities | Lead Growth/Conversion Rate |
Business Value |
IT Value |
Don’t forget that MMS technologies deliver on the overarching suite value proposition: a robust solution within one integrated offering. Without an MMS in play, organizations in need of this functionality are forced to piece together point solutions (or ad hoc management). This not only increases costs but also is an integration nightmare for IT.
Sample Project Overview: [Organization] plans to select and implement a marketing management suite in order to introduce better campaign management to the business’ processes. This procurement and implementation of an MMS tool will enable the business to improve the efficiency and effectiveness of marketing campaign execution. This project will oversee the assessment and shortlisting of MMS vendors, selection of an MMS tool, the configuration of the solution, and the implementation of the technology into the business environment.
Rationale Behind the Project: Consider the business drivers behind the interest in MMS technology. Be specific to business units impacted and identify key considerations (both opportunities and risks). |
Business Drivers
Creating repeatable and streamlined marketing processes is a common overarching business objective that is driven by multiple factors. To ensure this objective is achieved, confirm that the primary drivers are following the implementation of the first automated marketing channels.
INPUT: Stakeholder user stories
OUTPUT: Understanding of ideal outcomes from MMS implementation
MATERIALS: Whiteboard and marker or sticky notes
PARTICIPANTS: Project sponsor, Project stakeholders, Business analysts, Business unit reps
Improve | Reduce/Eliminate | KPIs |
Multichannel marketing | Duplication of effort | Number of customer interaction channels supported |
Social integration | Process inefficiencies | Number of social signals received (likes, shares, etc.) |
… | … | … |
If you do not have a well-defined CXM strategy, leverage Info-Tech’s research to Build a Strong Technology Foundation for Customer Experience Management.
This blueprint focuses on complete, integrated marketing management suites. An integrated suite is a single product that is designed to assist with multiple marketing processes. Information from these suites is deeply connected to the core CRM. Changing a piece of information for one process will update all affected. |
A point solution typically interfaces with a single customer interaction channel with minimal CRM integration. Why use a marketing point solution?
Refer to Phase 2 for a bird’s-eye view of the point solution marketplace. |
Marketing Point Solutions
Adopt an MMS if:
Bypass an MMS if:
Using an MMS is ideal for organizations with multiple brands and product portfolios (e.g. consumer packaged goods). Ad hoc management and email marketing services are best for small organizations with a client base that requires only bare bones engagement.
Use Info-Tech’s MMS Readiness Assessment Checklist to determine if your organization has sufficient process and campaign maturity to warrant the investment in a consolidated marketing management suite.
Sections of the Tool:
INFO-TECH DELIVERABLE: Complete the MMS Readiness Assessment Checklist by following the instructions in Activity 1.2.3. |
1.2.3 30 minutes
INPUT: MMS foundation, MMS strategy
OUTPUT: Readiness remediation approach, Validation of MMS project readiness
MATERIALS: Info-Tech’s MMS Readiness Assessment Checklist
PARTICIPANTS: Project sponsor, Core project team
USE CASES |
While an organization may be product- or service-centric, most fall into one of the three use cases described on this slide. |
1) Marketing Automation
Workflow Management: Managing complex marketing campaigns and building and tracking marketing workflows are the mainstay responsibilities of brand managers and other senior marketing professionals. In this category, we evaluated vendors that provide marketers with comprehensive tools for marketing campaign automation, workflow building and tracking, lead management, and marketing resource planning for campaigns that need to reach a large segment of customers.
Omnichannel Management: The proliferation of marketing channels has created significant challenges for many organizations. In this use case, we executed a special evaluation of vendors that are well suited for the intricacies of juggling multiple channels, particularly mobile, social, and email marketing. |
2) Marketing Intelligence: Sifting through data from a myriad of sources and coming up with actionable intelligence and insights remains a critical activity for marketing departments, particularly for market researchers. In this category, we evaluated solutions that aggregate, analyze, and visualize complex marketing data from multiple sources to allow decision makers to execute informed decisions.
3) Social Marketing: The proliferation of social networks, customer data, and use cases has made ad hoc social media management challenging. In this category we evaluated vendors that bring uniformity to an organization’s social media capabilities and contribute to a 360-degree customer view. |
1.3.1 30 minutes
INPUT: Use-case breakdown
OUTPUT: Project use-case alignments
Materials: Whiteboard, markers
Participants: Project manager, Core project team (optional)
The use-case view of vendor and product performance provides multiple opportunities for vendors to fit into your application architecture depending on their product and market performance. The use cases selected are based on market research and client demand.
Determining your use case is crucial for:
The following slides illustrate how the three most common use cases (marketing automation, marketing intelligence, and social marketing) align with business needs. As shown by the case studies, the right MMS can result in great benefits to your organization.
Marketing Need | Manage customer experience across multiple channels | Manage multiple campaigns simultaneously | Integrate web-enabled devices (IoT) into marketing campaigns | Run and track email marketing campaigns |
Corresponding Feature | End-to-end management of email marketing | Visual workflow editor | Customer journey mapping | Business rules engine | A/B tracking |
CASE STUDY | Industry: Entertainment | Source: Marketo |
Challenge: The Portland Trail Blazers, an NBA franchise, were looking to expand their appeal beyond the city of Portland and into the greater Pacific Northwest Region. The team’s management group also wanted to showcase the full range of events that were hosted in the team’s multipurpose stadium. The Trail Blazers were looking to engage fans in a more targeted fashion than their CRM allowed for. Ultimately, they hoped to move from “batch and blast” email campaigns to an automated and targeted approach. | Solution: The Trail Blazers implemented an MMS that allowed it to rapidly build different types of campaigns. These campaigns could be executed across a variety of channels and target multiple demographics at various points in the fan journey. Contextual ads were implemented using the marketing suite’s automated customer journey mapping feature. Targeted ads were served based on a fan’s location in the journey and interactions with the Trail Blazers’ online collateral. | Results: The automated campaigns led to a 75% email open rate, which contributed to a 96% renewal rate for season ticket holders – a franchise record. Other benefits resulting from the improved conversion rate included an increased cohesion between the Trail Blazers’ marketing, analytics, and ticket sales operations. |
Marketing Need | Capture marketing- and customer-related data from multiple sources | Analyze large quantities of marketing data | Visualize marketing-related data in a manner that is easy for decision makers to consume | Perform trend and predictive analysis |
Corresponding Feature | Integrate data across customer segments | Analysis through machine learning | Assign attributers to unstructured data | Displays featuring data from external sources | Create complex customer data visualizations |
CASE STUDY | Industry: Retail | Source: SAS |
Challenge: Women’s apparel retailer Chico’s FAS was looking to capitalize on customer data from in-store and online experiences. Chico’s hoped to consolidate customer data from multiple online and brick-and-mortar retail channels to get a complete view of the customer. Doing so would satisfy Chico’s need to create more highly segmented, cost-effective marketing campaigns. | Solution: Chico’s selected an MMS with strong marketing intelligence, analysis, and data visualization capability. The MMS could consolidate and analyze customer and transactional information. The suite’s functionality enabled Chico’s marketing team to work directly with the data, without help from statisticians or IT staff. | Results: The approach to marketing intelligence led to customers getting deals on products that were actually relevant to them, increasing sales and brand loyalty. Moreover, the time it took to perform data consolidation decreased dramatically, from 17 hours to two hours, allowing the process to be performed daily instead of weekly. |
Marketing Need | Understand customers' likes and dislikes | Manage and analyze social media channels like Facebook and Twitter | Foster a conversation around specific products | Engage international audiences through regional messaging apps |
Corresponding Feature | Social listening capabilities | Tools for curating customer community content | Ability to aggregate social data | Integration with popular social networks | Ability to conduct trend reporting |
CASE STUDY | Industry: Life Sciences | Source: Adobe |
Challenge: Bayer, a Fortune 500 health and life sciences company, was looking for a new way to communicate its complex medical breakthroughs to the general public. The decision was made to share the science behind its products via social channels in order to generate excitement. Bayer needed tools to publish content across a variety of social media platforms while fostering conversations that were more focused on the science behind products. | Solution: Based on the requirements, Bayer decided that an MMS would be the best fit. After conducting a market scan, the company selected an MMS with a comprehensive social media suite. The suite included tools for social listening and moderation and tools to guide conversations initiated by both marketers and customers. | Results: The MMS provided Bayer with the toolkit to engage its audience. Bayer took control of the conversation about its products by serving potential customers with relevant video content on social media. Its social strategy coupled with advanced engagement tools resulted in new business opportunities and more than 65,000 views on YouTube and more than 87,000 Facebook views in a single month. |
REQUIREMENTS GATHERING
Info-Tech’s requirements gathering framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework ensures that the application created will capture the needs of all stakeholders and deliver business value. Develop and right-size a proven standard operating procedure for requirements gathering with Info-Tech’s blueprint Build a Strong Approach to Business Requirements Gathering. |
Requirements Gathering Methodology
Requirements Gathering Blueprint Slide 25: Understand the best-practice framework for requirements gathering for enterprise applications projects. |
Requirements Gathering SOP
Requirements Gathering Blueprint Activities 1.2.2-1.2.5, 2.1.1, 2.1.2, 3.1.1, 3.2.1, 4.1.1-4.1.3, 4.2.2: Consolidate outputs to right-size a best-practice SOP for your organization. |
Project Level Selection Tool
Requirements Gathering Blueprint Activity 1.2.4: Determine project-level selection guidelines to inform the due diligence required in your MMS requirements gathering. |
1.3.2 Varies
INPUT: MMS tool user expertise, MMS Requirements Picklist Tool
OUTPUT: A list of needs from the MMS tool user perspective
Materials: Note-taking materials, Whiteboard or flip chart, markers
Participants: MMS users in the organization, MMS selection committee
Download the MMS Requirements Picklist Tool to help with completing this activity.
The return on investment (ROI) and perceived value of the organization’s marketing solution will be a critical indication of the likelihood of success of the suite’s selection and implementation.
EXAMPLE METRICS |
MMS and Technology Adoption
Marketing Performance Metrics |
Average revenue gain per campaign | Quantity and quality of marketing insights |
Average time to execute a campaign | Customer acquisition rates |
Savings from automated processes | Marketing cycle times |
User Adoption and Business Feedback Metrics |
User satisfaction feedback | User satisfaction survey with the technology |
Business adoption rates | Application overhead cost reduction |
Even if marketing metrics are difficult to track right now, the implementation of an MMS brings access to valuable customer intelligence from data that was once kept in silos.
1.2.1 |
Align the CXM strategy value proposition to MMS capabilities
Our facilitator will help your team identify the IT CXM strategy and marketing goals. The analyst will then work with the team to map the strategy to technological drivers available in the MMS market. |
1.3.2 |
Define the needs of MMS users
Our facilitator will work with your team to identify user requirements for the MMS Requirements Picklist Tool. The analyst will facilitate a discussion with your team to prioritize identified requirements. |
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Step 2.1: Analyze and Shortlist MMS Vendors |
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
Phase 2 Results:
2.1 | Analyze and Shortlist MMS Vendors |
Loosely Tied Together: Originally the sales and marketing enterprise application space was highly fragmented, with disparate best-of-breed point solutions patched together. Soon after, vendors in the late 1990s started bundling automation technologies into a single suite offering. Marketing capabilities of CRM suites were minimal at best and often restricted to web and email only.
Limited to Large Enterprises: Many vendors started to combine all marketing tools into a single, comprehensive marketing suite, but cost and complexity limited them to large enterprises and marketing agencies. Best-of-breed solutions targeting new channels and new goals, like closed-loop sales and marketing, continued driving new marketing software genres, like dedicated lead management suites. |
“In today’s volatile business environment, judgment built from past experience is increasingly unreliable. With consumer behaviors in flux, once-valid assumptions (e.g. ‘older consumers don’t use Facebook or send text messages’) can quickly become outdated.” (SAS Magazine) |
As the market evolves, capabilities that were once cutting edge become default and new functionality becomes differentiating. Some features, like basic CRM integration, have become table stakes capabilities. Focus on advanced analytics features and omnichannel integration capabilities to get the best fit for your requirements.
AI and Machine Learning: Vendors are beginning to offer AI capabilities across MMS for data-driven customer engagement scoring and social listening insights. Machine learning capability is being leveraged to determine optimal customer journey and suggest next steps to users.
Marketplace Fragmentation: The number of players in the marketing application space has grown exponentially. The majority of these new vendors offer point solutions rather than full-blown marketing suites. Fragmentation is leading to tougher choices when looking to augment an existing platform with specific functionality.
Improving Application Integration: MMS vendors are fostering deeper integrations between their marketing products and core CRM products, leading to improved data hygiene. At the same time, vendors are improving flexibility in the marketing suite so that new channels can be added easily.
Greater Self-Service: Vendors have an increased emphasis on application usability. Their goal is to enable marketers to execute campaigns without relying on specialists. |
“There’s a firehose of customer data coming at marketers today, and with more interconnected devices emerging (wearables, smart watches, etc.), cultivating a seamless customer experience is likely to grow even more challenging. Building out a data-driven marketing strategy and technology stack that enables you to capture behaviors across channels is key.” (IBM, Ideas for Exceeding Customer Expectations) |
VENDOR PROFILES: Review the MMS Vendor Evaluation |
TABLE STAKES
What does this mean? The products assessed in these vendor profiles meet, at the very least, the requirements outlined as table stakes. Many of the vendors go above and beyond the outlined table stakes; some even do so in multiple categories. This section aims to highlight the products’ capabilities in excess of the criteria listed here.
Info-Tech Insight: If table stakes are all you need from your MMS, determine whether your existing CRM platform already satisfies your requirements. Otherwise, dig deeper to find the best price-to-value ratio for your needs. |
Almost – or equally – as important as evaluating vendor feature capabilities is the need to evaluate vendor viability and non-functional aspects of the MMS. Include an evaluation of the following criteria in your vendor scoring methodology:
Vendor Attribute | Description |
Vendor Stability and Variability | The vendor’s proven ability to execute on constant product improvement, deliberate strategic direction, and overall commitment to research and development efforts in responding to emerging trends. |
Security Model | The potential to integrate the application to existing security models and the vendor's approach to handling customer data. |
Deployment Style | The choice to deploy a single or multi-tenant SaaS environment via a perpetual license. |
Ease of Customization | The relative ease with which a system can be customized to accommodate niche or industry-specific business or functional needs. |
Vendor Support Options | The availability of vendor support options, including selection consulting, application development resources, implementation assistance, and ongoing support resources. |
Size of Partner Ecosystem | The quantity of enterprise applications and third-party add-ons that can be linked to the MMS, as well as the number of system integrators available. |
Ease of Data Integration | The relative ease with which the system can be integrated with an organization’s existing application environment, including legacy systems, point solutions, and other large enterprise applications. |
Evaluate vendor capabilities, not just product capabilities. An MMS is typically a long-term commitment; ensure that your organization is teaming up with a vendor or provider that you feel you can work well with and depend on.
Evaluation Methodology
These product features were assessed as part of the classification of vendors into use cases. In determining use-case leaders and players, select features were considered based on best alignment with the use case.
Review the use-case scenarios relevant to your organization’s use case to identify a vendor’s fit to your organization’s MMS needs.
Understand your organization’s size and whether it falls within the product’s market focus.
Review the differentiating features to identify where the application performs best.
Colors signify a feature’s performance.
FUNCTIONAL SPOTLIGHT
Creative Cloud Integration: To make for a more seamless cross-product experience, projects can be sent between Marketing Cloud and Creative Cloud apps such as Photoshop and After Effects.
Sensei: Adobe has revamped its machine learning and AI platform in an effort to integrate AI into all of its marketing applications. Sensei includes data from Microsoft in a new partnership program.
Anomaly Detection: Adobe’s Anomaly Detection contextualizes data and provides a statistical method to determine how a given metric has changed in relation to previous metrics.
[Charts: USE-CASE PERFORMANCE, MARKET FOCUS, FEATURES]
Adobe’s goal with Marketing Cloud is to help businesses provide customers with cohesive, seamless experiences by surfacing customer profiles in relevant situations quickly. Adobe Marketing Cloud has traditionally been used in the B2C space but has seen an increase in B2C use cases driven by the finance and technology sectors.
Employees (2018): 17,000 | Presence: Global | Founded: 1982 | NASDAQ: ADBE
FUNCTIONAL SPOTLIGHT
Content Optimization System (COS): The fully integrated system stores assets and serves them to their designated channels at relevant times. The COS is integrated into HubSpot's marketing platform.
Email Automation: HubSpot provides basic email that can be linked to a specific part of an organization’s marketing funnel. These emails can also be added to pre-existing automated workflows.
Email Deliverability Tool: HubSpot identifies HTML or content that will be flagged by spam filters. It also validates links and minimizes email load times.
[Charts: USE-CASE PERFORMANCE, MARKET FOCUS, FEATURES]
HubSpot’s primary focus has been on email marketing campaigns. It has put effort into developing solid “click not code” email marketing capabilities. Also, HubSpot has an official integration with Salesforce for expanded operations management and analytics capabilities.
Employees (2018): 1,400 | Presence: Global | Founded: 2006 | NYSE: HUBS
FUNCTIONAL SPOTLIGHT
Watson: IBM is leveraging its popular Watson AI brand to generate marketing insights for automated campaigns.
Weather Effects: Set campaign rules based on connections between weather conditions and customer behavior relative to zip code made by Watson.
Real-Time Personalization: IBM has made efforts to remove campaign interaction latency and optimize live customer engagement by acting on information about what customers are doing in the current moment.
[Charts: USE-CASE PERFORMANCE, MARKET FOCUS, FEATURES]
IBM has remained ahead of the curve by incorporating its well-known AI technology throughout Marketing Cloud. The application’s integration with the wide array of IBM products makes it a powerful tool for users already in the IBM ecosystem.
Employees (2018): 380,000 | Presence: Global | Founded: 1911 | NYSE: IBM
FUNCTIONAL SPOTLIGHT
Content AI: Marketo has leveraged its investments in machine learning to intelligently fetch marketing assets and serve them to customers based on their interactions with a campaign.
Email A/B Testing: To improve lead generation from email campaigns, Marketo features the ability to execute A/B testing for customized campaigns.
Partnership with Google: Marketo is now hosted on Google’s cloud platform, enabling it to provide support for larger enterprise clients and improve GDPR compliance.
[Charts: USE-CASE PERFORMANCE, MARKET FOCUS, FEATURES]
Marketo has strong capabilities for lead management but has recently bolstered its analytics capabilities. Marketo is hoping to capture some of the analytics application market share by offering tools with varying complexity and to cater to firms with a wide range of analytics needs.
Employees (2018): 1,000 | Presence: Global | Founded: 2006 | Private Corporation
FUNCTIONAL SPOTLIGHT
Data Visualization: To make for a more seamless cross-product experience, marketing projects can be sent between Marketing Cloud and Creative Cloud apps such as Dreamweaver.
ID Graph: Use ID Graph to unite disparate data sources to form a singular profile of leads, making the personalization and contextualization of campaigns more efficient.
Interest-Based Messaging: Pause a campaign to update a segment or content based on aggregated customer activity and interaction data.
[Charts: USE-CASE PERFORMANCE, MARKET FOCUS, FEATURES]
Oracle Marketing Cloud is known for its balance between campaigns and analytics products. Oracle has taken the lead on expanding its marketing channel mix to include international options such as WeChat. Users already using Oracle’s CRM/CEM products will derive the most value from Marketing Cloud.
Employees (2018): 138,000 | Presence: Global | Founded: 1977 | NYSE: ORCL
FUNCTIONAL SPOTLIGHT
Einstein: Salesforce is putting effort into integrating AI into all of its applications. The Einstein AI platform provides marketers with predictive analytics and insights into customer behavior.
Mobile Studio: Salesforce has a robust mobile marketing offering that encompasses SMS/MMS, in-app engagement, and group messaging platforms.
Journey Builder: Salesforce created Journey Builder, which is a workflow automation tool. Its user-friendly drag-and-drop interface makes it easy to automate responses to customer actions.
[Charts: USE-CASE PERFORMANCE, MARKET FOCUS, FEATURES]
Salesforce Marketing Cloud is primarily used by organizations in the B2C space. It has strong Sales Cloud CRM integration. Pardot is positioning itself as a tool for sales teams in addition to marketers.
Employees (2018): 1,800 | Presence: Global | Founded: 2000 | NYSE: CRM
FUNCTIONAL SPOTLIGHT
Engagement Studio: Salesforce is putting marketing capabilities in the hands of sales reps by giving them access to a team email engagement platform.
Einstein: Salesforce’s Einstein AI platform helps marketers and sales reps identify the right accounts to target with predictive lead scoring.
Program Steps: Salesforce developed its own distinct workflow-building tool for Pardot. Workflows are made of “Program Steps” that have the functionality to initiate campaigns based on insights from Einstein.
[Charts: USE-CASE PERFORMANCE, MARKET FOCUS, FEATURES]
Pardot is Salesforce’s B2B marketing solution. Pardot has focused on developing tools that enable sales teams and marketers to work in lockstep in order to achieve lead-generation goals. Pardot has deep integration with Salesforce’s CRM and customer service management products.
Employees (2018): 1,800 | Presence: Global | Founded: 2000 | NYSE: CRM
FUNCTIONAL SPOTLIGHT
CMO Dashboard: The specialized dashboard is aimed at providing overviews for the executive level. It includes the ability to coordinate marketing activities and project budgets, KPIs, and timelines.
Loyalty Management: SAP features in-app tools to manage campaigns specifically geared toward customer loyalty with digital coupons and iBeacons.
Customer Segmentation: SAP’s predictive capabilities dynamically suggest relevant customer profiles for new campaigns.
[Charts: USE-CASE PERFORMANCE, MARKET FOCUS, FEATURES]
SAP Hybris Marketing Cloud optimizes marketing strategies in real time with accurate attribution and measurements. SAP’s operations management capabilities are robust, including the ability to view consolidated data streams from ongoing marketing plans, performance targets, and budgets.
Employees (2018): 84,000 | Presence: Global | Founded: 1972 | NYSE: SAP
FUNCTIONAL SPOTLIGHT
Activity Map: A user-friendly workflow builder that can be used to execute campaigns. Multiple activities can be simultaneously A/B tested within the Activity Map UI. The outcome of the test can automatically adjust the workflow.
Spots: A native digital asset manager that can store property that is part of existing and future campaigns.
Viya: A framework for fully integrating third-party data sources into SAS Marketing Intelligence. Viya assists with pairing on-premises databases with a cloud platform for use with the SAS suite.
[Charts: USE-CASE PERFORMANCE, MARKET FOCUS, FEATURES]
SAS has been a leading BI and analytics provider for more than 35 years. Rooted in statistical analysis of data, SAS products provide forward-looking strategic insights. Organizations that require extensive customer intelligence capabilities and the ability to “slice and dice” segments should have SAS on their shortlist.
Employees (2018): 14,000 | Presence: Global | Founded: 1976 | Private Corporation
Additional vendors in the MMS market:
See the next slides for suggested point solutions.
Web experience management (WXM) and social media management platforms (SMMP) act in concert with your MMS to execute complex campaigns.
Social Media Management
Info-Tech’s SMMP selection guide enables you to find a solution that satisfies your objectives across marketing, sales, public relations, HR, and customer service. Create a unified framework for driving successful implementation and adoption of your SMMP that fully addresses CRM and marketing automation integration, end-user adoption, and social analytics with Info-Tech’s blueprint Select and Implement a Social Media Management Platform.
Web Experience Management
Info-Tech’s approach to WXM ensures you have the right suite of tools for web content management, experience design, and web analytics. Put your best foot forward by conducting due diligence as the selection project advances. Ensure that your organization will see quick results with Info-Tech’s blueprint Select and Implement a Web Experience Management Solution.
POINT SOLUTION PROFILES
Review this cursory list of point solutions by use case
Consider point solutions if a full suite is not required
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Step 3.1: Select Your MMS | Step 3.2: Communicate the Decision to Stakeholders |
---|---|
Start with an analyst kick-off call: | Review findings with analyst: |
Then complete these activities… | Then complete these activities… |
With these tools & templates: | With these tools & templates: |
Phase 3 Results
3.1 Select Your MMS | 3.2 Communicate Decision to Stakeholders
3.1.1 30 minutes
INPUT: Organizational use-case fit
OUTPUT: MMS vendor shortlist
Materials: Info-Tech’s MMS use cases, Info-Tech’s vendor profiles, Whiteboard, markers
Participants: Core project team
3.1.2 MMS Request for Proposal Template
Use the MMS Request for Proposal Template as a step-by-step guide on how to request interested vendors to submit written proposals that meet your set of requirements. If interested in bidding for your project, vendors will respond with a description of the techniques they would employ to address your organizational challenges and meet your requirements, along with a plan of work and detailed budget for the project. The RFP is an important piece of setting and aligning your expectations with the vendors’ product offerings. Make sure to address the following elements in the RFP: Sections of the Tool:
INFO-TECH DELIVERABLE: Complete the MMS Request for Proposal Template by following the instructions in Activity 3.1.3.
3.1.3 1-2 hours
INPUT: Business requirements document, Procurement procedures
OUTPUT: MMS RFP
Materials: Internal RFP tools or templates (if available), Info-Tech’s MMS Request for Proposal Template (optional)
Participants: Procurement SMEs, Project manager, Core project team (optional)
Vendor demonstrations are an integral part of the selection process. Having clearly defined selection criteria will help with setting up relevant demos as well as inform the vendor scorecards.
EXAMPLE EVALUATION CRITERIA
Functionality (30%)
Ease of Use (25%)
Cost (15%)
Vendor (15%)
Technology (15%)
Info-Tech Insight: Base your vendor evaluations not on the capabilities of the solutions but instead on how the solutions align with your organization’s process automation requirements and considerations.
Examine how the vendor’s solution performs against your evaluation framework.
Vendor demonstrations create a valuable opportunity for your organization to confirm that the vendor’s claims in the RFP are actually true.
A display of the vendor’s functional capabilities and its execution of the scenarios given in your demo script will help to support your assessment of whether a vendor aligns with your MMS requirements.
3.1.4 1-2 hours
INPUT: Business requirements document, Logistical considerations, Usage scenarios by functional area
OUTPUT: MMS demo script
Materials: Info-Tech’s MMS Vendor Demo Script
Participants: Procurement SMEs, Core project team
Challenge vendor project teams during product demonstrations. Asking the vendor to make adjustments or customizations on the fly will allow you to get an authentic feel of product capability and flexibility, as well as of the degree of adaptability of the vendor project team. Ask the vendor to demonstrate how to do things not listed in your user scenarios, such as changing system visualizations or design, changing underlying data, adding additional datasets, demonstrating analytics capabilities, or channel-specific automation.
MMS Vendor Demo Script
Customize and use Info-Tech’s MMS Vendor Demo Script to help identify how a vendor’s solution will fit your organization’s particular business capability needs. This tool assists with outlining logistical considerations for the demo itself and the scenarios with which the vendors should script their demonstration. Sections of the Tool:
Info-Tech Best Practice: Avoid providing vendors with a rigid script for product demonstration; instead, provide user scenarios. Part of the value of a vendor demonstration is the opportunity to assess whether or not the vendor project team has a solid understanding of your organization’s MMS challenges and requirements and can work with your team to determine the best solution possible. A rigid script may result in your inability to assess whether the vendor will adjust for and scale with your project and organization as a technology partner.
INFO-TECH DELIVERABLE: Use the MMS Vendor Demo Script by following the instructions in Activity 3.1.4.
Design a procurement process that is robust, ruthless, and reasonable. Rooting out bias during negotiation is vital to making unbiased vendor selections.
Vendor Selection
Info-Tech’s approach to vendor selection gets you to design a procurement process that is robust, ruthless, and reasonable. This approach enables you to take control of vendor communications. Implement formal processes with an engaged team to achieve the right price, the right functionality, and the right fit for the organization with Info-Tech's blueprint Implement a Proactive and Consistent Vendor Selection Process.
Vendor Negotiation
Info-Tech’s SaaS negotiation strategy focuses on taking control of implementation from the beginning. The strategy allows you to work with your internal stakeholders to make sure they do not team up with the vendor instead of you. Reach an agreement with your vendor that takes into account both parties’ best interests with Info-Tech’s blueprint Negotiate SaaS Agreements That Are Built to Last.
3.1 Select Your MMS | 3.2 Communicate Decision to Stakeholders
Ensure traceability from the selected tool to the needs identified in the first phase. Internal stakeholders must understand the reasoning behind the final selection and see the alignment to their defined requirements and needs.
Document the selection process to show how the selected tool aligns to stakeholder needs:
Documentation will assist with:
3.2.1 1 week
INPUT: MMS tool selection committee expertise
OUTPUT: Decision to invest or not invest in an MMS tool
Materials: Note-taking materials, Whiteboard or flip chart, markers
Participants: MMS tool selection committee
Documenting the process of how the selection decision was made will avoid major headaches down the road. Without a documented process, internal stakeholders and even vendors can challenge and discredit the selection process.
Adobe Systems Incorporated. “Bayer builds understanding, socially.” Adobe.com, 2017. Web.
IBM Corporation. “10 Key Marketing Trends for 2017.” IBM.com, 2017. Web.
Marketo, Inc. “The Definitive Guide to Marketing Automation.” Marketo.com, 2013. Web.
Marketo, Inc. “NBA franchise amplifies its message with help from Marketo’s marketing automation technology.” Marketo.com, 2017. Web.
Salesforce Pardot. “Marketing Automation & Your CRM: The Dynamic Duo.” Pardot.com, 2017. Web.
SAS Institute Inc. “Marketing Analytics: How, why and what’s next.” SAS Magazine, 2013. Web.
SAS Institute Inc. “Give shoppers offers they’ll love.” SAS.com, 2017. Web.
Assess current state and plan the scope of the SAM program, team, and budget.
Define processes for software requests, procurement, receiving, and deployment.
Define processes for software inventory, maintenance, harvest and redeployment, and retirement.
Build processes for audits and plan the implementation.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Assess current state and plan the scope of the SAM program, team, and budget.
Current state assessment
Defined roles and responsibilities
SAM budget plan
1.1 Outline SAM challenges and objectives.
1.2 Assess current state.
1.3 Identify roles and responsibilities for SAM team.
1.4 Identify metrics and reports.
1.5 Identify SAM functions to centralize vs. decentralize.
1.6 Plan SAM budget process.
Current State Assessment
RACI Chart
Defined metrics and reports
SAM Budget Workbook
Define processes for software requests, procurement, receiving, and deployment.
Defined standards for software procurement
Documented processes for software receiving and deployment
2.1 Determine software standards.
2.2 Define procurement process for new contracts.
2.3 Define process for contract renewals and additional procurement scenarios.
2.4 Design process for receiving software.
2.5 Design deployment workflow.
2.6 Define process for non-standard software requests.
Software standards
Standard Operating Procedures
SAM Process Workflows
Define processes for software inventory, maintenance, harvest and redeployment, and retirement.
Defined process for conducting software inventory
Maintenance and patch policy
Documented workflows for software harvest and redeployment as well as retirement
3.1 Define process for conducting software inventory.
3.2 Define policies for software maintenance and patches.
3.3 Map software license harvest and reallocation process.
3.4 Define policy for retiring software.
Standard Operating Procedures
Patch management policy
SAM Process Workflows
Build processes for audits, identify tool requirements, and plan the implementation.
Defined process for internal and external audits
Tool requirements
Communication and implementation plan
4.1 Define and document the internal audit process.
4.2 Define and document the external audit process.
4.3 Document tool requirements.
4.4 Develop a communication plan.
4.5 Prepare an FAQ list.
4.6 Identify SAM policies.
4.7 Develop a SAM roadmap to plan your implementation.
Audit response templates
Tool requirements
Communication plan
End-user FAQ list
Software Asset Management Policy
Implementation roadmap
“Organizations often conflate software asset management (SAM) with license tracking. SAM is not merely knowing how many licenses you require to be in compliance; it’s asking the deeper budgetary questions to right-size your software spend.
Software audits are a growing concern for businesses, but proactive reporting and decision making supported by quality data will mitigate audit risks. Value is left on the table through underused or poor-quality data, so active data management must be in play. A dedicated ITAM tool can assist with extracting value from your license data.
Achieving an optimized SAM program is a transformative effort, but the people, processes, and technology need to be in place before that can happen.” (Sandi Conrad, Senior Director, Infrastructure & Operations Practice, Info-Tech Research Group)
A strong SAM program will benefit all aspects of the business.
Data and reports gained through SAM will enable data-driven decision making for all areas of the business.
Don’t just track licenses; manage them to create value from data.
Gathering and monitoring license data is just the beginning. What you do with that data is the real test.
Win the audit battle without fighting.
Conduct internal audits to minimize surprises when external audits are requested.
You can estimate the return even without tools or data.
Benefit | Calculate the return |
---|---|
Compliance: How many audits did you have in the past three years? How much time did you spend in audit response? | Suppose you had two audits each year for the last three years, each with an average $250,000 in settlements. A team of four with an average salary of $75,000 each took six months to respond each year, allocating 20% of their work time to the audit. You could argue annual audits cost on average $530,000. Increasing ITAM maturity stands to reduce that cost significantly. |
Efficiency: How much do you spend on software and maintenance by supplier? | Suppose you spent $1M on software last year. What if you could reduce the spend by just 10% through better practices? SAM can help reduce the annual spend by simplifying support, renegotiating contracts based on asset data, reducing redundancy, and reducing spend. |
54% — A study by 1E found that only 54% of organizations believe they can identify all unused software in their organization.
28% — On average, 28% of deployed software is unused, with a wasted cost of $224 per PC on unused software (1E, 2014).
53% — Express Metrix found that 53% of organizations had been audited within the past two years. Of those, 72% had been audited within the last 12 months.
Manage risk. If licensing terms are not properly observed, the organization is at risk of legal and financial exposure, including illegal software installation, loss of proof of licenses purchased, or breached terms and conditions.
Control and predict spend. Unexpected problems related to software assets and licenses can significantly impact cash flow.
Fewer operational interruptions. Poor software asset management processes could lead to failed deployments, software update interruptions, viruses, or a shutdown of unlicensed applications.
Avoid security breaches. If data is not secured through software patches and security measures, confidential information may be disclosed.
More informed decisions. More accurate data on software assets improves transparency and informs decision making.
Improved contract management. Automated tools can alert you when contracts are up for renewal, allowing time to plan and negotiate and then purchase the right number of licenses.
Avoid penalties. Conduct internal audits and track compliance to avoid fees or penalties if an external audit occurs.
Reduced IT support. Employees should require less support from the service desk with proper, up-to-date, licensed software, freeing up time for IT Operations to focus on other work.
Enhanced productivity. By rationalizing and standardizing software offerings, more staff should be using the same software with the same versioning, allowing for better communication and collaboration.
Configuration Management: 76% more effective
Service Catalog: 74% more effective
Quality Management: 63% more effective
Data Quality: 62% more effective
Performance Measurement: 61% more effective
Organizational Change Management: 60% more effective
Portfolio Management: 59% more effective
Enterprise Architecture: 58% more effective
Why? Good SAM processes are integral to both service management and configuration management.
(Source: Info-Tech Research Group, IT Management and Governance Diagnostic; N=972 organizations) (High asset management effectiveness was defined as those organizations with an effectiveness score of 8 or above.)
Focus on software asset management essentials
Phase 1: Assess & Plan | Phase 2: Procure, Receive & Deploy | Phase 3: Manage, Redeploy & Retire | Phase 4: Build supporting processes |
---|---|---|---|
1.1 Assess current state | 2.1 Request & procure | 3.1 Manage & maintain contracts | 4.1 Compliance & audits |
1.2 Build team and define metrics | 2.2 Receive & deploy | 3.2 Harvest or retire | 4.2 Communicate & build roadmap |
1.3 Plan & budget | | | |

Deliverables (all phases): Standard Operating Procedures (SOP)

Phase 1 | Phase 2 | Phase 3 | Phase 4 |
---|---|---|---|
SAM maturity assessment | Process workflows | Process workflows | Audit response templates |
RACI chart | Software standards | Patch management policy | Communication plan & FAQ template |
SAM metrics | | | SAM policies |
SAM budget workbook | | | |
Visa, Inc. is the largest payment processing company in the world, with a network that can handle over 40,000 transactions every minute.
In 2006, Visa launched a formal IT asset management program, but it was not until 2011 that it initiated a focus on SAM. Joe Birdsong, the SAM director, first addressed four major enterprise license agreements (ELAs) and compliance issues. The SAM team implemented a few dedicated SAM tools in conjunction with an aggressive approach to training.
The proactive approach taken by Visa used a three-pronged strategy: people, process, and tools. The process included ELA negotiations, audit responses, and software license rationalization exercises.
According to Birdsong, “In the past three years, SAM has been credited with saving Visa over $200 million.”
SAM Standard Operating Procedures (SOP)
SAM Maturity Assessment
SAM Visio Process Workflows
SAM Budget Workbook
Additional SAM Policy Templates
Software Asset Management Policy
SAM Communication Plan
SAM FAQ Template
GI | Measured Value (Assuming 260 workdays in a year) |
---|---|
Phase 1: Assess & Plan | |
Phase 2: Procure, Receive & Deploy | |
Phase 3: Manage, Redeploy & Retire | |
Phase 4: Build Supporting Processes and Tools | |
Total savings | $330,325 |
DIY Toolkit | Guided Implementation | Workshop | Consulting |
---|---|---|---|
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
| | Phase 1: Assess & plan | Phase 2: Procure, receive & deploy | Phase 3: Manage, redeploy & retire | Phase 4: Build supporting processes |
|---|---|---|---|---|
| | Step 1.1: Assess current state; Step 1.2: Build team and define metrics; Step 1.3: Plan and budget | Step 2.1: Request and procure; Step 2.2: Receive and deploy | Step 3.1: Manage and maintain contracts; Step 3.2: Harvest, redeploy, or retire | Step 4.1: Compliance and audits; Step 4.2: Communicate and build roadmap |
| Guided Implementations | | | | |
| | Module 1: Assess & Plan | Module 2: Map Core Processes: Procure, Receive & Deploy | Module 3: Map Core Processes: Manage, Redeploy & Retire | Module 4: Prepare for audit, build roadmap and communications |
Contact your account representative or email Workshops@InfoTech.com for more information.
| | Workshop Day 1 | Workshop Day 2 | Workshop Day 3 | Workshop Day 4 |
|---|---|---|---|---|
| Activities | Assess & Plan: 1.1 Outline SAM challenges and objectives; 1.2 Assess current state; 1.3 Identify roles and responsibilities for SAM team; 1.4 Identify metrics and reports; 1.5 Identify SAM functions to centralize vs. decentralize; 1.6 Plan SAM budget process | Map Core Processes: Procure, Receive & Deploy: 2.1 Determine software standards; 2.2 Define procurement process for new contracts; 2.3 Define process for contract renewals and additional procurement scenarios; 2.4 Design process for receiving software; 2.5 Design deployment workflow; 2.6 Define process for non-standard software requests | Map Core Processes: Manage, Redeploy & Retire: 3.1 Define process for conducting software inventory; 3.2 Define policies for software maintenance and patches; 3.3 Map software license harvest and reallocation process; 3.4 Define policy for retiring software | Build Supporting Processes: 4.1 Define and document the internal audit process; 4.2 Define and document the external audit process; 4.3 Develop a communication plan; 4.4 Prepare an FAQ list; 4.5 Identify SAM policies; 4.6 Develop a SAM roadmap to plan your implementation |
| Deliverables | | | | |
Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.
This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.
This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.
Visa implemented an IT asset management program in 2006. After years of software audit teams from large firms visiting and leaving expensive software compliance bills, the world’s leading payment processing company decided it was time for a change.
Upper management recognized that it needed to combat audits. It had the infrastructure in place and the budget to purchase SAM tools that could run discovery and tracking functions, but it was lacking the people and processes necessary for a mature SAM program.
Visa decided to fight fire with fire. It initially contracted the same third-party audit teams to help build out its SAM processes. Eventually, Visa formed a new SAM team that was led by a group of former auditors.
The former auditors recognized that their role was not technology based, so a group of technical individuals were hired to help roll out various SAM tools.
The team rolled out tools like BDNA Discover and Normalize, Flexera FlexNet Manager, and Microsoft SCCM.
To establish an effective SAM team, diverse talent is key. Visa focused on employees that were consultative but also technical. Their team needed to build relationships with teams within the organization and externally with vendors.
Most importantly, the leaders of the team needed to think like auditors to better prepare for audits. According to Joe Birdsong, SAM Director at Visa, “we want to be viewed as a team that can go in and help right-size their environment and better understand licensing to help teams make better decisions.”
The SAM team was only the beginning.
Phase 1: Assess & Plan | This step will walk you through the following activities: | This step involves the following participants: |
1.1 | Assess current state |
1.2 | Build team and define metrics |
1.3 | Plan & budget |
Participants: CIO/CFO, IT Director, Asset Manager, Purchasing, Service Desk Manager, Security (optional), Operations (optional)
Drivers of effective SAM | | Results of effective SAM |
---|---|---|
Contracts and vendor licensing programs are complex and challenging to administer without data related to assets and their environment. | → | Improved access to accurate data on contracts, licensing, warranties, installed software for new contracts, renewals, and audit requests. |
Increased need to meet compliance requires a formal approach to tracking and managing assets. | → | Encryption, software application controls, and change notifications all contribute to better asset controls and data security. |
Cost cutting is on the agenda, and management is looking to reduce overall IT spend in the organization in any possible way. | → | Reduction of software spend through data for better forecasting, planning, and licensing rationalization and harvesting. |
Audits are time consuming, disruptive to project timelines and productivity, and costly. | → | Respond to audits with a formalized process, accurate data, and minimal disruption using always-available reporting. |
Participants: CIO/CFO, IT Director, Asset Manager, Service Manager (optional)
Document: Document in the Standard Operating Procedures.
By improving how you manage your licenses and audit requests, you will not only provide benefits through a mature SAM program, you will also improve your service desk and disaster recovery functions.
Maturity | People & Policies | Processes | Technology |
---|---|---|---|
Chaos | | | |
Reactive | | | |
Controlled | | | |
Proactive | | | |
Optimized | | | |
Roles and responsibilities should be adapted to fit specific organizational requirements based on its size, structure, and distribution and the scope of the program. Not all roles are necessary and in small organizations, one or two people may fulfill multiple roles.
Senior Management Sponsor – Ensures visibility and support for the program.
IT Asset Manager – Responsible for management of all assets and maintaining asset database.
Software Asset Manager – Responsible for management of all software assets (a subset of the overall responsibility of the IT Asset Manager).
SAM Process Owner – Responsible for overall effectiveness and efficiency of SAM processes.
Asset Analyst – Maintains up-to-date records of all IT assets, including software version control.
Many organizations simply do not have a large enough staff to hire a full-time software asset manager. The role will need to be championed by an internal employee.
Avoid filling this position with a temporary contract; one of the most difficult operational factors in SAM implementation and continuity is constant turnover and organizational shifts. Hiring a software asset manager on contract might get the project going faster, but without the knowledge gained by doing the processes, the program won’t have enough momentum to sustain itself.
Make sure your SAM team is diverse. The SAM team will need to be skilled at achieving compliance, but there is also a need for technically skilled individuals to maximize the function of the SAM tool(s) at your organization.
1.2.1 Complete a RACI chart for your organization
Participants: CIO/CFO, IT Director, SAM Manager, SAM Team, Service Desk Manager
Document: Document in the Standard Operating Procedures.
Determine the roles and responsibilities for your SAM program. Record the results in a RACI (responsible, accountable, consulted, informed) chart such as the example below.
SAM Processes and Tasks | CIO | CFO | SAM Manager | IT Director | Service Management Team | IT Ops | Security | Finance | Legal | Project Manager |
---|---|---|---|---|---|---|---|---|---|---|
Policies/Governance | A | C | R | R | I | I | C | I | R | I |
Strategy | A | C | R | R | I | I | I | I | C | |
Risk Management/Asset Security | A | C | R | R | C | R | C | C | C | |
Data Entry/Quality | I | I | A | R | R | |||||
Compliance Auditing | R | C | A | R | I | I | I | I | ||
Education & Training | R | I | A | C | I | I | ||||
Contract Lifecycle Management | R | R | A | R | C | C | C | C | R | C |
Workflows | R | C | A | R | I | I | I | R | I | C/I |
Budgeting | R | R | R | A | C | R | ||||
Software Acquisition | R | I | A | R | I | C | R | C | C | |
Controls/Reporting | R | I | A | R | I | I | C | I | ||
Optimize License Harvesting | I | I | A | R | I | C | C |
Trying to achieve goals without metrics is like trying to cook without measuring your ingredients. You might succeed, but you’ll have no idea how to replicate it.
The metrics you track depend on your maturity level. As your organization shifts in maturity, the metrics you prioritize for tracking will shift to reflect that change. Example:
Metric category | Low maturity metric | High maturity metric |
---|---|---|
Compliance | % of software installed that is unauthorized | % of vendors in effective licensing position (ELP) report |
Quantity | % of licenses documented in ITAM tool | % of requests made through unauthorized channels |
CSF = Goal, or what success looks like
KPI = How achievement of goal will be defined
Metric = Numerical measure to determine if KPI has been achieved
CSF/Goal | KPI | Metrics |
---|---|---|
Improve accuracy of software budget and forecasting | | |
Avoid over purchasing software licenses and optimize use of existing licenses | | |
Improve accuracy of data | | |
Improved service delivery | | |
1.2.2 Brainstorm metrics and KPIs
Participants: CIO, IT Director, SAM Manager, SAM Team
Document: Document in the Standard Operating Procedures.
Use the table below as an example.
Goal/CSF | KPI | Metric |
---|---|---|
Improve license visibility | Increase accuracy and completeness of SAM data | |
Reduce software costs | Reduce number of unused software licenses by 20% | |
Reduce shadow IT | Reduce number of unauthorized software purchases and installations by 10% | |
Asset managers require data to manage how licenses are distributed throughout the organization. Are there multiple versions of the same application deployed? What proportion of licenses deployed are assigned to employees who are no longer at the organization? What are the usage patterns for applications?
Service desk technicians need real-time data on licenses currently available to deploy to machines that need to be imaged/updated, otherwise there is a risk of breaching a vendor agreement.
Business managers and executives need reports to make strategic decisions. The reports created for business stakeholders need to help them align business projects or business processes with SAM metrics. To determine which reports will provide the most value, start by looking at business goals and determining the tactical data that will help inform and support these goals and their progress.
1.2.3 Identify reports and metrics to track regularly
Participants: CIO, IT Director, SAM Manager, SAM Team
Document: Document in the Standard Operating Procedures.
Example:
Stakeholder | Purpose | Report | Frequency |
---|---|---|---|
Asset Manager | | Operational budget spent to date | Monthly |
 | | Capital budget spent to date | Monthly |
 | | Contracts coming due for renewal | Quarterly |
 | | Software harvested for redeployment | Quarterly |
 | | Number of single applications being managed | Annually |
CFO | | Software purchased, operational & capital | Monthly |
 | | Software accrued for future purchases | Monthly |
 | | Contracts coming due for renewal | Quarterly |
CIO | | Software deployments and redeployments | Monthly |
 | | Software rollouts planned | Quarterly |
 | | % of applications patched | Quarterly |
 | | Money saved | Annually |
 | | Number of contracts & apps managed | Quarterly |
Many infrastructure managers and business managers are unaware of how software licensing can impact projects. For example, changes in core infrastructure configuration can have big impacts from a software licensing perspective.
1.3.1 Identify functions for centralization
Participants: CIO, IT Director, SAM Manager, SAM Team
Document: Document in the Standard Operating Procedures.
Example:
Centralized functions | Decentralized functions |
After employee salaries (38%), the four next largest spend buckets have historically been infrastructure related. Adding salaries and external services, the average annual infrastructure and operations spend is over 50% of all IT spend.
The largest portion of that spend is on software license and maintenance. As of 2016, software accounted for roughly the same budget total as voice communications, data communications, and hardware combined. Managing software contracts is a crucial part of any mature budgeting process.
A sophisticated software asset management program will be able to uncover hidden costs, identify opportunities for rationalization, save money through reharvesting unused licenses, and improve forecasting of software usage to help control IT spending.
While some asset managers may not have experience managing budgets, there are several advantages to the ITAM function owning the budget:
Finance needs to be involved. Their questions may cover:
The SAM Budget Workbook is designed to assist in developing and justifying the budget for software assets for the upcoming year.
1.1.3 | Determine the maturity of your SAM program: Using the SAM Maturity Assessment Tool, fill out a series of questions in a survey to assess the maturity of your current SAM program. The survey assesses seven categories that will allow you to align your strategy to your results. |
1.2.3 | Define SAM reports to track metrics: Identify key stakeholders with reporting needs, metrics to track to fulfill reporting requirements, and a frequency for producing reports. |
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Step 1.1: Assess current state | Step 1.2: Build team and define metrics | Step 1.3: Plan and budget |
---|---|---|
Start with an analyst kick-off call: | Review findings with analyst: | Review findings with analyst: |
Then complete these activities… | Then complete these activities… | Then complete these activities… |
With these tools & templates: | With these tools & templates: | With these tools & templates: |
Visa formed a SAM team in 2011 to combat costly software audits.
The team’s first task was to use the available SAM data and reconcile licenses deployed throughout the organization.
Organizations as large as Visa constantly run into issues where they are grossly over- or under-licensed, causing huge financial risk.
Data collection and analysis were used as part of the license rationalization process. Using a variety of tools combined with a strong team allowed Visa to perform the necessary steps to gather license data and analyze usage.
One of the key exercises was uniting procurement and deployment data and the teams responsible for each.
End-to-end visibility allowed the data to be uniform. As a result, better decisions about license rationalization can be made.
By improving its measurement of SAM data, Visa was able to dedicate more time to analyze and reconcile its licenses. This led to improved license management and negotiations that reflected actual usage.
By improving license usage through rationalization, Visa reduced the cost of supporting additional titles.
The SAM team also performed license reclamation to harvest and redistribute licenses to further improve usage. The team’s final task was to optimize audit responses.
Phase 2: Procure, Receive & Deploy | This step will walk you through the following activities: | This step involves the following participants: |
2.1 | Request & Procure |
2.2 | Receive & Deploy |
Procurement and SAM must collaborate on software purchases to ensure software purchases meet business requirements and take into account all data on existing software and licenses to optimize the purchase and contract. Failure to work together can lead to unnecessary software purchases, overspending on purchases, and undesirable contract terms.
SAM managers must collaborate with Procurement when purchasing software.
SAM managers should:
Procurement must commit to be involved in the asset management process.
Procurement should:
Centralized negotiation and purchasing of software can ensure that the SAM team has visibility and control over the procurement process to help prevent overspending and uncontrolled agreements.
It may be necessary to procure some software locally if organizations have multiple locations, but try to centrally procure and manage the biggest contracts from vendors that are likely to audit the organization. Even with a decentralized model, ensure all teams communicate and that contracts remain visible centrally even if managed locally.
One of the major challenges involved in implementing SAM is uniting multiple datasets and data sources across the enterprise. A conversation with each major business unit will help with the creation of software procurement standards that are acceptable to all.
2.1.1 Identify central standard enterprise offerings
Participants: CIO, IT Director, SAM Manager, SAM Team
Document: Document in the Standard Operating Procedures.
Standard enterprise offerings | Localized or non-standard software |
The more prestigious the asset tier, the higher the degree of data capture, support, and maintenance required.
For example, an enterprise application that needs to be available 24/7, such as a learning management system, should be classified as gold tier to ensure it has 24/7 support.
2.1.2 Identify standard software images for your organization
Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)
Document: Document in the Standard Operating Procedures.
Not everyone is ready to embrace the cloud for all solutions; make sure to align cloud strategy to business requirements. Work closely with IT executives to determine appropriate contract terms, licensing options, and tracking processes.
Vendors make changes to bundles and online services terms on a regular basis. Ensure you document your agreed-upon terms to preserve your required functionality as vendor standard offerings change.
Download the Own the Cloud: Strategy and Action Plan blueprint for more guidance
 | Licensed | Open Source | Shareware |
---|---|---|---|
License Structure | A software supplier is paid for the permission to use their software. | The software is provided free of charge, but is still licensed. | The software is provided free of charge, but is still licensed. Usage may be on a trial basis, with full usage granted after purchase. |
Source Code | The source code is still owned by the supplier. | Source code is provided, allowing users to change and share the software to suit their needs. | Source code is property of the original developer/supplier. |
Technical Support | Technical support is included in the price of the contract. | Technical support may be provided, often in a community-based format from other developers of the open-source software in question. | Support may be limited during trial of software, but upgraded once a purchase is made. |
Open-source software should be managed in the same manner as commercial software to understand licensing requirements and be aware of any changes to these agreements, such as commercialization of such products, as well as any rules surrounding source code.
2.1.3 Define procurement policy
Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)
Document: Document in the Standard Operating Procedures.
Define and document policies that will apply to IT software purchases, including policies around:
Use the example below as guidance and document in the SOP.
2.1.4 Identify financial thresholds for approvals and requests
Participants: Asset Manager, Purchasing, CIO, CFO, IT Director
Document: Document in the Standard Operating Procedures.
Identify and classify financial thresholds for contracts requiring approval. For each category of contract value, identify who needs to authorize the request. Discuss and document any other approvals necessary. An example is provided below.
Example:
Requests for authorization will need to be directed based on the following financial thresholds:
Contract value | Authorization |
---|---|
<$50,000 | IT Director |
$50,000 to $250,000 | CIO |
$250,000 to $500,000 | CIO and CFO |
>$500,000 | Legal review |
A poorly defined software procurement workflow can result in overspending on unnecessary software licensing throughout the year. This can impact budgeting and any potential software refreshes, as businesses will often rely on purchasing what they can afford, not what they need.
The procurement workflow may involve the Service Desk, procurement team, and asset manager.
The following elements should be accounted for:
2.1.5 Build new contract procurement workflow
Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)
Document: Document in the Standard Operating Procedures.
Additionally, information regarding what licenses are being used for certain services may yield insight into potential redundancies. For example, two separate departments may each have a different application deployed that supports the same service. This presents an opportunity for savings based on bulk licensing agreements, not to mention a simplified support environment by reducing the number of titles deployed in your environment.
Participants: IT Director/CIO, Asset Manager, Purchasing, Service Desk Manager, Operations (optional)
Document: Document in the Standard Operating Procedures.
2.1.6 Build additional procurement workflows
Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)
Document: Document in the Standard Operating Procedures.
Build procurement workflows and define policies and procedures for additional purchasing scenarios beyond new contracts.
This may include:
Use the sample workflows in the Standard Operating Procedures as a guide.
Contract negotiations too often come down to a question of price. While you want to avoid overpaying for licenses, a worse offense is getting a steep discount for a bundle of applications where the majority will go unused.
Vendors will try to sell a full stack of software at a steep discount to give the illusion of value. Often organizations bite off more than they can chew. | → | When auditors come knocking, the business may be in compliance, but being over-licensed is a dangerous state to be in. | → | Organizations end up over-licensed and in possession of numerous “shelfware” apps that sit on the proverbial shelf collecting dust while drawing expensive maintenance and licensing fees from the business. |
Leverage Info-Tech’s research, Master Contract Review and Negotiation for Software Agreements, to review your software contracts to leverage your unique position during negotiations and find substantial cost savings.
While most software will be received through email and download, in some cases physical software may be received through courier or mail. Ensure processes and procedures are defined for both cases.
All licenses, documentation, and digital media for authorized and supported software should be collected and stored in a central, secure location to minimize risk of theft, loss, or unauthorized installation or duplication of software.
The ITAM database should contain an up-to-date record of all software assets, including their associated:
The database allows you to view software that is installed and associated licenses.
A definitive media library (DML) is a single logical storage area, which may consist of one or more locations in which definitive authorized versions of all software configuration items are securely stored and protected.
The DML consists of file storage as well as physical storage of CDs and DVDs and must be continually updated to contain the latest information about each configuration item.
The DML is used to organize content and link to automated deployment to easily install software.
The DML will usually contain the most up-to-date versions to minimize errors created by having unauthorized, old, or problematic software releases being deployed into the live IT environment. The DML can be used for both full-packed product (FPP) software and in-house developed software, providing formalized data around releases of in-house software.
Your DML should have a way to separate archived, new, and current software to allow for optimal organization of files and code, to ensure the correct software is installed, and to prepare for automated deployment through the service catalog.
New software hasn’t been tested yet. Make it available for testing, but not widely available.
Keep a record for archived software, but do not make it available for install.
Current software is regularly used and should be available for install.
2.2.1 Identify software storage locations
Participants: Asset Manager, IT Director
Document: Document in the Standard Operating Procedures.
2.2.2 Design the workflow for receiving software
Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)
Document: Document in the Standard Operating Procedures.
Releases: A collection of authorized changes to an IT service. Releases are divided into:
Define the process for deploying software to users.
Include the following in your workflow:
Rollouts or upgrades of large quantities of software will likely be managed as projects.
These projects should include project plans, including resources, timelines, and detailed procedures.
Define the process for large-scale deployment if it will differ from the regular deployment process.
2.2.3 Document deployment workflows for desktop and large-scale deployment
Participants: Asset Manager, Service Desk Manager, Release & Deployment Manager
Document: Document in the Standard Operating Procedures.
Software should be approved and deployed based on approved standards to minimize over-deployed software and manage costs appropriately. A list of standard software improves the efficiency of the software approval process.
Additionally, create a list of unauthorized software including titles not to be installed under any circumstances. This list should be designed with feedback from your end users and technical support staff. Front-line knowledge is crucial to identifying which titles are causing major problems.
2.2.4 Determine software categories for deployment
Participants: IT Director, Asset Manager, Purchasing (optional), Service Desk Manager (optional), Release & Deployment Manager (optional)
Document: Document in the Standard Operating Procedures.
Category | Definition | Software titles |
---|---|---|
Pre-approved/standard | | |
Approved by role | | |
Unapproved/requires review | | |
Unauthorized | | |
Software requiring review will need to be managed on a case-by-case basis, with approval dependent on software evaluation and business need.
The evaluation and approval process may require input from several parties, including business analysts, Security, technical team, Finance, Procurement, and the manager of the requestor’s department.
2.2.5 Document process for non-standard software requests
Participants: Asset Manager, Service Desk Manager, Release & Deployment Manager
Document: Document in the Standard Operating Procedures.
Define the review and approval process for non-standard software requests.
Use the workflow on the previous slide as a guide to map your own workflow process and document the steps in the Standard Operating Procedures.
The following assessments may need to be included in the process:
BMW is a large German automotive manufacturer that employs over 100,000 people. It has over 7,000 software products deployed across 106,000 clients and servers in over 150 countries.
When the global recession hit in 2008, the threat of costly audits increased, so BMW decided to boost its SAM program to cut licensing costs. It sought to centralize inventory data from operations across the globe.
A new SAM office was established in 2009 in Germany. The SAM team at BMW began by processing all the accumulated license and installation data from operations in Germany, Austria, and the UK. Within six months, the team had full visibility of all licenses and software assets.
Compliance was also a priority. The team successfully identified where they could make substantial reductions in support and maintenance costs as well as remove surplus costs associated with duplicate licensing.
BMW overcame a massive data centralization project to achieve 100% visibility of its global licensing estate, an incredible achievement given the scope of the operation.
BMW experienced efficiency gains due to transparency and centralized management of licenses through the new SAM office.
Additionally, internal investment in training and technical knowledge has helped BMW continuously improve the program. This has resulted in ongoing cost reductions for the manufacturer.
2.1.5 | Build software procurement workflow for new contracts: Use the sample workflow to document your own process for procurement of new software contracts. |
2.2.4 | Create a list of pre-approved, approved, and unapproved software titles: Build definitions of software categories to inform software standards and brainstorm examples of each category. |
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Step 2.1: Request and procure | Step 2.2: Receive and deploy |
---|---|
Start with an analyst kick-off call: | Review findings with analyst: |
Then complete these activities… | Then complete these activities… |
With these tools & templates: | With these tools & templates: |
Phase 3: Manage, Redeploy & Retire | This step will walk you through the following activities: | This step involves the following participants: |
3.1 | Manage & Maintain Software |
3.2 | Harvest, Redeploy, or Retire |
Many organizations fail to track their software inventory effectively; the focus often remains on hardware due to its more tangible nature. However, annual software purchases often account for a higher IT spend than annual hardware purchases, so it’s important to track both.
Have and maintain a list of supported software to guide what new software will be approved for purchase and what current software should be retained on the desktops, servers, and other processing devices.
A baseline inventory tells you exactly what software you have deployed and where it is being used. This can help to determine how to best optimize software and license usage.
A software inventory will allow you to:
Take preventive action to avoid unauthorized software usage through regular software inventory and license management:
3.1.1 Define process for regular software inventory
Participants: IT Director, Asset Manager
Document: Document in the Standard Operating Procedures.
While maintenance efforts are typically focused around hardware, software maintenance – including upgrades and patches – must be built into the software asset management process to ensure software remains compliant with security and regulatory requirements.
The integration between patch management and asset management is incredibly valuable from a technology point of view. IT asset management (ITAM) tools create reports on the characteristics of deployed software. By combining these reports with a generalized software updater, you can automate most simple patches to save your team’s efforts for more-critical incidents. Usage reports can also help determine which applications should be reviewed and removed from the environment.
3.1.2 Define software maintenance and patching policies
Participants: IT Director, Asset Manager, Release Manager (optional), Security (optional)
Document: Document in the Standard Operating Procedures.
Review the software maintenance guidelines in this section and in the SOP template. Discuss each policy and revise and document in accordance with your policies.
Discuss and document patch management policies:
The patch management policy helps to ensure company computers are properly patched with the latest appropriate updates to reduce system vulnerability and to enhance or repair application functionality. The policy aids in establishing procedures for the identification of vulnerabilities and potential areas of functionality enhancements, as well as the safe and timely installation of patches. The patch management policy is key to identifying and mitigating any system vulnerabilities and establishing standard patch management practices.
Use Info-Tech’s Patch Management Policy template to get started.
Unused software licenses are present in nearly every organization and result in wasted resources and software spend. Recycling and reharvesting licenses is a critical process within software asset management to save your organization money.
When computers are no longer in use and retired, the software licenses installed on the machines may be able to be reused.
License recycling involves reusing these licenses on machines that are still in use or for new employees.
License harvesting involves more actively identifying machines with licenses that are either not in use or underutilized, and recovering them to be used elsewhere, thus reducing overall software spend on new licenses.
Know the stipulations of your end-user license agreement (EULA) before harvesting and reallocating licenses. There may be restrictions on how often a license can be recycled in your agreement.
Define a standard reharvest timeline. For example, every 90 days, your SAM team can perform an internal audit using your SAM tool to gather data on software usage. If a user has not used a title in that time period, your team can remove that title from that user’s machine. Depending on the terms and conditions of the contract, the license can either be retired or harvested and reallocated.
Ensure you have exception rules built in for software that’s cyclical in its usage. For example, Finance may only use tax software during tax season, so there’s no reason to lump it under the same process as other titles.
It’s important to note that in addition to this process, you will need a software usage policy that supports your license harvest process.
3.2.1 Build license harvest and reallocation workflow
Participants: IT Director, Asset Manager, Service Desk Manager
Document: Document in the Standard Operating Procedures.
“Time and time again, I keep hearing stories from schools on how IT budgets are constantly being squeezed, but when I dig a little deeper, little or no effort is being made on accounting for software that might be on the kit we are taking away.” (Phil Goldsmith, Managing Director – ScrumpyMacs)
3.2.2 Document process for software retirement
Participants: IT Director, Asset Manager, Operations
Document: Document in the Standard Operating Procedures.
3.1.2 Define policies for software maintenance and patches
Discuss best practices and define policies for conducting regular software maintenance and patching.
3.2.1 Map your software license harvest and reallocation process
Build a process workflow for harvesting and reallocating unused software licenses.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Step 3.1: Manage and maintain software | Step 3.2: Harvest, redeploy, or retire |
---|---|
Start with an analyst kick-off call: | Review findings with analyst: |
Then complete these activities… | Then complete these activities… |
With these tools & templates: | With these tools & templates: |
The overarching goal of any SAM program is compliance to prevent costly audit fines. The SAM team at Visa was made up of many individuals who were former auditors.
To deal with audit requests from vendors, “understand how auditors do things and understand their approach,” states Joe Birdsong, SAM Director at Visa.
Vendors are always on the lookout for telltale signs of a lucrative audit. For Visa, the key was to understand these processes and learn how to prepare for them.
Vendors typically look for the following when evaluating an organization for audit:
Ultimately, an audit is an attack on the relationship between the vendor and organization. According to Birdsong: “Maybe they haven’t really touched base with your teams and had good contact and relationship with them, and they don’t really know what’s going on in your enterprise.”
By understanding the motivations behind potential audits, Visa was able to form a strategy to increase transparency with the vendor.
Regular data collection, almost real-time reporting, and open, quick communication with the vendor surrounding audits made Visa a low-risk client for vendors.
Buy-in from management is also important, and the creation of an official SAM strategy helps maintain support. Thanks to its proactive SAM program, Visa saved $200 million in just three years.
Phase 4: Build supporting processes & tools | This step will walk you through the following activities: | This step involves the following participants: |
---|---|---|
4.1 Compliance & audits | | |
4.2 Communicate & build roadmap | | |
By improving your software asset management program’s maturity, you will drive savings for the business that go beyond the negotiating table.
Recognize the classic signs of each stage of audit response maturity to identify where your organization currently stands and where it can go.
Being prepared for an audit is critical. Internal preparation will not only help your organization reduce the risk associated with an audit but will also improve daily operations through focusing on diligent documentation and data collection.
Conducting routine internal audits will help prepare your organization for the real deal and may even prevent the audit from happening altogether. Hundreds of thousands of dollars can be saved through a proactive audit strategy with routine documentation in place.
“You want to get [the] environment to a level where you’re comfortable sharing information with [a] vendor. Inviting them in to have a chat and exposing numbers means there’s no relationship there where they’re coming to audit you. They only come to audit you when they know there’s a gain to be had, otherwise what’s the point of auditing?
I want customers to get comfortable with licensing and what they’re spending, and then there’s no problem exposing that to vendors. Vendors actually appreciate that.” (Ben Brand, SAM Practice Manager, Insight)
“The supreme art of war is to subdue the enemy without fighting.” – Sun Tzu
Performing routine checks on your license compliance will drastically reduce the risk that your organization gets hit with a costly fine. Maintaining transparency and demonstrating compliance will fend off audit-hungry vendors.
4.1.1 Document process and procedures for internal audits
Participants: CIO and/or IT Director, Asset Manager, IT Managers
Document: Document in the Standard Operating Procedures.
Define and document a process for conducting internal software audits.
Include the following:
Example:
Being prepared for an audit is critical. Internal preparation will not only help your organization reduce the risk associated with an audit but will also improve daily operations through focusing on diligent documentation and data collection.
Certain triggers exist that indicate a higher risk of an audit occurring. It is important to recognize these warning signs so you can prepare accordingly.
Health of organization
If your organization is putting out fires and a vendor can sense it, they’ll see an audit as a highly lucrative exercise.
Decrease in customer spend
A decrease in spend means that an organization has a high chance of being under-licensed.
License complexity
The more complex the license, the harder it is to remain in compliance. Some vendors are infamous for their complex licensing agreements.
Taking these due diligence steps will pay dividends downstream, reducing the risk of negative results such as release of confidential information.
Even if you cannot get a third-party NDA signed, the negotiation process should delay the overall audit process by at least a month, buying your organization valuable time to gather license data.
4.1.2 Define external audit process
Participants: CIO and/or IT Director, Asset Manager, IT Managers
Document: Document in the Standard Operating Procedures.
Define and document a process for responding to external software audit requests.
Include the following:
Use the Software Audit Scoping Email Template to create an email directed at your external (or internal) auditors. Send the audit scoping email several weeks before an audit to determine the audit’s scope and objectives. The email should include:
The email will help focus your preparation efforts and initiate your relationship with the auditors.
Approximately a week before the audit, you should email the internal leadership to communicate information about the start of the audit. Use the Software Audit Launch Email Template to create this email, including:
For more guidance on preparing for a software audit, see Info-Tech’s blueprint: Prepare and Defend Against a Software Audit.
A large American financial institution with 1,300 banking centers in 12 states, 28,000 end users, and 108,000 assets needed to improve its asset management program.
The bank had employed numerous ITAM tools, but IT staff identified that its asset data was still fragmented. There was still incomplete insight into what assets the bank owned, the precise value of those assets, their location, and what they were being used for.
The bank decided to establish an asset management program that involved internal audits to gather more-complete data sets.
With the help of a vendor, the bank implemented cradle-to-grave asset tracking and lifecycle management, which provided discovery of almost $80 million in assets.
The bank also assembled an ITAM team and a dedicated ITAM manager to ensure that routine internal audits were performed.
The team was instrumental in establishing standardization of IT policies, hardware configuration, and service requirements.
Communication is crucial to the integration and overall implementation of your SAM program. If staff and users do not understand the purpose of processes and policies, they will fail to provide the desired value.
An effective communication plan will:
Why:
When:
Participants: CIO, IT Director, Asset Manager, Service Desk Manager
Document: Document in the SAM Communication Plan.
Group | Benefits | Impact | Method | Timeline |
---|---|---|---|---|
Executives | | | | |
End Users | | | | |
IT | | | | |
Document: Document FAQ questions and answers in the SAM FAQ Template.
ITAM imposes changes to end users throughout the business and it’s normal to expect questions about the new program. Prepare your team ahead of time by creating a list of FAQs.
Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but be sure to modify and adapt policies to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation and involvement from the committees and departments to whom it will pertain.
Use Info-Tech’s Software Asset Management Policy template to define and document the purpose, scope, objectives, and roles and responsibilities for your organization's software asset management program.
The template allows you to customize policy requirements for:
…as well as consequences for non-compliance.
Asset Security Policy
End-User Devices Acceptable Use Policy
Purchasing Policy
Release Management Policy
Internet Acceptable Use Policy
One of the most difficult decisions to make when implementing a SAM program is: “where do we start?”
It’s not necessary to deploy a comprehensive SAM program to start. Build on the essentials to become more mature as you grow.
To integrate SAM effectively, a clear implementation roadmap needs to be designed. Prioritize “quick wins” to demonstrate success to the business early and to gain buy-in from your team. Short-term gains should be designed to support long-term goals of your SAM program.
Q1 | Q2 | Q3 | Q4 |
Advertising the increased revenue that is gained from good SAM practices is a powerful way to gain project buy-in.
Reflect on the outcomes of implementing SAM to target areas for improvement and share knowledge gained within and beyond the SAM team. Some questions to consider include:
4.2.1 Develop a communication plan to convey the right messages
Identify stakeholders requiring communication and formulate a message and delivery method for each.
4.2.5 Develop a SAM roadmap to plan your implementation
Outline the tasks necessary for the implementation of this project and prioritize to build a project roadmap.
Step 4.1: Compliance & audits | Step 4.2: Communicate & build roadmap |
---|---|
Start with an analyst kick-off call: | Review findings with analyst: |
Then complete these activities… | Then complete these activities… |
With these tools & templates: | With these tools & templates: |
“2013 Software Audit Industry Report.” Express Metrix, 2013. Web.
“7 Vital Trends Disrupting Today’s Workplace: Results and Data from 2013 TINYpulse Employee Engagement Survey.” TINYpulse, 2013. Web.
Beaupoil, Christof. “How to measure data quality and protect against software audits.” Network World, 6 June 2011.
Begg, Daniel. “Effective Licence Position (ELP) – What is it really worth?” LinkedIn, 19 January 2016.
Boehler, Bernhard. “Advanced License Optimization: Go Beyond Compliance for Maximum Cost Savings.” The ITAM Review, 24 November 2014.
Bruce, Warren. “SAM Baseline – process & best practice.” Microsoft. 2013 Australia Partner Conference.
“Case Study Top 20 U.S. Bank Tackles Asset Management.” Pomeroy, 2012. Web.
“Cherwell Software Software Audit Industry Report.” Cherwell Software, 2015. Web.
Conrad, Sandi. “SAM starter kit: everything you need to get started with software asset management.” Conrad & Associates, 2010.
Corstens, Jan, and Diederik Van der Sijpe. “Contract risk & compliance software asset management (SAM).” Deloitte, 2012.
Deas, A., T. Markowitzm and E. Black. “Software asset management: high risk, high reward.” Deloitte, 2014.
Doig, Chris. “Why you should always estimate ROI before buying enterprise software.” CIO, 13 August 2015.
Fried, Chuck. “America Needs An Education On Software Asset Management (SAM).” LinkedIn. 16 June 2015.
Lyons, Gwen. “Understanding the Drivers Behind Application Rationalization Critical to Success.” Flexera Software Blog, 31 October 2012.
“Metrics to Measure SAM Success: eight ways to prove your SAM program is delivering business benefits.” Snow Software White Paper, 2015.
Microsoft. “The SAM Optimization Model.” Microsoft Corporation White Paper, 2010.
Miller, D. and M. Oliver. “Engaging Stakeholders for Project Success.” Project Management Institute White Paper, 2015.
Morrison, Dan. “5 Common Misconceptions of Software Asset Management.” SoftwareOne. 12 May 2015.
O’Neill, Leslie T. “Visa Case Study: SAM in the 21st Century.” International Business Software Managers Association (IBSMA), 30 July 2014.
“Reducing Hidden Operating Costs Through IT Asset Discovery.” NetSupport Inc., 2011.
SAM Summit 2014, 23-25 June 2014, University of Chicago Gleacher Center Conference Facilities, Chicago, MI.
Saxby, Heather. “20 Things Every CIO Needs to Know about Software Asset Management.” Crayon Software Experts, 13 May 2015.
“The 2016 State of IT: Managing the money monsters for the coming year.” Spiceworks, 2016.
“The Hidden Cost of Unused Software.” A 1E Report, 1E.com: 2014. Web.
“What does it take to achieve software license optimization?” Flexera White Paper, 2013.
Michael Dean
Director, User Support Services Des Moines University
Simon Leuty
Co-Founder Livingstone Tech
Clare Walsh
PR Consultant Adesso Tech Ltd.
Alex Monaghan
Director, Presales EMEA Product Support Solutions
Ben Brand
SAM Practice Manager Insight
Michael Swanson
President ISAM
Bruce Aboudara
SVP, Marketing & Business Development Scalable Software
Will Degener
Senior Solutions Consultant Scalable Software
Peter Gregorowicz
Associate Director, Network & Client Services Vancouver Community College
Peter Schnitzler
Operations Team Lead Toyota Canada
David Maughan
Head of Service Transition Mott MacDonald Ltd.
Brian Bernard
Infrastructure & Operations Manager Lee County Clerk of Court
Leticia Sobrado
IT Data Governance & Compliance Manager Intercept Pharmaceuticals
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Integrate data from exit surveys and interviews, engagement surveys, and stay interviews to understand the most commonly cited reasons for employee departure in order to select and prioritize tactics that improve retention. This blueprint will help you identify reasons for regrettable turnover, select solutions, and create an action plan.
Use this tool to document and analyze turnover data to find suitable retention solutions.
The Stay Interview Guide helps managers conduct interviews with current employees, enabling the manager to understand the employee's current engagement level, satisfaction with current role and responsibilities, suggestions for potential improvements, and intent to stay with the organization.
Review best-practice solutions to identify those that are most suitable to your organizational culture and employee needs. Use the IT Retention Solutions Catalog to explore a variety of methods to improve retention, understand their use cases, and determine stakeholder responsibilities.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Identify the main drivers of turnover at the organization.
Find out what to explore during focus groups.
1.1 Review data to determine why employees join, stay, and leave.
1.2 Identify common themes.
1.3 Prepare for focus groups.
List of common themes/pain points recorded in the Retention Plan Workbook.
Conduct focus groups to explore retention drivers.
Explore identified themes.
2.1 Conduct four 1-hour focus groups with the employee segment(s) identified in the pre-workshop activities.
2.2 Info-Tech facilitators independently analyze results of focus groups and group results by theme.
Focus group feedback.
Focus group feedback analyzed and organized by themes.
Home in on employee needs that are a priority.
A list of initiatives to address the identified needs
3.1 Create an empathy map to identify needs.
3.2 Shortlist retention initiatives.
Employee needs and shortlist of initiatives to address them.
Prepare to launch your retention initiatives.
A clear action plan for implementing your retention initiatives.
4.1 Select retention initiatives.
4.2 Determine goals and metrics.
4.3 Plan stakeholder communication.
4.4 Build a high-level action plan.
Finalized list of retention initiatives.
Goals and associated metrics recorded in the Retention Plan Workbook.
Many organizations are facing an increase in voluntary turnover as low unemployment, a lack of skilled labor, and a rise in the number of vacant roles have given employees more employment choices.
Regrettable turnover is impacting organizational productivity and leading to significant costs associated with employee departures and the recruitment required to replace them.
Many organizations tackle retention from an engagement perspective: Increase engagement to improve retention. This approach doesn't consider the whole problem.
Build the case for creating retention plans by leveraging employee data and feedback to identify the key reasons for turnover that need to be addressed.
Target employee segments and work with management to develop solutions to retain top talent.
Engagement surveys mask the volatility of the employee experience and hide the reason why individual employees leave. You must also talk to employees to understand the moments that matter and engage managers to understand turnover triggers.
As the economy continues to recover from the pandemic, unemployment continues to trend downward even with a looming recession. This leaves more job openings vacant, making it easier for employees to job hop.
With more employees voluntarily choosing to leave jobs, it is more important than ever for organizations to identify key employees they want to retain and put plans in place to keep them.
The number of HR professionals citing retention/turnover as a top workforce management challenge is increasing, and it is now the second highest recruiting priority ("2020 Recruiter Nation Survey," Jobvite, 2020).
65% of employees believe they can find a better position elsewhere (Legaljobs, 2021). This is a challenge for organizations in that they need to find ways to ensure employees want to stay at the organization or they will lose them, which results in high turnover costs.
Executives and IT are making retention and turnover – two sides of the same coin – a priority because they cost organizations money.
Employees with longer tenure have an increased understanding of an organization's policies and processes, which leads to increased productivity (Indeed, 2021).
Turnover often ripples across a team or department, with employees following each other out of the organization (Mereo). Retaining even one individual can often have an impact across the organization.
Retaining key individuals allows them to pass their knowledge on to other employees through communities of practice, mentoring, or other knowledge-sharing activities.
Improving retention goes beyond cost savings: Employees who agree with the statement "I expect to be at this organization a year from now" are 71% more likely to put in extra hours and 32% more likely to accomplish more than what is expected of their role (McLean & Company Engagement Survey, 2021; N=77,170 and 97,326 respectively).
Employee engagement is a strong driver of retention, with only 25% of disengaged employees expecting to be at their organization a year from now compared to 92% of engaged employees (McLean & Company Engagement Survey, 2018-2021; N=117,307).
However, engagement surveys mask the volatility of the employee experience and hide the reason why individual employees leave.
This analysis of McLean & Company's engagement survey results shows that while an organization's average employee net promoter score (eNPS) stays relatively static, at an individual level there is a huge amount of volatility.
This demonstrates the need for an approach that is more capable of responding to or identifying employees' in-the-moment needs, which an annual engagement survey doesn't support.
Retention needs to be monitored throughout the employee lifecycle. To address the variety of issues that can appear, consider three main paths to turnover:
Engagement drivers are strong predictors of turnover.
Employees who are highly engaged are 3.6x more likely to believe they will be with the organization 12 months from now than disengaged employees (McLean & Company Engagement Survey, 2018-2021; N=117,307).
Turnover triggers are events that act as shocks or catalysts that quickly lead to an employee's departure.
Turnover triggers are a cause for voluntary turnover more often than accumulated issues (Lee et al.).
Employee experience is the employee's perception of the accumulation of moments that matter within their employee lifecycle.
Retention rates increase from 21% to 44% when employees have positive experiences in the following categories: belonging, purpose, achievement, happiness, and vigor at work. (Workhuman, 2020).
Research shows managers do not appear as one of the common reasons for employee turnover.
Top five most common reasons employees leave an organization (McLean & Company, Exit Survey, 2018-2021; N=107 to 141 companies, 14,870 to 19,431 responses).
Turnover factors | Rank |
---|---|
Opportunities for career advancement | 1 |
Satisfaction with my role and responsibilities | 2 |
Base pay | 3 |
Opportunities for career-related skill development | 4 |
The degree to which my skills were used in my job | 5 |
However, managers can still have a huge impact on the turnover of their team through each of the three main paths to turnover:
Employees who believe their managers care about them as a person are 3.3x more likely to be engaged than those who do not (McLean & Company, 2021; N=105,186).
Managers who are involved with and aware of their staff can serve as an early warning system for triggers that lead to turnover too quickly to detect with data.
Managers have a direct connection with each individual and can tailor the employee experience to meet the needs of the individuals who report to them.
Gallup has found that 52% of exiting employees say their manager could have done something to prevent them from leaving (Gallup, 2019). Do not discount the power of managers in anticipating and preventing regrettable turnover.
HR traditionally seeks to examine engagement levels when faced with retention challenges, but engagement is only a part of the full picture. You must also talk to employees to understand the moments that matter and engage managers to understand turnover triggers.
After completing this step you will have:
Employee engagement: Engagement drivers such as compensation or working environment are strong predictors of turnover.
Moments that matter: Employee experience (EX) is the employee's perception of the accumulation of moments that matter with the organization.
Employee engagement and moments that matter are easily tracked by data. Validating employee feedback data by speaking and empathizing with employees helps to uncover moments that matter. This step focuses on analyzing existing data and validating it through focus groups.
Turnover triggers: Turnover triggers are events that act as shocks or catalysts that quickly lead to an employee's departure.
This step will not touch on turnover triggers. Instead, they will be discussed in step 2 in the context of the role of the manager in improving retention.
IT managers often have insights into where and why retention is an issue through their day-to-day work. Gathering detailed quantitative and qualitative data provides credibility to these insights and is key to building a business case for action. Keep an open mind and allow the data to inform your gut feeling, not the other way around.
Start to gather and examine additional data to accurately identify the reason(s) for high turnover. Begin to uncover the story behind why these employees join, stay, and leave your organization through themes and trends that emerge.
Look for these icons throughout step 2:
Why do candidates join your organization?
Why do employees stay with your organization?
Why do employees leave your organization?
For more information on analysis, visualization, and storytelling with data, see Info-Tech's Start Making Data-Driven People Decisions blueprint.
Classify where key employee needs fall within the employee lifecycle diagram in tab 2 of the Retention Plan Workbook. This will be used in step 2 to pinpoint and prioritize solutions.
The employee lifecycle is a valuable way to analyze and organize engagement pain points, moments that matter, and turnover triggers. It ensures that you consider the entirety of an employee's tenure and the different factors that lead to turnover.
While conducting a high-level analysis of new hire data, look for these three key themes impacting retention:
Issues or pain points that occurred during the hiring process.
Reasons why employees joined your organization.
The experience of their first 90 days. This can include their satisfaction with the onboarding process and their overall experience with the organization.
Themes will help to identify areas of strength and weakness organization-wide and within key segments. Document in tab 3 of the Retention Plan Workbook.
Employees who are engaged are 3.6x more likely to believe they will be with the organization 12 months from now (McLean & Company Engagement Survey, 2018-2021; N=117,307). Given the strength of this relationship, it is essential to identify areas of strength to maintain and leverage.
If you use Info-Tech's Engagement Survey, look in detail at what are classified as "Retention Drivers": total compensation, working environment, and work-life balance.
If you use a product other than Info-Tech's Engagement Survey, your results will look different. The key is to look at areas of weakness that emerge from the data.
Conduct a high-level analysis of the data from your employee exit diagnostic. While analyzing this data, consider the following:
If your organization conducts exit interviews, analyze the results alongside or in lieu of exit survey data.
Determine if new hire expectations weren't met, prompting employees to leave your organization, to help identify where in the employee lifecycle issues driving turnover may be occurring.
A result where employees are leaving for the same reason they're joining the organization could signal a disconnect between your organization's employee value proposition and the lived experience.
Your employee value proposition (EVP), formal or informal, communicates the value your organization can offer to prospective employees.
If your EVP is mismatched with the lived experience of your employees, new hires will be in for a surprise when they start their new job and find out it isn't what they were expecting.
Forty-six percent of respondents who left a job within 90 days of starting cited a mismatch of expectations about their role ("Job Seeker Nation Study 2020," Jobvite, 2020).
Through focus groups, explore the themes you have uncovered with employees to discover employee needs that are not being met. Addressing these employee needs will be a key aspect of your retention plan.
Identify employee groups who will participate in focus groups:
Customize Info-Tech's Standard Focus Group Guide based on the themes you have identified in tab 3 of the Retention Plan Workbook.
The goal of the focus group is to learn from employees and use this information to design or modify a process, system, or other solution that impacts retention.
Focus questions on the employees' personal experience from their perspective.
Key things to remember:
Maintaining an open dialogue with employees will help flesh out the context behind the data you've gathered and allow you to keep in mind that retention is about people first and foremost.
Look for discrepancies between what employees are saying and doing.
1. Say: "What words or quotes did the employee use?"
2. Do: "What actions or behavior did the employee demonstrate?"
3. Think: "What might the employee be thinking?"
4. Feel: "What might the employee be feeling?"
Record feelings and thoughts discussed, body language observed, tone of voice, and words used. Look for areas of negative emotion to determine the moments that matter that drive retention.
5. Identify Needs: "Needs are verbs (activities or desires), not nouns (solutions)"
6. Identify Insights: "Ask yourself, why?"
Synthesize focus group findings using Info-Tech's Empathy Map Template. Record them in tab 3 of the Retention Plan Workbook.
(Based on Stanford d.school Empathy Map Method)
Take employee needs revealed by your data and focus groups and prioritize three to five needs.
Select a limited number of employee needs to develop solutions to ensure that the scope of the project is feasible and that the resources dedicated to this project are not stretched too thin. The remaining needs should not be ignored – act on them later.
Share the needs you identify with stakeholders so they can support prioritization and so you can confirm their buy-in and approval where necessary.
Ask yourself the following questions to determine your priority employee needs:
After completing this step, you will have:
First, select and prioritize solutions to address employee needs identified in the previous step. These solutions will address reasons for turnover that influence employee engagement and moments that matter.
Next, create a plan to launch stay interviews to increase managers' accountability in improving retention. Managers will be critical to solving issues stemming from turnover triggers.
Finally, create an action plan and present to senior leadership for approval.
Based on the priority needs you have identified, use the Retention Solutions Catalog to review best-practice solutions for pain points associated with each stage of the lifecycle.
Use this tool as a starting point, adding to it and iterating based on your own experience and organizational culture and goals.
Use Info-Tech's Retention Solutions Catalog to start the brainstorming process and produce a shortlist of potential solutions that will be prioritized on the next slide.
Unless you have the good fortune of having only a few pain points, no single initiative will completely solve your retention issues. Combine one or two of these broad solutions with people-leader initiatives to ensure employee needs are addressed on an individual and an aggregate level.
Target efforts accordingly
Quick wins are high-impact, low-effort initiatives that will build traction and credibility within the organization.
Long-term initiatives require more time and need to be planned for accordingly but will still deliver a large impact. Review the planning horizon to determine how early these need to begin.
Re-evaluate low-impact and low-effort initiatives and identify ones that either support other higher impact initiatives or have the highest impact to gain traction and credibility. Look for low-hanging fruit.
Deprioritize initiatives that will take a high degree of effort to deliver lower-value results.
When assessing the impact of potential solutions, consider:
It's better to master a few initiatives than under-deliver on many. Start with a few solutions that will have a measurable impact to build the case for further action in the future.
Figure: prioritization matrix of effort (low, medium, large) against impact (low, medium, large).
Use tab 3 of the Retention Plan Workbook to prioritize your shortlist of solutions.
Leaders at all levels have a huge impact on employees.
Support leaders in recommitting to their role as people managers through Learning & Development initiatives with particular emphasis on coaching and building trust.
For coaching training, see Info-Tech's Build a Better Manager: Team Essentials – Feedback and Coaching training deck.
For more information on supporting managers to become better people leaders, see Info-Tech's Build a Better Manager: Manage Your People blueprint.
"HR can't fix turnover. But leaders on the front line can."
– Richard P. Finnegan, CEO, C-Suite Analytics
Managers often have the most visibility into their employees' personal and work lives and have a key opportunity to anticipate and address turnover triggers.
Stay interviews are an effective way of uncovering potential retention issues and allowing managers to act as an early warning system for turnover triggers.
Sources: Richard P. Finnegan, CEO, C-Suite Analytics; SHRM
For each initiative identified, map out timelines and actions that need to be taken.
Be clear about manager accountabilities for initiatives they will own, such as stay interviews. Plan to communicate the goals and timelines managers will be asked to meet, such as when they must conduct interviews or their responsibility to follow up on action items that come from interviews.
Insight 1 | Insight 2 | Insight 3 |
---|---|---|
Retention and turnover are two sides of the same coin. You can't fix retention without first understanding turnover. | Engagement surveys mask the volatility of the employee experience and hide the reason why individual employees leave. You must also talk to employees to understand the moments that matter and engage managers to understand turnover triggers. | Improving retention isn't just about lowering turnover, it's about discovering what healthy retention looks like for your organization. |

Insight 4 | Insight 5 | Insight 6 |
---|---|---|
HR professionals often have insights into where and why retention is an issue. Gathering detailed employee feedback data through surveys and focus groups provides credibility to these insights and is key to building a case for action. Keep an open mind and allow the data to inform your gut feeling, not the other way around. | Successful retention plans must be owned by both IT leaders and HR. | IT leaders often have the most visibility into their employees' personal and work lives and have a key opportunity to anticipate and address turnover triggers. Stay interviews help managers anticipate potential retention issues on their teams. |
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
 | Pre-work | Post-work |
---|---|---|
 | Client Data Gathering and Planning | Implementation Supported Through Analyst Calls |
Info-Tech Analysts | 1.1 Discuss participants, logistics, overview of workshop activities. 1.2 Provide support to client for below activities through calls. | 2.1 Schedule follow-up calls to work through implementation of retention solutions based on identified needs. |
Client | 1. Gather results of engagement survey, new hire survey, exit survey, and any exit and stay interview feedback. 2. Gather and analyze turnover data. 3. Identify key employee segment(s) and identify and organize participants for focus groups. 4. Complete cost of turnover analysis. 5. Review turnover data and prioritize list of employee segments. | 1. Obtain senior leader approval to proceed with retention plan. 2. Finalize and implement retention solutions. 3. Prepare managers to conduct stay interviews. 4. Communicate next steps to stakeholders. |
 | Day 1 | Day 2 | Day 3 | Day 4 |
---|---|---|---|---|
 | Assess Current State | Conduct Focus Groups | Identify Needs and Retention Initiatives | Prepare to Communicate and Launch |
Activities | 1.1 Review data to determine why employees join, stay, and leave. 1.2 Identify common themes. 1.3 Prepare for focus groups. | 2.1 Conduct four 1-hour focus groups with the employee segment(s) identified in the pre-workshop activities. 2.2 Info-Tech facilitators independently analyze results of focus groups and group results by theme. | 3.1 Create an empathy map to identify needs. 3.2 Shortlist retention initiatives. | 4.1 Select retention initiatives. 4.2 Determine goals and metrics. 4.3 Plan stakeholder communication. 4.4 Build a high-level action plan. |
Deliverables | 1. List of common themes/pain points recorded in the Retention Plan Workbook. 2. Plan for focus groups documented in the Focus Group Guide. | 1. Focus group feedback. 2. Focus group feedback analyzed and organized by themes. | 1. Employee needs and shortlist of initiatives to address them. | 1. Finalized list of retention initiatives. |
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Jeff Bonnell
VP HR
Info-Tech Research Group
Phillip Kotanidis
CHRO
Michael Garron Hospital
Michael McGuire
Director, Organizational Development
William Osler Health System
Dr. Iris Ware
Chief Learning Officer
City of Detroit
Richard P. Finnegan
CEO
C-Suite Analytics
Dr. Thomas Lee
Professor of Management
University of Washington
Jane Moughon
Specialist in increasing profits, reducing turnover, and maximizing human potential in manufacturing companies
Lisa Kaste
Former HR Director
Citco
Piyush Mathur
Head of Workforce Analytics
Johnson & Johnson
Gregory P. Smith
CEO
Chart Your Course
"17 Surprising Statistics about Employee Retention." TINYpulse, 8 Sept. 2020. Web.
"2020 Job Seeker Nation Study." Jobvite, April 2020. Web.
"2020 Recruiter Nation Survey." Jobvite, 2020. Web.
"2020 Retention Report: Insights on 2019 Turnover Trends, Reasons, Costs, & Recommendations." Work Institute, 2020. Web.
"25 Essential Productivity Statistics for 2021." TeamStage, 2021. Accessed 22 Jun. 2021.
Agovino, Theresa. "To Have and to Hold." SHRM, 23 Feb. 2019. Web.
"Civilian Unemployment Rate." Bureau of Labor Statistics, June 2020. Web.
Foreman, Paul. "The domino effect of chief sales officer turnover on salespeople." Mereo, 19 July 2018. Web.
"Gross Domestic Product." U.S. Bureau of Economic Analysis, 27 May 2021. Accessed 22 Jun. 2020.
Kinne, Aaron. "Back to Basics: What is Employee Experience?" Workhuman, 27 August 2020. Accessed 21 Jun. 2021.
Lee, Thomas W, et al. "Managing employee retention and turnover with 21st century ideas." Organizational Dynamics, vol 47, no. 2, 2017, pp. 88-98. Web.
Lee, Thomas W. and Terence R. Mitchell. "Control Turnover by Understanding its Causes." The Blackwell Handbook of Principles of Organizational Behaviour. 2017. Print.
McFeely, Shane, and Ben Wigert. "This Fixable Problem Costs U.S. Businesses $1 Trillion." Gallup. 13 March 2019. Web.
"Table 18. Annual Quit rates by Industry and Region Not Seasonally Adjusted." Bureau of Labor Statistics. June 2021. Web.
"The 2019 Compensation Best Practices Report: Will They Stay or Will They Go? Employee Retention and Acquisition in an Uncertain Economy." PayScale. 2019. Web.
Vuleta, Branka. "30 Troubling Employee Retention Statistics." Legaljobs. 1 Feb. 2021. Web.
"What is a Tenured Employee? Top Benefits of Tenure and How to Stay Engaged as One." Indeed. 22 Feb. 2021. Accessed 22 Jun. 2021.
A cost-optimized security budget is one that has the greatest impact on risk for the least amount of money spent.
This phase will help you assess the efficacy of your current technology and service providers.
This phase will help you assess if layoffs are necessary.
This phase will help you revise the pending process-based initiatives in your security strategy.
Parse specific technology drivers out of the formal enterprise digital strategy.
Review and understand potential enabling applications.
Use the drivers and an understanding of enabling applications to put together an execution roadmap that will support the digital strategy.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Review and validate the formal enterprise digital strategy.
Confirmation of the goals, objectives, and direction of the organization’s digital strategy.
1.1 Review the initial digital strategy.
1.2 Determine gaps.
1.3 Refine digital strategy scope and vision.
1.4 Finalize digital strategy and validate with stakeholders.
Validated digital strategy
Enumerate relevant technology drivers from the digital strategy.
List of technology drivers to pursue based on goals articulated in the digital strategy.
2.1 Identify affected process domains.
2.2 Brainstorm impacts of digital strategy on technology enablement.
2.3 Distill critical technology drivers.
2.4 Identify KPIs for each driver.
Affected process domains (based on APQC)
Critical technology drivers for the digital strategy
Relate your digital strategy drivers to specific, actionable application areas.
Understand the interplay between the digital strategy and impacted application domains.
3.1 Build and review current application inventory for digital.
3.2 Execute fit-gap analysis between drivers and current state inventory.
3.3 Pair technology drivers to specific enabling application categories.
Current-state application inventory
Fit-gap analysis
Understand how different applications support the digital strategy.
Understand the art of the possible.
Knowledge of how applications are evolving from a features and capabilities perspective, and how this pertains to digital strategy enablement.
4.1 Application spotlight: customer experience.
4.2 Application spotlight: content and collaboration.
4.3 Application spotlight: business intelligence.
4.4 Application spotlight: enterprise resource planning.
Application spotlights
Create a concrete, actionable roadmap of application and technology initiatives to move the digital strategy forward.
Clear, concise articulation of application roadmap for supporting digital that can be communicated to the business.
5.1 Build list of enabling projects and applications.
5.2 Create prioritization criteria.
5.3 Build the digital strategy application roadmap.
5.4 Socialize the roadmap.
5.5 Delineate responsibility for roadmap execution.
Application roadmap for the digital strategy
RACI chart for digital strategy roadmap execution
This research is designed to help organizations who are facing these challenges:
AI requires a high level of maturity in all data management capabilities, and the greatest challenge the CIO or CDO faces is to mature these capabilities sufficiently to ensure AI success.
Define business use cases where AI may bring value. Evaluate each use case to determine the company’s AI maturity in people, tools, and operations for delivering the correct data, model development, model deployment, and the management of models in the operational areas.
Develop a target state architecture to allow the organization to effectively deliver on the promise of AI using architecture building blocks.
Compare current state with the target state to define architecture plateaus and build a delivery roadmap.
Define business use cases where AI may add value and assess use case readiness.
Know upfront if all required data resources are available in the required velocity, veracity, and variety to service the use case.
1.1 Review the business vision.
1.2 Identify and classify business use cases.
1.3 Assess company readiness for each use case.
1.4 Review architectural principles and download and install Archi.
List of identified AI use cases
Assessment of each use case
Data sources needed for each use case
Archi installed
Define architecture building blocks that can be used across use cases and data pipeline.
The architectural building blocks ensure reuse of resources and form the foundation of a stepwise rollout.
2.1 ArchiMate modelling language overview.
2.2 Architecture building block overview.
2.3 Identify architecture building blocks by use case.
2.4 Define the target state architecture.
A set of building blocks created in Archi
Defined target state architecture using architecture building blocks
Assess your current state architecture in the areas identified by the target state.
Only evaluating the current state architecture that will influence your AI implementation.
3.1 Identify the current state capabilities as required by the target state.
3.2 Assess your current state architecture.
3.3 Define a roadmap and design implementation plateaus.
Current state architecture documented in Archi
Assessed current state using assessment tool
A roadmap defined using plateaus as milestones
Assess your current state against the target state and create a plan to bridge the gaps.
Develop a roadmap that will deliver immediate results and ensure long-term durability.
4.1 Assess the gaps between current- and target-state capabilities.
4.2 Brainstorm initiatives to address the gaps in capabilities.
4.3 Define architecture delivery plateaus.
4.4 Define a roadmap with milestones.
4.5 Sponsor check-in.
Current to target state gap assessment
Architecture roadmap divided into plateaus
Passwordless is the right direction even if it’s not your final destination.
Back in 2004 we were promised "the end of passwords" – why, then, are we still struggling with them today?
Users have been burdened with unrealistic expectations when it comes to their part in maintaining enterprise security. Given the massive rise in the threat landscape, it is time for Infrastructure to adopt a user-experience-based approach if we want to move the needle on improving security posture.
"If you buy the premise…you buy the bit."
Johnny Carson
Build the case, both to business stakeholders and end users, that "password" is not a synonym for "security."
Be ready for some objection handling!
"There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."
Bill Gates
A massive worm attack against ARPANET prompted the initial research into password strength.
Password strength can be expressed as a function of randomness or entropy. The greater the entropy the harder for an attacker to guess the password.
Table: Modern password security for users
Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects
From this research, increasing password complexity (length, special characters, etc.) became the "best practice" to secure critical systems.
Image courtesy of Randall Munroe XKCD Comics (CC BY-NC 2.5)
It turns out, however, that humans are really bad at remembering complex passwords.
An Intel study (2016) suggested that the average enterprise employee needed to remember 27 passwords. A more recent study from LastPass puts that number closer to 191.
Over the course of a single year, researchers at the University of California, Berkeley identified and tracked nearly 2 billion compromised credentials.
3.8 million were obtained via social engineering, another 788K from keyloggers. That's approx. 250,000 clear text credentials harvested every week!
The entirety of the password ecosystem has significant vulnerabilities in multiple areas:
Even the 36M encrypted credentials compromised every week are just going to be stored and cracked later.
Source: Google, University of California, Berkeley, International Computer Science Institute
Image courtesy of NVIDIA, NVIDIA Grace
Image: IBM Quantum System One (CES 2020) by IBM Research is licensed under CC BY-ND 2.0
"Give me a place to stand, and a lever long enough, and I will move the world."
Archimedes
Chances are you are already paying for one or more of these technologies from a current vendor:
Global Market of $12.8B
~16.7% CAGR
Source: Report Linker, 2022.
Passwordless technologies focus on alternate authentication factors to supplement or replace shared secrets.
Something you know
Shared secrets have well-known significant modern-day problems, but only when used in isolation. For end users, consider time-limited single use options, password managers, rate-limited login attempts, and reset rather than retrieval requests. On the system side, never forget strong cryptographic hashing along with a side of salt and pepper when storing passwords.
Something you have
A token (now known as a cryptographic identification device) such as a pass card, fob, smartphone, or USB key that is expected to be physically under the control of the user and is uniquely identifiable by the system. Easily decoupled in the event the token is lost, but potentially expensive and time-consuming to reprovision.
Something you are or do
Commonly referred to as biometrics, there are two primary classes. The first is measurable physical characteristics of the user such as a fingerprint, facial image, or retinal scan. The second class is a series of behavioral traits such as expected location, time of day, or device. These traits can be linked together in a conditional access policy. Unlike other authentication factors, biometrics DO NOT provide for exact matches and instead rely on a confidence interval. A balance must be struck against the user experience of false negatives and the security risk of a false positive.
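To make the "something you know" storage advice above concrete, here is an added Python example (not part of the original research) that stores passwords with a per-user salt, a server-side pepper, and a slow memory-hard hash. The pepper value, the scrypt cost parameters, the record layout, and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo pepper (assumption): a real pepper is a random secret held
# outside the credential database, e.g. in a KMS, HSM or secrets manager.
DEMO_PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# scrypt cost parameters (assumed values; tune them to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_LEN = 16  # bytes of random salt, unique per stored password
KEY_LEN = 32   # bytes of derived key kept in the record


def _apply_pepper(password: str, pepper: bytes) -> bytes:
    """Mix the pepper in with HMAC-SHA256 before the slow hash is applied."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def _derive(password: str, pepper: bytes, salt: bytes,
            n: int, r: int, p: int, dklen: int) -> bytes:
    """Run scrypt over the peppered password with the given salt and costs."""
    return hashlib.scrypt(_apply_pepper(password, pepper),
                          salt=salt, n=n, r=r, p=p, dklen=dklen)


def hash_password(password: str, pepper: bytes = DEMO_PEPPER) -> str:
    """Return a self-describing record: scheme$n$r$p$salt_hex$key_hex.

    The salt is stored next to the hash; the pepper never is, so a dump of
    the credential table alone is not enough to start offline guessing.
    """
    salt = secrets.token_bytes(SALT_LEN)
    key = _derive(password, pepper, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str,
                    pepper: bytes = DEMO_PEPPER) -> bool:
    """Recompute the hash from the stored parameters and compare safely."""
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        candidate = _derive(password, pepper, salt,
                            int(n), int(r), int(p), len(expected))
    except ValueError:
        # Malformed or tampered record: fail closed instead of raising.
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two users choosing the same (constructed) password get different records.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print(alice != bob)
    print(verify_password("correct horse battery staple", alice))
    print(verify_password("Tr0ub4dor&3", alice))
```

Because the cost parameters travel inside each record, they can be raised later and older records re-hashed at the user's next successful login.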
Does the solution support the full variety of end-user devices you have in use?
Can the solution be configured with your existing single sign-on or central identity broker?
Users already want a better experience than passwords.
What new behavior are you expecting (compelling) from the user?
How often and under what conditions will that behavior occur?
Where are the points of failure in the solution?
Consider technical elements like session thresholds for reauthorization, but also elements like automation and self-service.
Understand the exact responsibilities Infra&Ops have in the event of a system or user failure.
As many solutions are based in the public cloud, manage stakeholder expectations accordingly.
"Move the goalposts…and declare victory."
Informal Fallacy (yet very effective…)
Get the easy wins in the bank and then lay the groundwork for the long campaign ahead.
You're not going to get to a passwordless world overnight. You might not even get there for many years. But an agile approach to the journey ensures you will realize value every step of the way:
"Backup Vs. Archiving: Know the Difference." Open-E. Accessed 05 Mar 2022. Web.
G, Denis. "How to Build Retention Policy." MSP360, Jan 3, 2020. Accessed 10 Mar 2022.
Ipsen, Adam. "Archive Vs. Backup: What's the Difference? A Definition Guide." BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.
Kang, Soo. "Mitigating the Expense of E-Discovery; Recognizing the Difference Between Back-Ups and Archived Data." Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.
Mayer, Alex. "The 3-2-1 Backup Rule – An Efficient Data Protection Strategy." Naviko. Accessed 12 Mar 2022.
Steel, Amber. "LastPass Reveals 8 Truths about Passwords in the New Password Exposé." LastPass Blog, 1 Nov. 2017. Web.
"The Global Passwordless Authentication Market Size Is Estimated to Be USD 12.79 Billion in 2021 and Is Predicted to Reach USD 53.64 Billion by 2030 With a CAGR of 16.7% From 2022-2030." Report Linker, 9 June 2022. Web.
"What Is Data-Archiving?" Proofpoint. Accessed 07 Mar 2022.
Review IT vendor risk fundamentals and establish a risk governance framework.
Categorize, prioritize, and assess your vendor risks. Follow up with creating effective response strategies.
Assign accountability and responsibilities to formalize ongoing risk monitoring. Communicate your findings to management and share the plan moving forward.
To prepare the team for the workshop.
Avoids delays and interruptions once the workshop is in progress.
1.1 Send workshop agenda to all participants.
1.2 Prepare list of vendors and review any contracts provided by them.
1.3 Review current risk management process.
All necessary participants assembled
List of vendors and vendor contracts
Understanding of current risk management process
Review IT vendor risk fundamentals.
Assess current maturity and set risk management program goals.
Engage stakeholders and establish a risk governance framework.
Understanding of organizational risk culture and the corresponding risk threshold.
Obstacles to effective IT risk management identified.
Attainable goals to increase maturity established.
Understanding of the gap to achieve vendor risk readiness.
2.1 Brainstorm vendor-related risks.
2.2 Assess current program maturity.
2.3 Identify obstacles and pain points.
2.4 Develop risk management goals.
2.5 Develop key risk indicators (KRIs) and escalation protocols.
2.6 Gain stakeholders’ perspective.
Vendor risk management maturity assessment
Goals for vendor risk management
Stakeholders’ opinions
Categorize vendors.
Prioritize assessed risks.
Risk events prioritized according to risk severity – as defined by the business.
3.1 Categorize vendors.
3.2 Map vendor infrastructure.
3.3 Prioritize vendors.
3.4 Identify risk contributing factors.
3.5 Assess risk exposure.
3.6 Calculate expected cost.
3.7 Identify risk events.
3.8 Input risks into the Risk Register Tool.
Vendors classified and prioritized
Vendor risk exposure
Expected cost calculation
Determine risk threshold and contract clause relating to risk prevention.
Identify and assess risk response actions.
Thorough analysis has been conducted on the value and effectiveness of risk responses for high-severity risk events.
Risk response strategies have been identified for all key risks.
Authoritative risk response recommendations can be made to senior leadership.
4.1 Determine the threshold for (un)acceptable risk.
4.2 Match elements of the contract to related vendor risks.
4.3 Identify and assess risk responses.
Thresholds for (un)acceptable risk
Risk responses
Communicate top risks to management.
Assign accountabilities and responsibilities for risk management process.
Establish monitoring schedule.
Risk monitoring responsibilities are established.
Transparent accountabilities and established ongoing improvement of the vendor risk management program.
5.1 Create a stakeholder map.
5.2 Complete RACI chart.
5.3 Establish the reporting schedule.
5.4 Finalize the vendor risk management program.
Stakeholder map
Assigned accountability for risk management
Established monitoring schedule
Risk report
Vendor Risk Management Program Manual
Data should be at the foundation of your organization’s evolution. The transformational insights that executives and decision makers are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, trusted, and relevant data readily available to the users who need it.
This template will help you gather insights around stakeholder business goals and objectives, current data consumption practices, the types or domains of data that are important to them in supporting their business capabilities and initiatives, the challenges they face, and opportunities for data from their perspective.
Data strategy optimization anchored in a value proposition will ensure that the data strategy focuses on driving the most valuable and critical outcomes in support of the organization’s enterprise strategy. The template will help you facilitate deep-dive sessions with key stakeholders for building use cases that are of demonstrable value not only to their relevant lines of business but also to the wider organization.
Bring data to the C-suite by creating the Chief Data Officer role. This position is designed to bridge the gap between the business and IT by serving as a representative for the organization's data management practices and identifying how the organization can leverage data as a competitive advantage or corporate asset.
Use this template to document and formulate your data strategy. Follow along with the sections of the blueprint Build a Robust and Comprehensive Data Strategy and complete the template as you progress.
Establish the business context for the business strategy.
Substantiates the “why” of the data strategy.
Highlights the organization’s goals, objectives, and strategic direction the data must align with.
1.1 Data Strategy 101
1.2 Intro to Tech’s Data Strategy Framework
1.3 Data Strategy Value Proposition: Understand stakeholder’s strategic priorities and the alignment with data
1.4 Discuss the importance of vision, mission, and guiding principles of the organization’s data strategy
1.5 Understand the organization’s data culture – discuss Data Culture Survey results
1.6 Examine Core Value Streams of Business Architecture
Business context; strategic drivers
Data strategy guiding principles
Sample vision and mission statements
Data Culture Diagnostic Results Analysis
Build use cases of demonstrable value and understand the current environment.
An understanding of the current maturity level of key capabilities.
Use cases that represent areas of concern and/or high value and therefore need to be addressed.
2.1 Conduct key business stakeholder interviews to initiate the build of high-value business-data cases
Initialized high-value business-data cases
Build out a future state plan that is aimed at filling prioritized gaps and that informs a scalable roadmap for moving forward on treating data as an asset.
A target state plan, formulated with input from key stakeholders, for addressing gaps and for maturing capabilities necessary to strategically manage data.
3.1 Understand the current data environment: data capability assessment
3.2 Understand the current data practice: key data roles, skill sets; operating model, organization structure
3.3 Plan target state data environment and data practice
Data capability assessment and roadmapping tool
Consolidate business and data needs with consideration of external factors as well as internal barriers and enablers to the success of the data strategy. Bring all the outputs together for crafting a robust and comprehensive data strategy.
A consolidated view of business and data needs and the environment in which the data strategy will be operationalized.
An analysis of the feasibility and potential risks to the success of the data strategy.
4.1 Analyze gaps between current- and target-state
4.2 Initiate initiative, milestone and RACI planning
4.3 Working session with Data Strategy Owner
Data Strategy Next Steps Action Plan
Relevant data strategy related templates (example: data practice patterns, data role patterns)
Initialized Data Strategy on-a-Page
"In the dynamic environment in which we operate today, where we are constantly juggling disruptive forces, a well-formulated data strategy will prove to be a key asset in supporting business growth and sustainability, innovation, and transformation.
Your data strategy must align with the organization’s business strategy, and it is foundational to building and fostering an enterprise-wide data-driven culture."
Crystal Singh,
Director – Research and Advisory
Info-Tech Research Group
Formulate a data strategy that stitches all of the pieces together to better position you to unlock the value in your data:
Your data strategy is the vehicle for ensuring data is poised to support your organization’s strategic objectives.
The dynamic marketplace of today requires organizations to be responsive in order to gain or maintain their competitive edge and place in their industry.
Organizations need to have that 360-degree view of what’s going on and what’s likely to happen.
Disruptive forces often lead to changes in business models and require organizations to have a level of adaptability to remain relevant.
To respond, organizations need to make decisions and should be able to turn to their data to gain insights for informing their decisions.
A well-formulated and robust data strategy will ensure that your data investments bring you the returns by meeting your organization’s strategic objectives.
Organizations need to be in a position where they know what’s going on with their stakeholders and anticipate what their stakeholders’ needs are going to be.
Most organizations today will likely have some form of data management in place, supported by some of the common roles such as DBAs and data analysts.
Most will likely have a data architecture that supports some form of reporting.
Some may even have a chief data officer (CDO), a senior executive who has a seat at the C-suite table.
These are all great assets as a starting point BUT without a cohesive data strategy that stitches the pieces together and:
you’re missing the mark – you are not fully leveraging the incredible value of your data.
Cross-industry studies show that on average, less than half of an organization’s structured data is actively used in making decisions.
Your data strategy needs to align with your organizational strategy.
Main Organizational Strategic Drivers:
“The companies who will survive and thrive in the future are the ones who will outlearn and out-innovate everyone else. It is no longer ‘survival of the fittest’ but ‘survival of the smartest.’ Data is the element that both inspires and enables this new form of rapid innovation.” – Joel Semeniuk, 2016
The transformational insights that executives are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, well-integrated, trustworthy, relevant data readily available to the business users who need it.
Whether hoping to gain a better understanding of your business, trying to become an innovator in your industry, or having a compliance and regulatory mandate that needs to be met, any organization can get value from its data through a well-formulated, robust, and cohesive data strategy.
According to a leading North American bank, “More than one petabyte of new data, equivalent to about 1 million gigabytes” is entering the bank’s systems every month. – The Wall Street Journal, 2019
“Although businesses are at many different stages in unlocking the power of data, they share a common conviction that it can make or break an enterprise.” – Jim Love, ITWC CIO and Chief Digital Officer, IT World Canada, 2018
The expression “Data is an asset” or any other similar sentiment has long been heard.
With such hype, you would have expected data to have gotten more attention in the boardrooms. You would have expected to see its value reflected on financial statements as a result of its impact in driving things like acquisition, retention, product and service development and innovation, market growth, stakeholder satisfaction, relationships with partners, and overall strategic success of the organization.
The time has surely come for data to be treated as the asset it is.
“Paradoxically, “data” appear everywhere but on the balance sheet and income statement.” – HBR, 2018
“… data has traditionally been perceived as just one aspect of a technology project; it has not been treated as a corporate asset.” – “5 Essential Components of a Data Strategy,” SAS
According to Anil Chakravarthy, who is the CEO of Informatica and has a strong vantage point on how companies across industries leverage data for better business decisions, “what distinguishes the most successful businesses … is that they have developed the ability to manage data as an asset across the whole enterprise.” – McKinsey & Company, 2019
Data is being touted as the oil of the digital era…
But just like oil, if left unrefined, it cannot really be used.
"Data is the new oil." – Clive Humby, Chief Data Scientist
Source: Joel Semeniuk, 2016
Enter your data strategy.
Data is being perceived as that key strategic asset in your organization for fueling innovation and transformation.
Your data strategy is what allows you to effectively mine, refine, and use this resource.
“The world’s most valuable resource is no longer oil, but data.” – The Economist, 2017
“Modern innovation is now dependent upon this data.” – Joel Semeniuk, 2016
“The better the data, the better the resulting innovation and impact.” – Joel Semeniuk, 2016
Leveraging data as a strategic asset for the benefit of citizens.
Source: Privy Council Office, Government of Canada, 2018
Leveraging data to boost traditional profit and loss levers, find new sources of growth, and deliver the digital bank.
A European bank “turned to machine-learning algorithms that predict which currently active customers are likely to reduce their business with the bank.” The resulting understanding “gave rise to a targeted campaign that reduced churn by 15 percent” (McKinsey & Company, 2017).
A leading Canadian bank has built a marketplace around their data – they have launched a data marketplace where they have productized the bank’s data. They are providing data – as a product – to other units within the bank. These other business units essentially represent internal customers who are leveraging the product, which is data.
Through the use of data and advanced analytics, “a top bank in Asia discovered unsuspected similarities that allowed it to define 15,000 microsegments in its customer base. It then built a next-product-to-buy model that increased the likelihood to buy three times over.” Several sets of big data were explored, including “customer demographics and key characteristics, products held, credit-card statements, transaction and point-of-sale data, online and mobile transfers and payments, and credit-bureau data” (McKinsey & Company, 2017).
Leveraging data and analytics to prevent deadly infections
The fifth-largest health system in the US and the largest hospital provider in California uses a big data and advanced analytics platform to predict potential sepsis cases at the earliest stages, when intervention is most helpful.
Using the Sepsis Bio-Surveillance Program, this hospital provider monitors 120,000 lives per month in 34 hospitals and manages 7,500 patients with potential sepsis per month.
Collecting data from the electronic medical records of all patients in its facilities, the solution uses natural language processing (NLP) and a rules engine to continually monitor factors that could indicate a sepsis infection. In high-probability cases, the system sends an alarm to the primary nurse or physician.
Since implementing the big data and predictive analytics system, this hospital provider has seen a significant improvement in the mortality and the length of stay in ICU for sepsis patients.
At 28 of the hospitals which have been on the program, sepsis mortality rates have dropped an average of 5%.
With patients spending less time in the ICU, cost savings were also realized. This is significant, as sepsis is the costliest condition billed to Medicare, the second costliest billed to Medicaid and the uninsured, and the fourth costliest billed to private insurance.
Source: SAS, 2019
Leveraging data to better understand customer preferences, predict purchasing, drive customer experience, and optimize supply and demand planning.
Netflix is an example of a big brand that uses big data analytics for targeted advertising. With over 100 million subscribers, the company collects large amounts of data. If you are a subscriber, you are likely familiar with their suggestions messages of the next series or movie you should catch up on. These suggestions are based on your past search data and watch data. This data provides Netflix with insights into your interests and preferences for viewing (Mentionlytics, 2018).
“For the retail industry, big data means a greater understanding of consumer shopping habits and how to attract new customers.” – Ron Barasch, Envestnet | Yodlee, 2019
“We’re the converted … We see the value in data. The battle is getting executive teams to see it our way.” – Ted Maulucci, President of SmartONE Solutions Inc. IT World Canada, 2018
Info-Tech’s IT Maturity Ladder denotes the different levels of maturity for an IT department and its different functions. What is the current state of your data management capability?
You are best positioned to successfully execute on a data strategy if you are currently at or above the Trusted Operator level. If you find yourself still at the Unstable or Firefighter stage, your efforts are best spent on ensuring you can fulfill your day-to-day data and data management demands. Improving this capability will help build a strong data management foundation.
“Organizational culture can accelerate the application of analytics, amplify its power, and steer companies away from risky outcomes.” – McKinsey, 2018
Some say it’s the new oil. Or the currency of the new business landscape. Others describe it as the fuel of the digital economy. But we don’t need platitudes — we need real ways to extract the value from our data. – Jim Love, CIO and Chief Digital Officer, IT World Canada, 2018
Our practical step-by-step approach helps you to formulate a data strategy that delivers business value.
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Business and IT leaders aiming to recruit and select the best talent need to:
To create a great candidate experience, IT departments must be involved in the process at key points; recruitment and selection is not a job for HR alone!
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Train your IT department to get involved in the recruitment process to attract and select the best talent.
Use this tool in conjunction with the Improve Your IT Recruitment Process to document your action plans.
To get useful information from an interview, the interviewer should be focused on what candidates are saying and how they are saying it, not on what the next question will be, what probes to ask, or how they will score the responses. This Interview Guide Template will help interviewers stay focused and collect good information about candidates.
Hiring managers can choose from a comprehensive collection of core, functional, and leadership competency-based behavioral interview questions.
Use this template to develop a well-written job posting that will attract the star candidates and, in turn, deflect submission of irrelevant applications by those unqualified.
The most innovative technology isn’t necessarily the right solution. Review talent acquisition (TA) solutions and evaluate the purpose each option serves in addressing critical challenges and replacing critical in-person activities.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Establish the employee value proposition (EVP) and employer brand.
Have a well-defined EVP that you communicate through your employer brand.
1.1 Gather feedback.
1.2 Build key messages.
1.3 Assess employer brand.
Content and themes surrounding the EVP
Draft EVP and supporting statements
A clearer understanding of the current employer brand and how it could be improved
Develop job postings and build a strong sourcing program.
Create the framework for an effective job posting and analyze existing sourcing methods.
2.1 Review and update your job ads.
2.2 Review the effectiveness of existing sourcing programs.
2.3 Review job ads and sourcing methods for bias.
Updated job ad
Low usage sourcing methods identified for development
Minimize bias present in ads and sourcing methods
Create a high-quality interview process to improve candidate assessment.
Training on being an effective interviewer.
3.1 Create an ideal candidate scorecard.
3.2 Map out your interview process.
3.3 Practice behavioral interviews.
Ideal candidate persona
Finalized interview and assessment process
Practice interviews
Drive employee engagement and retention with a robust program that acclimates, guides, and develops new hires.
Evaluation of current onboarding practice.
4.1 Evaluate and redesign the onboarding program.
Determine new onboarding activities to fill identified gaps.
Follow this blueprint to:
Effective Interviewing
Onboarding: Setting up New Hires For Success
Awareness → Research → Application → Screening → Interview and Assessment → Follow Up → Onboarding
Talent is a priority for the entire organization:
Respondents rated “recruitment” as the top issue facing organizations today (McLean & Company 2022 HR Trends Report).
37% of IT departments are outsourcing roles to fill internal skill shortages (Info-Tech Talent Trends 2022 Survey).
Yet bad hires are alarmingly common:
Hiring is one of the least successful business processes, with three-quarters of managers reporting that they have made a bad hire (Robert Half, 2021).
48% of survey respondents stated improving the quality of hires was the top recruiting priority for 2021 (Jobvite, 2021).
| | Prework | Day 1 | Day 2 | Day 3 | Day 4 | Post work |
---|---|---|---|---|---|---|
| | Current Process and Job Descriptions Documented | Establish the Employee Value Proposition (EVP) and Employer Brand | Develop Job Postings and Build a Strong Sourcing Program | Effective Interviewing | Onboarding and Action Planning | Putting the Action Plan Into Action! |
| Activities | | 1.1 Introduce the Concept of an EVP; 1.2 Brainstorm Unique Benefits of Working at Your Organization; 1.2 Employer Brand Introduction | 2.1 What Makes an Attractive Job Posting; 2.2 Create the Framework for Job Posting; 2.3 Improve the Sourcing Process; 2.4 Review Process for Bias | 3.1 Creating an Interview Process; 3.2 Selecting Interview Questions; 3.3 Avoiding Bias During Interviews; 3.4 Practice Interviews | 4.1 Why Onboarding Matters; 4.2 Acclimatize New Hires and Set Them Up for Success; 4.3 Action Plan | 5.1 Review Outputs and Select Priorities; 5.2 Consult With HR and Senior Management to Get Buy-In; 5.3 Plan to Avoid Relapse Behaviors |
| Deliverables | | | | | | |
Develop a strong employee value proposition
The employee value proposition is your opportunity to showcase the unique benefits and opportunities of working at your organization, allowing you to attract a wider pool of candidates.
AN EMPLOYEE VALUE PROPOSITION IS: | AN EMPLOYEE VALUE PROPOSITION IS NOT: |
THE FOUR KEY COMPONENTS OF AN EMPLOYEE VALUE PROPOSITION
Rewards | Organizational Elements | Working Conditions | Day-to-Day Job Elements |
Creating a compelling EVP that presents a picture of your employee experience, with a focus on diversity, will attract a wide pool of diverse candidates to your team. This can lead to many internal and external benefits for your organization.
Existing Employee Value Proposition: If your organization or IT department has an existing employee value proposition, rather than starting from scratch, we recommend leveraging that and moving to the testing phase to see if the EVP still resonates with staff and external parties.
Employee Engagement Results: If your organization does an employee engagement survey, review the results to identify the areas in which the IT organization is performing well. Identify and document any key comment themes in the report around why employees enjoy working for the organization or what makes your IT department a great place to work.
Social Media Sites. Prepare for the good, the bad, and the ugly. Social media websites like Glassdoor and Indeed make it easier for employees to share their experiences at an organization honestly and candidly. While postings on these sites won’t relate exclusively to the IT department, they do invite participants to identify their department in the organization. You can search these to identify any positive things people are saying about working for the organization and potentially opportunities for improvement (which you can use as a starting point in the retention section of this report).
Download the Recruitment Workbook
Examples below.
| Shopify | “We’re Shopify. Our mission is to make commerce better for everyone – but we’re not the workplace for everyone. We thrive on change, operate on trust, and leverage the diverse perspectives of people on our team in everything we do. We solve problems at a rapid pace. In short, we get shit done.” |
---|---|
| Bettercloud | “At Bettercloud, we have a smart, ambitious team dedicated to delighting our customers. Our culture of ownership and transparency empowers our team to achieve goals they didn’t think possible. For all those on board, it’s going to be a challenging and rewarding journey – and we’re just getting started.” |
| Ellevest | “As a team member at Ellevest, you can expect to make a difference through your work, to have a direct impact on the achievement of a very meaningful mission, to significantly advance your career trajectory, and to have room for fun and fulfillment in your daily life. We know that achieving a mission as critical as ours requires incredible talent and teamwork, and team is the most important thing to us.” |
| INTERNAL TEST REVOLVES AROUND THE 3A’s | EXTERNAL TEST REVOLVES AROUND THE 3C’s |
---|---|
| ALIGNED: The EVP is in line with the organization’s purpose, vision, values, and processes. Ensure policies and programs are aligned with the organization’s EVP. | CLEAR: The EVP is straightforward, simple, and easy to understand. Without a clear message in the market, even the best intentioned EVPs can be lost in confusion. |
| ACCURATE: The EVP is clear and compelling, supported by proof points. It captures the true employee experience, which matches the organization’s communication and message in the market. | COMPELLING: The EVP emphasizes the value created for employees and is a strong motivator to join this organization. A strong EVP will be effective in drawing in external candidates. The message will resonate with them and attract them to your organization. |
| ASPIRATIONAL: The EVP inspires both individuals and the IT organization as a whole. Identify and invest in the areas that are sure to generate the highest returns for employees. | COMPREHENSIVE: The EVP provides enough information for the potential employee to understand the true employee experience and to self-assess whether they are a good fit for your organization. If the EVP lacks depth, the potential employee may have a hard time understanding the benefits and rewards of working for your organization. |
Market your EVP to potential candidates: Employer Brand
The employer brand is the perception internal and external stakeholders hold of the organization and exists whether it has been curated or not. Curating the employer brand involves marketing the organization and employee experience. Grounding your employer brand in your EVP enables you to communicate and market an accurate portrayal of your organization and employee experience and make you desirable to both current and potential employees.
Employee value proposition: The unique offering an employer provides to employees in return for their effort, motivating them to join or remain at the organization.
Employer brand: The perception internal and external stakeholders hold of the organization.
Alignment between the EVP, employer brand, and corporate brand is the ideal branding package. An in-sync marketing strategy ensures stakeholders perceive and experience the brand the same way, creating brand ambassadors.
How you present your employer brand is just as important as the content. Ideally, you want the viewer to connect with and personalize the material for the message to have staying power. Use Marketing’s expertise to help craft impactful promotional materials to engage and excite the viewer.
Visuals
Images are often the first thing viewers notice. Use visuals that connect to your employer brand to engage the viewer’s attention and increase the likelihood that your message will resonate. However, if there are too many visuals this may detract from your content – balance is key!
Language
Wordsmithing is often the most difficult aspect of marketing. Your message should be accurate, informative, and engaging. Work with Marketing to ensure your wording is clever and succinct – the more concise, the better.
Composition
Integrate visuals and language to complete your marketing package. Ensure that the text and images are balanced to draw in the viewer.
This case study is happening in real time. Please check back to learn more as Goddard continues to recruit for the position.
Goddard Space Center is the largest of NASA’s space centers with approximately 11,000 employees. It is currently recruiting for a senior technical role for commercial launches. The position requires consulting and working with external partners and vendors.
NASA is a highly desirable employer due to its strong culture of inclusivity, belonging, teamwork, learning, and growth. Its culture is anchored by a compelling vision, “For the betterment of Humankind,” and amplified by a strong leadership team that actively lives their mission and vision daily.
Firsthand lists NASA as #1 on the 50 most prestigious internships for 2022.
The position is in a rural area of Eastern Shore Virginia with a population of approximately 60,000 people, which translates to a small pool of candidates. Any hire from outside the area will be expected to relocate as the senior technician must be onsite to support launches twice a month. Financial relocation support is not offered and the position is a two-year assignment with the option of extension that could eventually become permanent.
“Looking for a Talent Unicorn: a qualified, experienced candidate with both leadership skills and deep technical expertise that can grow and learn with emerging technologies.”
Steve Thornton
Acting Division Chief, Solutions Division, Goddard Space Flight Center, NASA
Culture takes the lead in NASA's job postings, which attract a high number of candidates. Postings begin with a link to a short video on working at NASA, its history, and how it lives its vision. The video highlights NASA's diversity of perspectives, career development, and learning opportunities.
NASA's company brand and employer brand are tightly intertwined, providing a consistent view of the organization.
The employer vision is presented in the best place to reach NASA's ideal candidate: usajobs.gov, the official website of the United States Government and the “go-to” for government job listings. NASA also extends its postings to other generic job sites as well as LinkedIn and professional associations.
Interview with Robert Leahy
Chief Information Officer, Goddard Space Flight Center, NASA
You can use sites like:
Create engaging job ads to attract talent to the organization
A job description is an internal document that includes sections such as general job information, major responsibilities, key relationships, qualifications, and competencies. It communicates job expectations to incumbents and key job data to HR programs.
A job ad is an externally facing document that advertises a position with the intent of attracting job applicants. It contains key elements from the job description as well as information on the organization and its EVP.
A job description informs a job ad; it doesn’t replace it. Don’t be lulled into using a job description as a posting when there’s a time crunch to fill a position. Refer to job postings as job advertisements to reinforce that their purpose is to attract attention and talent.
| Position Title | |
---|---|
| Company | |
| Summary Description | |
| Responsibilities | |
| Position Characteristics | |
| Position Requirements | |
| Work Conditions | |
| Process to Apply | |
Bottom Line: A truly successful job posting ferrets out those hidden stars that may be overcautious and filters out hundreds of applications from the woefully underqualified.
DON’T overlook the power of words. Avoid phrases like “strong English language skills” as this may deter non-native English speakers from applying and a “clean-shaven” requirement can exclude candidates whose faith requires them to maintain facial hair.
DON’T post a long requirements list. A study showed that the average jobseeker spends only 49.7 seconds reviewing a listing before deciding it's not a fit.*
DON’T present a toxic work culture; phrases such as “work hard, play hard” can put off many candidates and play into the “bro-culture” stereotype in tech.
Position Title: Senior Lorem Ipsum
Salary Band: $XXX to $XXX
Diversity is a core value at ACME Inc. We believe that diversity and inclusion is our strength, and we’re passionate about building an environment where all employees are valued and can perform at their best.
As a … you will …
Our ideal candidate ….
Required Education and Experience
Required Skills
Preferred Skills
At ACME Inc. you will find …
DO promote pay equity by being up front and honest about salary expectations.
DO emphasize your organization’s commitment to diversity and an inclusive workplace by adding an equity statement.
DO limit your requirements to “must haves” or at least showcase them first before the “nice-to-haves.”
DO involve current employees or members of your employee resource groups when creating job descriptions to ensure that they ask for what you really need.
DO focus on company values and criteria that are important to the job, not just what’s always been done.
☑ | Does the job posting highlight your organization’s EVP? |
☐ | Does the job posting avoid words that might discourage women, people of color, and other members of underrepresented groups from applying? |
☑ | Has the position description been carefully reviewed and revised to reflect current and future expectations for the position, rather than expectations informed by the persons who have previously held the job? |
☐ | Has the hiring committee eliminated any unnecessary job skills or requirements (college degree, years or type of previous experience, etc.) that might negatively impact recruitment of underrepresented groups? |
☑ | Has the hiring committee posted the job in places (job boards, websites, colleges, etc.) where applicants from underrepresented groups will be able to easily view or access it? |
☐ | Have members of the hiring committee attended job fairs or other events hosted by underrepresented groups? |
☐ | Has the hiring committee asked current employees from underrepresented groups to spread the word about the position? |
☐ | Has the hiring committee worked with the marketing team to ensure that people from diverse groups are featured in the organization’s website, publications, and social media? |
☐ | Does the job description clearly demonstrate the organization’s and leadership’s commitment to DEI? |
Get involved with sourcing to get your job ad seen
Social Media
Social media has trained candidates to expect:

While the focus on the candidate experience is important throughout the talent acquisition process, social media, technology, and values have made it a critical component of sourcing.

Technology
Candidates expect to be able to access job ads from all platforms.
Job ads must be clear, concise, and easily viewed on a mobile device.

Candidate Values
Job candidates’ values are changing.
Authenticity remains important.
Internal Talent Mobility (ITM) Program
Social Media Program
Employee Referral Program
Alumni Program
Campus Recruiting Program
Other Sourcing Tactics
What is it?
Positioning the right talent in the right place, at the right time, for the right reasons, and supporting them appropriately.
ITM program benefits:
Provide opportunities to develop professionally, whether in the current role or through promotions/lateral moves.
Keep strong performers and high-potential employees committed to the organization.
Address rapid change, knowledge drain due to retiring Baby Boomers, and frustration associated with time to hire or time to productivity.
Reduce spend on talent acquisition, severance, time to productivity, and onboarding.
Increase motivation and productivity by providing increased growth and development opportunities.
Align with the organization’s offering and what is important to the employees from a development perspective.
Support and develop employees from all levels and job functions.
Social Media Program
What is it?
The widely accessible electronic tools that enable anyone to publish and access information, collaborate on common efforts, and build relationships. Learning to use social media effectively is key to sourcing the right talent.
(Ku, 2021)
Benefits of social media:
Challenges of social media:
With the proliferation of social media and use by most organizations, social media platforms have become overcrowded. As a result:
“It is all about how we can get someone’s attention and get them to respond. People are becoming jaded.”
– Katrina Collier, Social Recruiting Expert, The Searchologist
Employee Referral Program
What is it?
Employees recommend qualified candidates. If the referral is hired, the referring employee typically receives some sort of reward.
Benefits of an employee referral program:
55% of organizations report that hiring a referral is less expensive than a non-referred candidate (Clutch, 2020).
The average recruiting lifecycle for an employee referral is 29 days, compared with 55 days for a non-referral (Betterup, 2022).
46% of employees who were referred stay at their organization for at least one year, compared to 33% of career site hires (Betterup, 2022).
High performers are more likely to refer other high performers to an organization (The University of Chicago Press, 2019).
Avoid the Like Me Bias: Continually evaluate the diversity of candidates sourced from the employee referral program. Unless your workforce is already diverse, referrals can hinder diversity because employees tend to recommend people like themselves.
Alumni Program
What is it? An alumni referral program is a formalized way to maintain ongoing relationships with former employees of the organization.
Successful organizations use an alumni program:
Benefits of an alumni program:
Campus Recruiting Program
What is it? A formalized means of attracting and hiring individuals who are about to graduate from schools, colleges, or universities. Almost 70% of companies are looking to employ new college graduates every year (HR Shelf, 2022).
Campus recruitment benefits:
Target schools that align with your culture and needs. Do not just focus on the most prestigious schools: they are likely more costly, have more intense competition, and may not actually provide the right talent.
Other Sourcing Tactics
1. Professional industry associations
2. Special interest groups
3. Customers
4. Exit interviews
5. Not-for-profit intermediaries
6. Gamification
American Express created a boot camp for software engineers in partnership with Year Up and Gateway Community College to increase entry-level IT hires. Results:
(HBR, 2016)
PwC (Hungary) created Multiploy, a two-day game that allows students to virtually experience working in accounting or consulting at the organization. Results:
(Zielinski, 2015)
Use knowledge that already exists in the organization to improve talent sourcing capabilities.
Marketing | HR |
---|---|
Marketing knows how to: | HR knows how to: |
To successfully partner with other departments in your organization:
Encourage your team to seek out, and learn from, employees in different divisions. Training sessions with the teams may not always be possible but one-on-one chats can be just as effective and may be better received.
Create a high-quality interview process to improve candidate assessment
If you…
…then stop. Use this research!
Step 5: Define decision rights
Establish decision-making authority and veto power to mitigate post-interview conflicts over who has final say over a candidate’s status.
Follow these steps to create a positive interview experience for all involved.
Define the attributes of the ideal candidate…
Ideal candidate = Ability to do the job + Motivation to do the job + Fit
Competencies
Experiences
Data for these come from:
Data for these come from:
Caution: Evaluating for “organizational or cultural fit” can lead to interviewers falling into the trap of the “like me” bias, and excluding diverse candidates.
Non-negotiable: Absolutely required for the job! Usually attributes that are hard to train, such as writing skills, or expensive to acquire after hire, such as higher education or specific technical skills.
An Asset: Usually attributes that can be trained, such as computer skills. It’s a bonus if the new hire has it.
Nice-to-have: Attributes that aren’t necessary for the job but beneficial. These could help in breaking final decision ties.
Deal Breakers: Also discuss and decide on any deal breakers that would automatically exclude a candidate.
“The hardest work is accurately defining what kind of person is going to best perform this job. What are their virtues? If you’ve all that defined, the rest is not so tough.”
– VP, Financial Services
The Screening Interview Template will help you develop a screening interview by providing:
Once completed, this template will help you or HR staff conduct candidate screening interviews with ease and consistency. Always do screening interviews over the phone or via video to save time and money.
Determine the goal of the screening interview – do you want to evaluate technical skills, communication skills, attitude, etc.? – and create questions based on this goal. If evaluating technical skill, have someone with technical competency conduct the interview.
Unstructured: A traditional method of interviewing that involves no constraints on the questions asked, no requirements for standardization, and a subjective assessment of the candidate. This format is the most prone to bias.
Semi-Structured: A blend of structured and unstructured, where the interviewer will ask a small list of similar questions to all candidates along with some questions pertaining to the resume.
Structured: An interview consisting of a standardized set of job-relevant questions and a scoring guide. The goal is to reduce interviewer bias and to help make an objective and valid decision about the best candidate.
Components of a highly structured interview include:
The more of these components your interview has, the more structured it is, and the more valid it will be.
The purpose of interviewing is to assess, not just listen. Questions are what help you do this.
Use the Interview Question Planning Guide tab in the Candidate Interview Strategy and Planning Guide to prepare your interview questions.
Introduce yourself and ask if now is a good time to talk. (Before calling, prepare your sales pitch on the organization and the position.) | You want to catch candidates off guard so that they don’t have time to prepare scripted answers; however, you must be courteous to their schedule. |
Provide an overview of the position, then start asking pre-set questions. Take a lot of notes. | It is important to provide candidates with as much information as possible about the position – they are deciding whether they are interested in the role as much as you are deciding whether they are suitable. |
Listen to how the questions are answered. Ask follow-up questions when appropriate and especially if the candidate seems to be holding something back. | If there are long pauses or the candidate’s voice changes, there may be something they aren’t telling you that you should know. |
Be alert to inconsistencies between the resume and answers to the questions and address them. | It’s important to get to the bottom of issues before the in-person interview. If dates, titles, responsibilities, etc. seem to be inconsistent, ask more questions. |
Ask candidates about their salary expectations. | It’s important to ensure alignment of the salary expectations early on. If the expectations are much higher than the range, and the candidate doesn’t seem to be open to the lower range, there is no point interviewing them. This would be a waste of everyone’s time. |
Answer the applicant’s questions and conclude the interview. | |
Wait until after the interview to rate the applicant. | Don’t allow yourself to judge throughout the interview, or it could skew questions. Rate the applicant once the interview is complete. |
When you have a shortlist of candidates to invite to an in-person interview, use the Candidate Communication Template to guide you through proper phone and email communications.
Question (traditional): “What would you identify as your greatest strength?” Answer: Ability to work on a team.
Top-level interview questions set the stage for probing. Your interview script should contain the top two levels of questions in the pyramid and a few probes that you will likely need to ask. You can then drill down further depending on the candidate’s answers.
Follow-Up Question: “Can you outline a particular example when you were able to exercise your teamwork skills to reach a team goal?”
Probing questions start with asking what, when, who, why, and how, and gain insight into a candidate’s thought process, experiences, and successes.
Probing Level 1: Probe around the what, how, who, when, and where. “How did you accomplish that?”
How to develop probes? By anticipating the kinds of responses that candidates from different backgrounds or with different levels of experience are likely to give as a response to an interview question. Probes should provide a clear understanding of the situation, the behavior, and the outcome so that the response can be accurately scored. Common probes include:
Tailor probes to the candidate’s answers to evoke meaningful and insightful responses.
Probing Level 2: Allow for some creativity. “What would you do differently if you were to do it again?”
Consider leveraging behavioral interview questions in your interview to reduce bias.
Assessments are created by people that have biases. This often means that assessments can be biased, especially with preferences towards a Western perspective. Even if the same assessments are administered, the questions will be interpreted differently by candidates with varying cultural backgrounds and lived experiences. If assessments do not account for this, it ultimately leads to favoring the answers of certain demographic groups, often ones similar to those who developed the assessment.
[Figure: sample interview guide with callouts for the attribute you are evaluating, the probing questions prepared, the area to take notes, the exact question you will ask, the place to record the score, and the anchored scale with definitions of a poor, OK, and great answer.]
The must-haves:
“At the end of the day, it’s the supervisor that has to live with the person, so any decision that does not involve the supervisor is a very flawed process.” – VP, Financial Services
The nice-to-haves:
Record the interview team details in the Candidate Interview Strategy and Planning Guide template.
Who Should… Contact candidates to schedule interviews or communicate decisions?
Who Should… Be responsible for candidate welcomes, walk-outs, and hand-offs between interviews?
Who Should… Define and communicate each stakeholder’s role?
Who Should… Chair the preparation and debrief meetings and play the role of the referee when trying to reach a consensus?
“Unless you’ve got roles within the panel really detailed and agreed upon, for example, who is going to take the lead on what area of questions, you end up with a situation where nobody is in charge or accountable for the final interview assessment.” – VP, Financial Services
Try a Two Lens Assessment: One interviewer assesses the candidate as a project leader while another assesses them as a people leader for a question such as “Give me an example of when you exercised your leadership skills with a junior team member.”
It is typical and acceptable that you, as the direct reporting manager, should have veto power, as do some executives.
Veto Power: Direct Supervisor or Manager
Decision Makers (Must Have Consensus): Other Stakeholders, Direct Supervisor’s Boss, Direct Supervisor
Contributes Opinion: HR Representative, Peer
After the preliminary interview, HR should not be involved in making the decision unless they have a solid understanding of the position. Peers can make an unfair assessment due to perceived competition with a candidate. Additionally, if a peer doesn’t want a candidate to be hired and the direct supervisor does hire the candidate, the peer may hold resentment against that candidate and set the team up for conflict.
The decision should rest on those who will interact with the candidate on a daily basis and who manage the team or department that the candidate will be joining.
The decisions being made can include whether or not to move a candidate onto the next phase of the hiring process or a final hiring decision. Deciding decision rights in advance defines accountability for an effective interview process.
Download the Behavioral Interview Question Library
Give candidates a warm, genuine greeting. Introduce them to other interviewers present. Offer a drink. Make small talk. | “There are some real advantages to creating a comfortable climate for the candidate; the obvious respect for the individual, but people really let their guard down.” – HR Director, Financial Services |
Give the candidate an overview of the process, length, and what to expect of the interview. Indicate to the candidate that notes will be taken during the interview. | If shorter than an hour, you probably aren’t probing enough or even asking the right questions. It also looks bad to candidates if the interview is over quickly. |
Start with the first question in the interview guide and make notes directly on the interview guide (written or typed) for each question. | Take lots of notes! You think you’ll remember what was said, but you won’t. It also adds transparency and helps with documentation. |
Ask the questions in the order presented for interview consistency. Probe and clarify as needed (see next slide). | Keep control of the interview by curtailing any irrelevant or long-winded responses. |
After all interview questions are complete, ask candidates if there was anything about their qualifications that was missed that they want to highlight. | Lets you know they understand the job and gives them the feeling they’ve put everything on the table. |
Ask if the candidate has any questions. Respond to the questions asked. | Answer candidate questions honestly because fit works both ways. Ensure candidates leave with a better sense of the job, expectations, and organizational culture. |
Review the compensation structure for the position and provide a realistic preview of the job and organization. | Provide each candidate with a fair chance by maintaining a consistent interview process. |
Tell interviewees what happens next in the process, the expected time frame, and how they will be informed of the outcome. Escort them out and thank them for the interview. | |
The subsequent slides provide additional detail on these eight steps to conducting an effective interview.
Like-me effect: An often-unconscious preference for, and unfairly positive evaluation of, a candidate based on shared interests, personalities, and experiences, etc.
Status effect: Overrating candidates based on the prestige of previously held positions, titles, or schools attended.
Recency bias: Placing greater emphasis on interviews held closer to the decision-making date.
Contrast effect: Rating candidates relative to those who precede or follow them during the interview process, rather than against previously determined data.
Solution
Assess candidates by using existing competency-based criteria.
Negative tone: Starting the interview on a negative or stressful note may derail an otherwise promising candidate.
Poor interview management: Letting the candidate digress may leave some questions unanswered and reduce the interview value.
Reliance on first impressions: Basing decisions on first impressions undermines the objectivity of competency-based selection.
Failure to ask probing questions: Accepting general answers without asking follow-up questions reduces the evidentiary value of the interview.
Solution
Follow the structured interview process you designed and practiced.
Do... | Don’t… |
---|---|
Take control of the interview by politely interrupting to clarify points or keep the interviewee on topic. Use probing to drill down on responses and ask for clarification. Ask who, what, when, why, and how. Be cognizant of confidentiality issues. Ask for a sample of work from a past position. Focus on knowledge or information gaps from previous interviews that need to be addressed in the interview. Ensure each member of a panel interview speaks in turn and the lead is given due respect to moderate. | Be mean when probing. Intimidation actually works against you and is stressful for candidates. When you’re friendly, candidates will actually open up more. Interrupt or undermine other panel members. Their comments and questions are just as valid as yours are, and treating others unprofessionally gives a bad impression to the candidate. Ask illegal questions. Questions about things like religion, disability, and marital and family status are off limits. |
Do...
Listen to how candidates talk about their previous bosses – you want it to be mainly positive. If their discussion of past bosses reflects a strong sense of self-entitlement or a consistent theme of victimization, this could be a theme in their behavior and make them hard to work with.
Pay attention to body language and tone. They can tell you a lot about candidate motivation and interest.
Listen to what candidates want to improve. It’s an opportunity to talk about development and advancement opportunities in the organization.
While listening to responses, also watch out for red and yellow flags.
Red Flag: A concern about something that would keep you from hiring the person.
Yellow Flag: A concern that needs to be addressed, but wouldn’t keep you from hiring the person.
Not all candidates have red flags, but it is important to keep them in mind to identify potential issues with the candidate before they are hired.
What if you think you sense a red or yellow flag? Following the interview, immediately discuss the situation with others involved in the recruitment process or those familiar with the position, such as HR, another hiring manager, or a current employee in the role. They can help evaluate if it’s truly a matter of concern.
Don’t…
Talk too much! You are there to listen. Candidates should do about 80% of the talking so you can adequately evaluate them. Be friendly, but be sure to spend the time allotted assessing, not chatting. If you talk too much, you may end up hiring a weak candidate because you didn’t perceive weaknesses or not hire a strong candidate because you didn’t identify strengths.
When the interviewer makes a positive impression on a candidate and provides a positive impression of the organization it carries forward after they are hired.
In addition, better candidates can be referred over the course of time due to higher quality networking.
As much as choosing the right candidate is important to you, make sure the right candidate wants to choose you and work for your organization.
Don’t…
Believe everything candidates say. Most candidates embellish and exaggerate to find the answers they think you want. Use probing to drill down to specifics and take them off their game.
Ask gimmicky questions like “what color is your soul?” Responses to these questions won’t give you any information about the job. Candidates don’t like them either!
Focus too much on the resume. If the candidate is smart, they’ve tailored it to match the job posting, so of course the person sounds perfect for the job. Read it in advance, highlight specific things you want to ask, then ignore it.
Oversell the job or organization. Obviously you want to give candidates a positive impression, but don’t go overboard because this could lead to unhappy hires who don’t receive what you sold them. Candidates need to evaluate fit just as much as you.
Get distracted by a candidate’s qualifications and focus only on their ability to do the job. Just because they are qualified does not mean they have the attitude or personality to fit the job or culture.
Show emotion at any physical handicap. You can’t discriminate based on physical disability, so protect the organization by not drawing attention to it. Even if you don’t say anything, your facial expression may.
Bring a bad day or excess baggage into the interview, or be abrupt, rushed, or uninterested in the interview. This is rude behavior and will leave a negative impression with candidates, which could impact your chances of hiring them.
Submit to first impression bias because you’ll spend the rest of the interview trying to validate your first impression, wasting your time and the candidate’s. Remain as objective as possible and stick to the interview guide to stay focused on the task at hand.
“To the candidate, if you are meeting person #3 and you’re hearing questions that person #1 and #2 asked, the company doesn’t look too hot or organized.” – President, Recruiting Firm
Onboarding should pick up where candidate experience leaves off
Onboarding ≠ Orientation
Onboarding is more than just orientation. Orientation is typically a few days of completing paperwork, reading manuals, and learning about the company’s history, strategic goals, and culture. By contrast, onboarding is three to twelve months dedicated to welcoming, acclimating, guiding, and developing new employees – with the ideal duration reflecting the time to productivity for the role.
A traditional orientation approach provides insufficient focus on the organizational identification, socialization, and job clarity that a new hire requires. This is a missed opportunity to build engagement, drive productivity, and increase organizational commitment. This can result in early disengagement and premature departure.
Over the long term, effective onboarding has a positive impact on revenue and decreases costs.
The benefits of onboarding:
Help new hires feel connected to the organization by clearly articulating the mission, vision, values, and what the company does. Help them understand the business model, the industry, and who their competitors are. Help them feel connected to their new team members by providing opportunities for socialization and a support network.
Help put new hires on the path to high performance by clearly outlining their role in the organization and how their performance will be evaluated.
Help new hires receive the experience and training they require to become high performers by helping them build needed competencies.
We recommend a three-to-twelve-month onboarding program, with the performance management aspect of onboarding extending out to meet the standard organizational performance management cycle.
The length of the onboarding program should align with the average time to productivity for the role(s). Consider the complexity of the role, the industry, and the level of the new hire when determining program length.
For example, call center workers who are selling a straight-forward product may only require a three-month onboarding, while senior leaders may require a year-long program.
Our primary and secondary research identified the following as the most commonly stated reasons why employees leave organizations prematurely. These issues will be addressed throughout the next section.
Acclimate | Guide | Develop |
“Onboarding is often seen as an entry-level HR function. It needs to rise in importance because it’s the first impression of the organization and can be much more powerful than we sometimes give it credit for. It should be a culture building and branding program.” – Doris Sims, SPHR, The Succession Consultant, and Author, Creative Onboarding Programs
Sample challenges | Potential solutions |
---|---|
Some paperwork cannot be completed digitally (e.g. I-9 form in the US). | Where possible, complete forms with digital signatures (e.g. DocuSign). Where not possible, begin the process earlier and mail required forms to employees to sign and return, or scan and email for the employee to print and return. |
Required compliance training material is not available virtually. | Seek online training options where possible. Determine the most-critical training needs and prioritize the replication of materials in audio/video format (e.g. recorded lecture) and distribute virtually. |
Employees may not have access to their equipment immediately due to shipping or supply issues. | Delay employee start dates until you can set them up with the proper equipment and access needed to do their job. |
New hires can’t get answers to their questions about benefits information and setup. | Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits. |
One of the biggest challenges for remote new hires is the inability to casually ask questions or have conversations without feeling like they’re interrupting. Until they have a chance to get settled, providing formal opportunities for questions can help address this.
Sample challenges | Potential solutions | |
---|---|---|
Key company information such as organizational history, charts, or the vision, mission, and values cannot be clearly learned by employees on their own. | Have the new hire’s manager call to walk through the important company information to provide a personal touch and allow the new hire to ask questions and get to know their new manager. | |
Keeping new hires up to date on crisis communications is important, but too much information may overwhelm them or cause unnecessary stress. | Sharing the future of the organization is a critical part of the company information stage of onboarding and the ever-changing nature of the COVID-19 crisis is informing many organizations’ future right now. Be honest but avoid over-sharing plans that may change. | |
New hires can’t get answers to their questions about benefits information and setup. | Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits. |
Sample challenges | Potential solutions | |
---|---|---|
Team introductions via a team lunch or welcome event are typically done in person. | Provide managers with a calendar of typical socialization events in the first few weeks of onboarding and provide instructions and ideas for how to schedule replacement events over videoconferencing. | |
New hires may not have a point of contact for informal questions or needs if their peers aren’t around them to help. | If it doesn’t already exist, create a virtual buddy program and provide instructions for managers to select a buddy from the new hire’s team. Explain that their role is to field informal questions about the company, team, and anything else and that they should book weekly meetings with the new hire to stay in touch. | |
New hires will not have an opportunity to learn or become a part of the informal decision-making networks at the organization. | Hiring managers should consider key network connections that new hires will need by going through their own internal network and asking other team members for recommendations. | |
New hires will not be able to casually meet people around the office. | Provide the employee with a list of key contacts for them to reach out to and book informal virtual coffee chats to introduce themselves. |
Sample challenges | Potential solutions | |
---|---|---|
Performance management (PM) processes have been paused given the current crisis. | Communicate to managers that new hires still need to be onboarded to the organization’s performance management process and that goals and feedback need to be introduced and the review process outlined even if it’s not currently happening. | |
Goals and expectations differ or have been reprioritized during the crisis. | Ask managers to explain the current situation at the organization and any temporary changes to goals and expectations as a result of new hires. | |
Remote workers often require more-frequent feedback than is mandated in current PM processes. | Revamp PM processes to include daily or bi-weekly touchpoints for managers to provide feedback and coaching for new hires for at least their first six months. | |
Managers will not be able to monitor new hire work as effectively as usual. | Ensure there is a formal approach for how employees will keep their managers updated on what they're working on and how it's going, for example, daily scrums or task-tracking software. |
For more information on adapting performance management to a virtual environment, see Info-Tech’s Performance Management for Emergency Work-From-Home research.
Categorize the different types of formal and informal training in the onboarding process into the following three categories. For departmental and individual training, speak to managers to understand what is required on a department and role basis:
Organizational | Departmental | Individual |
---|---|---|
For example: | For example: | For example: |
In a crisis, not every training can be translated to a virtual environment in the short term. It’s also important to focus on critical learning activities versus the non-critical. Prioritize the training activities by examining the learning outcomes of each and asking:
Lower priority or non-critical activities can be used to fill gaps in onboarding schedules or as extra activities to be completed if the new hire finds themselves with unexpected downtime to fill.
If there is a lack of resources, expertise, or time, outsource digital training to a content provider or through your LMS.
2021 Recruiter Nation Report. Survey Analysis, Jobvite, 2021. Web.
“5 Global Stats Shaping Recruiting Trends.” The Undercover Recruiter, 2022. Web.
Barr, Tavis, Raicho Bojilov, and Lalith Munasinghe. "Referrals and Search Efficiency: Who Learns What and When?" The University of Chicago Press, Journal of Labor Economics, vol. 37, no. 4, Oct. 2019. Web.
“How to grow your team better, faster with an employee referral program.” Betterup, 10 Jan. 2022. Web.
“Employee Value Proposition: How 25 Companies Define Their EVP.” Built In, 2021. Web.
Global Leadership Forecast 2021. Survey Report, DDI World, 2021. Web.
“Connecting Unemployed Youth with Organizations That Need Talent.” Harvard Business Review, 3 November 2016. Web.
Ku, Daniel. “Social Recruiting: Everything You Need To Know for 2022.” PostBeyond, 26 November 2021. Web.
Ladders Staff. “Shedding light on the job search.” Ladders, 20 May 2013. Web.
Merin. “Campus Recruitment – Meaning, Benefits & Challenges.” HR Shelf, 1 February 2022. Web.
Mobile Recruiting. Smart Recruiters, 2020. Accessed March 2022.
Roddy, Seamus. “5 Employee Referral Program Strategies to Hire Top Talent.” Clutch, 22 April 2020. Web.
Sinclair, James. “What The F*dge: That's Your Stranger Recruiting Budget?” LinkedIn, 11 November 2019. Web.
“Ten Employer Examples of EVPs.” Workology, 2022. Web.
“The Higher Cost of a Bad Hire.” Robert Half, 15 March 2021. Accessed March 2022.
Trost, Katy. “Hiring with a 90% Success Rate.” Katy Trost, Medium, 8 August 2022. Web.
“Using Social Media for Talent Acquisition.” SHRM, 20 Sept. 2017. Web.
A step-by-step approach to walk you through understanding your current state related to accessibility maturity, identifying your desired future state, and building your business case to seek buy-in. This storyboard will help you figure out what’s right for your organization and build the accessibility business case for IT.
The business case for accessibility is strong. Use this template to communicate to senior leaders the benefits, challenges, and risks of inaction.
This tool uses a capability maturity model framework to evaluate your current state of accessibility. Maturity level is assessed on three interconnected aspects (people, process, and technology) across six dimensions proven to impact accessibility. Complete the assessment to get recommendations based on where you’re at.
Accessibility is important for individuals, businesses, and society. Diverse populations need diverse access, and it’s essential to provide access and opportunity to everyone, including people with diverse abilities. In fact, access to information and communications technologies (ICT) is a basic human right according to the United Nations.
The benefits of ICT accessibility go beyond compliance. Many innovations that we use in everyday life, such as voice activation, began as accessibility initiatives and ended up creating a better lived experience for everyone. Accessibility can improve user experience and satisfaction, and it can enhance your brand, drive innovation, and extend your market reach (WAI, 2022).
Although your organization might be required by law to ensure accessibility, understanding your users’ needs and incorporating them into your processes early will determine success beyond just compliance.
Heather Leier-Murray
Senior Research Analyst, People and Leadership
Info-Tech Research Group
Your Challenge | Common Obstacles | Info-Tech’s Approach |
---|---|---|
Global IT and business leaders are challenged to make digital products and services accessible because inaccessibility comes with increasing risk to brand reputation, legal ramifications, and constrained market reach. | Understanding where to start, where accessibility lives, and if or when you’re done can be overwhelmingly difficult. Conventional approaches to accessibility often fail because users are expected to do the hard work. You have to be doing 80% of the hard work.1 | Use Info-Tech’s research and resources to do what’s right for your organization. This framework takes away the overwhelm that many feel when they hear “accessibility” and makes the steps for your organization approachable. |
1. Harvard Business Review, 2021
Info-Tech Insight
The longer you put off accessibility, the more tech debt you accumulate and the more you risk losing access to new and existing markets. The longer you wait to adopt standards and best practices, the more interest you’ll accumulate on accessibility barriers and costs for remediation.
The cost of inaction related to accessibility is rising. Preparing for accessibility earlier helps prevent tech debt; the longer you wait to address your accessibility obligations, the more costly it gets.
More than 3,500 digital accessibility lawsuits were filed in the US in 2020, up more than 50% from 2018.
Source: UsableNet, Inc.
These barriers make accessibility difficult to address for many organizations:
1. Smashing Magazine
2. Harvard Business Review, 2021
90% of companies claim to prioritize diversity.
Source: Harvard Business Review, 2020
Only 4% of those that claim to prioritize diversity consider disability in those initiatives.
Source: Harvard Business Review, 2020
WCAG (Web Content Accessibility Guidelines) identifies four principles of accessibility. WCAG is the most referenced standard in website accessibility lawsuits.
Source: eSSENTIAL Accessibility, 2022
Top three reasons:
61% | 62% | 78% |
---|---|---|
To comply with laws | To provide the best UX | To include people with disabilities |
Source: Level Access
Still, most businesses aren’t meeting compliance standards. Even though legislation has been in place for over 30 years, a 2022 study by WebAIM of 1,000,000 homepages returned a 96.8% WCAG 2.0 failure rate.
Source: Institute for Disability Research, Policy, and Practice
43% rated it as a top priority.
36% rated it as important.
Fewer than 5% rated as either low priority or not even on the radar.
More than 65% agreed or strongly agreed it’s a higher priority than last year.
Source: Angel Business Communications
Source: Statistics Canada
Merriam-Webster defines disability as a “physical, mental, cognitive, or developmental condition that impairs, interferes with, or limits a person’s ability to engage in certain tasks or actions or participate in typical daily activities and interactions.”1
The World Health Organization (WHO) points out that a crucial part of the definition of disability is that it’s not just a health problem, but the environment impacts the experience and extent of disability. Inaccessibility creates barriers for full participation in society.2
The likelihood of you experiencing a disability at some point in your life is very high, whether a physical or mental disability, seen or unseen, temporary or permanent, severe or mild.2
Many people acquire disabilities as they age yet may not identify as “a person with a disability.”3 Where life expectancies are over 70 years of age, 11.5% of life is spent living with a disability.4
“Extreme personalization is becoming the primary difference in business success, and everyone wants to be a stakeholder in a company that provides processes, products, and services to employees and customers with equitable, person-centered experiences and allows for full participation where no one is left out.”
– Paudie Healy, CEO, Universal Access
1. Merriam-Webster
2. World Health Organization
3. Digital Leaders, as cited in WAI, 2018
4. Disabled World, as cited in WAI, 2018
Common myths about people with disabilities:
These assumptions prevent organizations from hiring valuable people into the workforce and retaining them.
Source: Forbes
50% to 70% of people with disabilities are unemployed in industrialized countries. In the US alone, 61 million adults have a disability.
Source: United Nations, as cited in Forbes
1. Understand Current State | 2. Plan for Buy-in | 3. Prepare Your Business Case |
Insight 1 | The longer you put off accessibility, the more tech debt you accumulate and the more you risk losing access to new and existing markets. The longer you wait to adopt standards and best practices, the more interest you’ll accumulate on accessibility barriers and costs for remediation. |
Insight 2 | Implementing accessibility feels counterintuitive to IT departments. IT always wants to optimize and move forward, but with accessibility you may stay at one level for what feels like an uncomfortably long period. Don’t worry; building consistency and shifting culture takes time. |
Insight 3 | Accessibility goes beyond compliance, which should be an outcome, not the objective. With 1 billion people worldwide with some form of disability, nearly everyone likely has a connection to disability, whether it be in themselves, family, or colleagues. The market of people with disabilities has a spending power of more than $6 trillion.1 |
1. WAI, 2018
This blueprint is accompanied by supporting deliverables to help you accomplish your goals.
Accessibility Business Case Template
The business case for accessibility is strong. Use this template to communicate to senior leaders the benefits and challenges of accessibility and the risks of inaction.
Accessibility Maturity Assessment
Use this assessment to understand your current accessibility maturity.
In phase 2 of this blueprint, we will help you establish current-state and target-state metrics for your organization.
Suggested Metrics
Overall end-customer satisfaction
Monies saved through cost optimization efforts
Employee engagement
Monies saved through application rationalization and standardization
For more metrics ideas, see the Info-Tech IT Metrics Library.
INDUSTRY: Technology
SOURCE: W3C Web Accessibility Initiative (WAI), 2018
Investing in accessibility
With an innovative edge, Google invests in accessibility with the objective of making life easier for everyone. Google has created a broad array of accessibility innovations in its products and services so that people with disabilities get as much out of them as anyone else.
Part of Google’s core mission, accessibility means more to Google than implementing fixes. It is viewed positively by the organization and drives it to be more innovative to make information available to everyone. Google approaches accessibility problems not as barriers but as ways to innovate and discover breakthroughs that will become mainstream in the future.
Results
Among Google’s innovations are contrast minimums, auto-complete, voice-control, AI advances, and machine learning auto-captioning. All of these were created for accessibility purposes but have positively impacted the user experience in general for Google.
DIY Toolkit | Guided Implementation | Workshop | Consulting |
---|---|---|---|
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks are used throughout all four options.
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 4 to 6 calls over the course of 2 to 4 months.
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
Call #1: Discuss motivation for the initiative and foundational knowledge requirements. Call #2: Discuss next steps to assess current accessibility maturity. | Call #3: Discuss stakeholder engagement and future-state analysis. Call #4: Discuss defining goals and objectives, along with roles and responsibilities. | Call #5: Review draft business case presentation. Call #6: Discuss post-approval steps and timelines. |
Phase 1
1.1 Understand standards and legislation
1.2 Build awareness
1.3 Understand maturity level
Phase 2
2.1 Define desired future state
2.2 Define goals and objectives
2.3 Document roles and responsibilities
Phase 3
3.1 Prepare business case template for presentation and approval
3.2 Validate post-approval steps and establish timelines
The Accessibility Business Case for IT
This phase will walk you through the following activities:
Activities
1.1.1 Make a list of the legislation you need to comply with
1.1.2 Seek legal and/or professional services’ input on compliance
1.1.3 Detail the risks of inaction for your organization
Understand Your Current State
Outcomes of this step
You will gain foundational understanding of the breadth of the regulation requirements for your organization. You will have reviewed and understand what is applicable to your organization.
Canada
Europe
United States
New Zealand
Australia
Regulatory systems are moving toward an international standard.
a) Start by looking at your local legislation.
b) Then consider any other regions you conduct business in.
c) Also account for the various industries you are in.
Download the Accessibility Business Case Template
Beyond the costs resulting from a claim, noncompliance can damage your organization in several ways.
Financial Impact
ADA Warning Shot: A complaint often indicates pending legal action to come. Addressing issues on a reactive, ad hoc basis can be quite expensive. It can cost almost $10,000 to address a single complaint, and chances are if you have one complaint, you have many.
Lawsuit Costs: In the US, 265,000 demand letters were sent in 2020 under the ADA for inaccessible websites. On average, a demand letter could cost the company $25,000 (conservatively). These are low-end numbers; another estimate is that a small, quickly settled digital accessibility lawsuit could cost upwards of $350,000 for the defendant.
Non-Financial Impact
Reputational Impact: Claims brought upon a company can bring negative publicity with them. In contrast, having a clear commitment to accessibility demonstrates inclusion and can enhance brand image and reputation. Stakeholder expectations are changing, and consumers, investors, and employees alike want to support businesses with a purpose.
Technology Resource Strains: Costly workarounds and ad hoc accommodation processes take away from efficiency and effectiveness. Updates and redesigns for accessibility and best practices will reduce costs associated with maintenance and service, including overall stakeholder satisfaction improvements.
Access to Talent: 2022 saw a record high number of job openings, over 11.4 million in the US alone. Ongoing labor shortages require eliminating bias and keeping an open mind about who is qualified.
Source: May Hopewell
In the last four years, 83% of the retail 500 have been sued. Since 2018, 417 of the top 500 have received ADA-based digital lawsuits.
Source: UsableNet
a) Consider legal risks, consumer risks, brand risks, and employee risks. (Remember, risks aren’t just monetary.)
Activities
1.2.1 Identify gaps in understanding
1.2.2 Brainstorm how to reframe accessibility positively
Understand Your Current State
Outcomes of this step
You’ll have a better understanding of accessibility so that you can effectively implement and promote it.
First-hand experience of how people with disabilities interact with your organization is often eye-opening. It will help you understand the benefits and value of accessibility.
Where to look for understanding
Source: WAI, 2016
* Remember, people with disabilities aren't obligated to discuss or explain their disabilities and may not be comfortable sharing. If you're asking for their time, be respectful, only ask if appropriate, and accept a "no" answer if the person doesn't wish to assist.
Find out what accessibility is and why it is important. Learn the basics.
a) What is accessibility? Why is it important?
b) From the legislation and standards identified in step 1.1, what gaps exist?
c) What is the definition of disability?
d) How does your organization currently address accessibility?
e) What are your risks?
f) Do you have any current employees who have disabilities?
A clear understanding of accessibility and the related standards and regulations can turn accessibility from something big and scary to an achievable part of the business.
The benefits of accessibility are:
Market Reach | Minimized Legal Risks | Innovation | Retention |
---|---|---|---|
Over 1 billion people with a spending power of $6 trillion make up the global market of people with disabilities.1 Accessibility improves the experience for all users. In addition, many organizations require you to provide proof you meet accessibility standards during the RFP process. | Accessibility regulations are changing, and claims are rising. Costs associated with legal proceedings can be more than just financial. Many countries have laws you need to follow. | People with disabilities bring diversity of thought, have different lived experiences, and benefit inclusivity, which helps drive engagement. Plus accessibility features often solve unanticipated problems. | Employing and supporting people with disabilities can reduce turnover and improve retention, reliability, company image, employee loyalty, ability awareness, and more. |
Source 1: WAI, 2018
A first step to disability and accessibility awareness is to talk about it. When it is talked about as freely as other things are in the workplace, this can create a more welcoming workplace.
Accessibility goes beyond physical access and includes technological access and support as well as our attitudes.
Accessibility is making sure everyone (disabled or abled) can access the workplace equally.
Adjustments in the workplace are necessary to create an accessible and welcoming environment. Understanding the three dimensions of accessibility in the workplace is a good place to start.
Source: May Hopewell
Three dimensions of accessibility in the workplace
INDUSTRY: Professional Services
SOURCE: Accenture
Accenture takes an inclusive approach to increase accessibility.
Accessibility is more than tools
Employee experience was the focus of embarking on the accessibility journey, ensuring inclusivity was built in and every employee was able to use the tools they needed and could achieve their goals.
“We are removing barriers in technology to make all of our employees, regardless of their ability, more productive.”
Accessibility is inclusive
The journey began with formalizing a Global IT Accessibility practice and defining an accessibility program charter. This provided direction and underpinned the strategy used to create a virtual Accessibility Center of Excellence and map out a multiyear plan of initiatives. The team then identified all the technologies they wanted to enhance by prioritizing ones that were high use and high impact. Involving disability champions gave insight into focus areas.
Accessibility is innovation
Working with partners like Microsoft and over 100 employees, Accenture continues toward the goal of 75% accessibility for all its global high-traffic internal platforms. Achievements thus far include:
Activities
1.3.1 Complete the Accessibility Maturity Assessment
Understand Your Current State
Outcomes of this step
Completed Accessibility Maturity Assessment to inform planning for and building your business case in Phases 2 and 3.
Accessibility Maturity
People
Process
Technology
INITIAL | DEVELOPING | DEFINED | MANAGED | OPTIMIZE |
---|---|---|---|---|
At this level, accessibility processes are mostly undocumented, if they exist. Accessibility is most likely happening on a reactive, ad hoc basis. No one understands who is responsible for accessibility or what their role is. At this stage the organization is driven by the need for compliance. | At the developing level, the organization is taking steps to increase accessibility but still has a lot of opportunity for improvements. The organization is defining and refining processes and is working toward building a library of assistive tools. | At this level, processes related to accessibility are repeatable. However, there’s a tendency to resort to old habits under stress. The organization has tools in place to facilitate accommodation requests and technology is compatible with assistive technologies. Accessibility initiatives are driven by the desire to make the user experience better. | The managed level is defined by its effective accessibility controls, processes, and metrics. The organization can mostly anticipate preferences of customers, employees, and users. The roles and responsibilities are defined, and disability is included as part of the organization’s diversity, equity, and inclusion (DEI) initiatives. | This level is not the goal for all organizations. At this level there is a shift in the organization’s culture to a feeling of belonging. The organization also demonstrates ongoing process improvements. Everyone can experience a seamless interaction with the organization. The focus is on continuous improvement and using feedback to inform future initiatives. |
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
2.1.1 Identify key stakeholders
2.1.2 Hold a key stakeholder focus group
2.1.3 Conduct a future-state analysis
Outcomes of this step
Following this step, you will have identified your aspirational maturity level and what your accessibility future state looks like for your organization.
Plan for Senior Leader Buy-In
Ask stakeholders, “Who else should I be talking to?” to discover additional stakeholders and ensure you don’t miss anyone.
Identify stakeholders through the following questions:
Take a 360-degree view of potential internal and external stakeholders who might be impacted by the initiative.
A stakeholder prioritization map helps teams categorize their stakeholders by their level of influence and ownership.
There are four areas in the map, and the stakeholders within each area should be treated differently.
Players – Players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.
Mediators – Mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.
Noisemakers – Noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.
Spectators – Generally, spectators are apathetic and have little influence over or interest in the initiative.
Each group of stakeholders draws attention and resources away from critical tasks.
By properly identifying your stakeholder groups, you can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of the Mediators and Players are met.
Type | Quadrant | Actions |
---|---|---|
Players | High influence, high interest | Actively Engage: Keep them engaged through continuous involvement. Maintain their interest by demonstrating their value to its success. |
Mediators | High influence, low interest | Keep Satisfied: They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust, and include them in important decision-making steps. In turn, they can help you influence other stakeholders. |
Noisemakers | Low influence, high interest | Keep Informed: Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them. |
Spectators | Low influence, low interest | Monitor: They are followers. Keep them in the loop by providing clarity on objectives and status updates. |
Collect this information by:
Involve key stakeholders to determine the organizational drivers of accessibility, identify target maturity and key performance indicators (KPIs), and ultimately build the project charter.
Building the project charter as a group will help you to clarify your key messages and secure buy-in from critical stakeholders up-front, which is key.
Executing the business case for accessibility requires significant involvement from your IT leadership team. The challenge is that accessibility can be overwhelming because of inherent bias. Members of your IT leadership team will also need to participate in knowledge transfer, so get them involved up-front. The focus group will help stakeholders feel more engaged in the project, which is pivotal for success.
You may feel like a full project charter isn’t necessary, and depending on your organizational size, it might not be. However, the exercise of building the charter is important regardless. No matter your current climate, some level of socializing the value of and plans for accessibility will be necessary.
Meeting Agenda
Identify the pain points you want to resolve and some of the benefits that you’d like to see from a program. By doing so, you’ll get a holistic view of what you need to achieve and what your drivers are.
The Info-Tech Accessibility Maturity Framework identifies three key strategic drivers: compliance, experience, and incorporation.
Even though 90% of companies claim to prioritize diversity,1 over 30% are focused on compliance.2
1. Harvard Business Review, 2020
2. Harvard Business Review, 2022
31.6% of companies remain in the Compliant stage, where they are focused on DEI compliance and not on integrating DEI throughout the organization or on creating continual improvement.
Source: Harvard Business Review, 2022
Although there will be various motivating factors, aligning the drivers of your accessibility program provides direction to the program. Connecting the advantages of program drivers to organizational goals builds the confidence of senior leaders and decision makers, increasing the continued commitment to invest in accessibility programming.
Drivers | Compliance | Experience | Incorporation |
---|---|---|---|
Maturity level | Initial | Developing, Defined, Managed | Optimized |
Description | Any accessibility initiative is to comply with the minimum legislated requirement. Desire to avoid/decrease legal risk. | Accessibility initiatives are focused on improving the experience of everyone from the start. Most organizations will be experience driven. Desire to increase accessibility and engagement. | Accessibility is a seamless part of the whole organization and initiatives are focused on impacting social issues. |
Advantages | Compliance is a good starting place for accessibility. It will reduce legal risk. | Being people focused from the start of processes enables the organization to reduce tech debt, provide the best user experience, and realize other benefits of accessibility. | There is a sense of belonging in the organization. The entire organization experiences the benefits of accessibility. |
Disadvantages | Accessibility is about more than just compliance. Being compliance driven won’t give you the full benefits of accessibility. | This can mean a culture change for the organization, which can take a long time. IT is used to moving quickly – it might feel counterintuitive to slow down and take time. | It takes much longer to reach the associated level of maturity. Not possible for all organizations. |
After initially ensuring your organization is compliant with regulations and standards, you will progress to building disciplined processes and consistent, standardized processes. Eventually you will build the ability for predictable processes, and lastly, you’ll optimize by continuously improving.
Depending on the level of maturity you are trying to achieve, it could take months or even years to implement. The important thing to understand, however, is that accessibility work is never done.
At all levels of the maturity framework, you must consider the interconnected aspects of people, process, and technology. However, as the organization progresses, the impact will shift from largely being focused on process and technology improvement to being focused on people.
Info-Tech Insight
IT typically works through maturity frameworks from the bottom to the top, progressing at each level until they reach the end. When it comes to digital accessibility initiatives, being especially thorough, thoughtful, and collaborative is critical to success. This will mean spending more time in the Developing, Defined, and Managed levels of maturity rather than trying to reach Optimized as quickly as you can. This may feel contrary to what IT historically considers as a successful implementation.
Maturity level | Driver |
---|---|
Initial | Compliance |
Developing | Experience |
Defined | Experience |
Managed | Experience |
Optimized | Incorporation |
Identify your target state of maturity
Accessibility as a differentiator
INDUSTRY: Financial
SOURCE: WAI-Engage
Accessibility inside and out
As a financial provider, Barclays embarked on the accessibility journey to engage customers and employees with the goal of equal access for all. One key statement that provided focus was “Essential for some, easier for all.”
“It's about helping everyone to work, bank and live their lives regardless of their age, situation, abilities or circumstances.”
Embedding into experiences
“The Barclays Accessibility team [supports] digital teams to embed accessibility into our services and culture through effective governance, partnering, training and tools. Establishing an enterprise-wide accessibility strategy, standards and programmes coupled with senior sponsorship helps support our publicly stated ambition of becoming the most accessible and inclusive FTSE company.”
– Paul Smyth, Head of Digital Accessibility, Barclays
It’s a circle, not a roadmap
Activities
2.2.1 Create a list of goals and objectives
2.2.2 Finalize key metrics
Plan for Senior Leader Buy-In
Outcomes of this step
You will have clear measurable goals and objectives to respond to identified accessibility issues and organizational goals.
Use the SMART framework to build effective goals.
S | Specific: Is the goal clear, concrete, and well defined? |
M | Measurable: How will you know when the goal is met? |
A | Achievable: Is the goal possible to achieve in a reasonable time? |
R | Relevant: Does this goal align with your responsibilities and with departmental and organizational goals? |
T | Time-based: Have you specified a time frame in which you aim to achieve the goal? |
SMART is a common framework for setting effective goals. Make sure your goals satisfy these criteria to ensure you can achieve real results.
Use the outcomes from activity 2.1.2.
Use the outcomes from activity 2.1.2.
Baseline metrics will be improved through:
Metric | Current | Goal |
---|---|---|
Overall end-customer satisfaction | 90 | 120 |
Monies saved through cost optimization efforts | | |
Employee engagement | | |
Monies saved through application rationalization and standardization | | |
For more metrics ideas, see the Info-Tech IT Metrics Library.
Finalize key metrics the organization will use to measure accessibility success
Activities
2.3.1 Populate a RACI chart
Plan for Senior Leader Buy-In
Outcomes of this step
At the end of this step, you will have a completed RACI chart documenting the roles and responsibilities related to accessibility for your accessibility business case.
Populate a RACI chart to identify who should be responsible, accountable, consulted, and informed for each key activity.
Define who is responsible, accountable, consulted, and informed for the project team:
This phase will walk you through the following activities:
This phase involves the following participants:
Source: WAI, 2018
“Many organizations are waking up to the fact that embracing accessibility leads to multiple benefits – reducing legal risks, strengthening brand presence, improving customer experience and colleague productivity.”
– Paul Smyth, Head of Digital Accessibility, Barclays
Source: WAI, 2018
Activities
3.1.1 Prepare your business case template for presentation and approval
Build Your Business Case
Outcomes of this step
Following this step, you will have a customized business case presentation that you can present to senior leaders.
Obtain approval for your accessibility program by customizing Info-Tech’s Accessibility Business Case Template, which is designed to effectively convey your key messages. Tailor the template to suit your needs.
It includes:
Info-Tech Insight
The support of senior leaders is critical to the success of your accessibility program development. Remind them of the benefits and impact and the risks associated with inaction.
Now that you understand your current and desired accessibility maturity, the next step is to get sign-off to begin planning your initiatives.
Know your audience:
Activities
3.2.1 Prepare for implementation: Complete the implementation prep to-do list and assign proposed timelines
Build Your Business Case
Outcomes of this step
This step will help you gain leadership’s approval to move forward with building and implementing the accessibility program.
Complete the to-do list to ensure you are ready to move your accessibility program forward.
To Do | Proposed Timeline |
---|---|
Reach out to your change management team for assistance. | |
Discuss your plan with HR. | |
Build a project team. | |
Incorporate any necessary changes from senior leaders into your business case. | |
[insert your own addition here] | |
[insert your own addition here] | |
[insert your own addition here] | |
[insert your own addition here] | |
Use the implementation prep to-do list to make sure you have gathered relevant information and completed critical steps to be ready for success.
Use the list on the previous slide to make sure you are set up for implementation success and that you’re ready to move your accessibility program forward.
Implement and Mature Your User Experience Design Practice
Modernize Your Corporate Website to Drive Business Value
IT Diversity & Inclusion Tactics
“2021 State of Digital Accessibility.” Level Access, n.d. Accessed 10 Aug. 2022.
“2022 Midyear Report: ADA Digital Accessibility Lawsuits.” UsableNet, 2022. Accessed 9 Nov. 2022.
“Barclay’s Bank Case Study.” WAI-Engage, 12 Sept. 2018. Accessed 7 Nov. 2022.
Bilodeau, Howard, et al. “StatCan COVID-19 Data to Insights for a Better Canada.” Statistics Canada, 24 June 2021. Accessed 10 Aug. 2022.
Casey, Caroline. “Do Your D&I Efforts Include People With Disabilities?” Harvard Business Review, 19 March 2020. Accessed 28 July 2022.
Digitalisation World. “Organisations failing to meet digital accessibility standards.” Angel Business Communications, 19 May 2022. Accessed Oct. 2022.
“disability.” Merriam-Webster.com Dictionary, Merriam-Webster, https://www.merriam-webster.com/dictionary/disability. Accessed 10 Aug. 2022.
“Disability.” World Health Organization, 2022. Accessed 10 Aug. 2022.
“Driving the Accessibility Advantage at Accenture.” Accenture, 2022. Accessed 7 Oct. 2022.
eSSENTIAL Accessibility. The Must-Have WCAG 2.1 Checklist. 2022.
Hopewell, May. Accessibility in the Workplace. 2022.
“Initiate.” W3C Web Accessibility Initiative (WAI), 31 March 2016. Accessed 18 Aug. 2022.
Kalcevich, Kate, and Mike Gifford. “How to Bake Layers of Accessibility Testing Into Your Process.” Smashing Magazine, 26 April 2021. Accessed 31 Aug. 2022.
Noone, Cat. “4 Common Ways Companies Alienate People with Disabilities.” Harvard Business Review, 29 Nov. 2021. Accessed Jul. 2022.
Taylor, Jason. “A Record-Breaking Year for ADA Digital Accessibility Lawsuits.” UsableNet, 21 December 2020. Accessed Jul. 2022.
“The Business Case for Digital Accessibility.” W3C Web Accessibility Initiative (WAI), 9 Nov. 2018. Accessed 4 Aug. 2022.
“The WebAIM Million.” WebAIM, 31 March 2022. Accessed 28 Jul. 2022.
Washington, Ella F. “The Five Stages of DEI Maturity.” Harvard Business Review, November - December 2022. Accessed 7 Nov. 2022.
Wyman, Nicholas. “An Untapped Talent Resource: People With Disabilities.” Forbes, 25 Feb. 2021. Accessed 14 Sep. 2022.
State the success criteria of your SDLC practice through the definition of product quality and organizational priorities. Define your SDLC current state.
Build your SDLC diagnostic framework based on your practice’s product and process objectives. Root cause your improvement opportunities.
Learn of today’s good SDLC practices and use them to address the root causes revealed in your SDLC diagnostic results.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Discuss your quality and product definitions and how quality is interpreted from both business and IT perspectives.
Review your case for strengthening your SDLC practice.
Review the current state of your roles, processes, and tools in your organization.
Grounded understanding of products and quality that is accepted across the organization.
Clear business and IT objectives and metrics that dictate your SDLC practice’s success.
Defined SDLC current state people, process, and technologies.
1.1 Define your products and quality.
1.2 Define your SDLC objectives.
1.3 Measure your SDLC effectiveness.
1.4 Define your current SDLC state.
Product and quality definitions.
SDLC business and technical objectives and vision.
SDLC metrics.
SDLC capabilities, processes, roles and responsibilities, resourcing model, and tools and technologies.
Discuss the components of your diagnostic framework.
Review the results of your SDLC diagnostic.
SDLC diagnostic framework tied to your SDLC objectives and definitions.
Root causes to your SDLC issues and optimization opportunities.
2.1 Build your diagnostic framework.
2.2 Diagnose your SDLC.
SDLC diagnostic framework.
Root causes to SDLC issues and optimization opportunities.
Discuss the SDLC practices used in the industry.
Review the scope and achievability of your SDLC optimization initiatives.
Knowledge of good practices that can improve the effectiveness and efficiency of your SDLC.
Realistic and achievable SDLC optimization roadmap.
3.1 Learn and adopt SDLC good practices.
3.2 Build your optimization roadmap.
Optimization initiatives and target state SDLC practice.
SDLC optimization roadmap, risks and mitigations, and stakeholder communication flow.
There are four key scenarios or entry points for IT as the acquiring organization in M&As:
Consider the ideal scenario for your IT organization.
Acquisitions are inevitable in modern business, and IT’s involvement in the process should be too. This progression is inspired by:
Prepare for a growth/integration transaction by:
Be an innovative IT leader by suggesting how and why the business should engage in an acquisition or divestiture.
Create a standardized approach for how your IT organization should address acquisitions.
Evaluate the target organizations to minimize risk and have an established integration project plan.
Deliver on the integration project plan successfully and communicate IT’s transaction value to the business.
Establish the transaction foundation.
Discover the motivation for acquiring.
Formalize the program plan.
Create the valuation framework.
Strategize the transaction and finalize the M&A strategy and approach.
All major stakeholders are on the same page.
Set up crucial elements to facilitate the success of the transaction.
Have a repeatable transaction strategy that can be reused for multiple organizations.
1.1 Conduct the CIO Business Vision and CEO-CIO Alignment Diagnostics.
1.2 Identify key stakeholders and outline their relationship to the M&A process.
1.3 Identify the rationale for the company's decision to pursue an acquisition.
1.4 Assess the IT/digital strategy.
1.5 Identify pain points and opportunities tied to the acquisition.
1.6 Create the IT vision and mission statements and identify IT guiding principles and the transition team.
1.7 Document the M&A governance.
1.8 Establish program metrics.
1.9 Create the valuation framework.
1.10 Establish the integration strategy.
1.11 Conduct a RACI.
1.12 Create the communication plan.
1.13 Prepare to assess target organization(s).
Business perspectives of IT
Stakeholder network map for M&A transactions
Business context implications for IT
IT’s acquiring strategic direction
Governance structure
M&A program metrics
IT valuation framework
Integration strategy
RACI
Communication plan
Prepared to assess target organization(s)
Establish the transaction foundation.
Discover the motivation for integration.
Assess the target organization(s).
Create the valuation framework.
Plan the integration roadmap.
All major stakeholders are on the same page.
Methodology identified to assess organizations during due diligence.
Methodology can be reused for multiple organizations.
Integration activities are planned and assigned.
2.1 Gather and evaluate the stakeholders involved, M&A strategy, future-state operating model, and governance.
2.2 Review the business rationale for the acquisition.
2.3 Establish the integration strategy.
2.4 Create the due diligence charter.
2.5 Create a list of IT artifacts to be reviewed in the data room.
2.6 Conduct a technical debt assessment.
2.7 Assess the current culture and identify the goal culture.
2.8 Identify the needed workforce supply.
2.9 Create the valuation framework.
2.10 Establish the integration roadmap.
2.11 Establish and align project metrics with identified tasks.
2.12 Estimate integration costs.
Stakeholder map
IT strategy assessment
IT operating model and IT governance structure defined
Business context implications for IT
Integration strategy
Due diligence charter
Data room artifacts
Technical debt assessment
Culture assessment
Workforce supply identified
IT valuation framework
Integration roadmap and associated resourcing
Establish the transaction foundation.
Discover the motivation for integration.
Plan the integration roadmap.
Prepare employees for the transition.
Engage in integration.
Assess the transaction outcomes.
All major stakeholders are on the same page.
Integration activities are planned and assigned.
Employees are set up for a smooth and successful transition.
Integration strategy and roadmap executed to benefit the organization.
Review what went well and identify improvements to be made in future transactions.
3.1 Identify key stakeholders and determine IT transaction team.
3.2 Gather and evaluate the M&A strategy, future-state operating model, and governance.
3.3 Review the business rationale for the acquisition.
3.4 Establish the integration strategy.
3.5 Prioritize integration tasks.
3.6 Establish the integration roadmap.
3.7 Establish and align project metrics with identified tasks.
3.8 Estimate integration costs.
3.9 Assess the current culture and identify the goal culture.
3.10 Identify the needed workforce supply.
3.11 Create an employee transition plan.
3.12 Create functional workplans for employees.
3.13 Complete the integration by regularly updating the project plan.
3.14 Begin to rationalize the IT environment where possible and necessary.
3.15 Confirm integration costs.
3.16 Review IT’s transaction value.
3.17 Conduct a transaction and integration SWOT.
3.18 Review the playbook and prepare for future transactions.
M&A transaction team
Stakeholder map
IT strategy assessed
IT operating model and IT governance structure defined
Business context implications for IT
Integration strategy
Integration roadmap and associated resourcing
Culture assessment
Workforce supply identified
Employee transition plan
Employee functional workplans
Updated integration project plan
Rationalized IT environment
SWOT of transaction
M&A Buy Playbook refined for future transactions
IT has always been an afterthought in the M&A process, often brought in last minute once the deal is nearly, if not completely, solidified. This is a mistake. When IT is brought into the process late, the business misses opportunities to generate value related to the transaction and has less awareness of critical risks or inaccuracies.
To prevent this mistake, IT leadership needs to develop strong business relationships and gain respect for its innovative suggestions. In fact, when it comes to modern M&A activity, IT should be the one suggesting potential transactions to meet business needs, specifically when it comes to modernizing the business or adopting digital capabilities.
IT needs to stop waiting to be invited to the acquisition or divestiture table. IT needs to suggest that the table be constructed and actively work toward achieving the strategic objectives of the business.
There are four key scenarios or entry points for IT as the acquiring organization in M&As:
Consider the ideal scenario for your IT organization.
Some of the obstacles IT faces include:
These obstacles often arise when IT waits to be invited into the transaction process and misses critical opportunities.
Prepare for a growth/integration transaction by:
As the number of merger, acquisition, and divestiture transactions continues to increase, so too does IT’s opportunity to leverage the growing digital nature of these transactions and get involved at the onset.
The total value of transactions in the year after the pandemic started was $1.3 billion – a 93% increase in value compared to before the pandemic. (Nasdaq)
Virtual deal-making will be the preferred method of 55% of organizations in the post-pandemic world. (Wall Street Journal, 2020)
Only half of M&A deals involve IT (Source: IMAA Institute, 2017)
In hindsight, it’s clear to see: Involving IT is just good business.
47% of senior leaders wish they would have spent more time on IT due diligence to prevent value erosion. (Source: IMAA Institute, 2017)
“40% of acquiring businesses discovered a cybersecurity problem at an acquisition.” (Source: Okta)
Acquisitions and divestitures are inevitable in modern business, and IT’s involvement in the process should be too. This progression is inspired by:
A merger looks at the equal combination of two entities or organizations. Mergers are rare in the M&A space, as the organizations will combine assets and services in a completely equal 50/50 split. Two organizations may also choose to divest business entities and merge as a new company.
An acquisition is the most common transaction in the M&A space: an organization acquires or purchases another organization or entities of another organization. This type of transaction has a clear owner who will be able to make legal decisions regarding the acquired organization.
In a divestiture, an organization decides to sell partial elements of a business to an acquiring organization. It separates this business entity from the rest of the organization and continues to operate the other components of the business.
A true merger does not exist, as there is always someone initiating the discussion. As a result, most M&A activity falls into acquisition or divestiture categories.
This blueprint is only focused on the buy side:
The sell side is focused on:
For more information on divestitures or selling your entire organization, check out Info-Tech’s Mergers & Acquisitions: The Sell Blueprint.
Phase | Phase Outcomes |
---|---|
1. Proactive | Be an innovative IT leader by suggesting how and why the business should engage in an acquisition or divestiture. |
2. Discovery & Strategy | Create a standardized approach for how your IT organization should address acquisitions. |
3. Due Diligence & Preparation | Evaluate the target organizations successfully and establish an integration project plan. |
4. Execution & Value Realization | Deliver on the integration project plan successfully and communicate IT’s transaction value to the business. |
As an IT executive, take control of when you get involved in a growth transaction. Do this by proactively identifying acquisition targets, demonstrating the value of IT, and ensuring that integration of IT environments does not lead to unnecessary and costly decisions.
CIOs on the forefront of digital transformation need to actively look for and suggest opportunities to acquire or partner on new digital capabilities to respond to rapidly changing business needs.
IT organizations that have an effective M&A program plan are more prepared for the buying transaction, enabling a successful outcome. A structured strategy is particularly necessary for organizations expected to deliver M&As rapidly and frequently.
Most IT synergies can be realized in due diligence. It is more impactful to consider IT processes and practices (e.g. contracts and culture) in due diligence rather than later in the integration.
IT needs to realize synergies within the first 100 days of integration. The most successful transactions are those in which IT continues to realize synergies a year after the transaction and beyond.
The M&A Buy Playbook should be a reusable document that enables your IT organization to successfully deliver on any acquisition transaction.
See a one-page overview of each phase of the transaction.
Read a one-page case study for each phase of the transaction.
Manage the integration process of the acquisition using this SharePoint template.
Manage the integration process of the acquisition using this Excel tool if you can’t or don’t want to use SharePoint.
DIY Toolkit | Guided Implementation | Workshop | Consulting |
---|---|---|---|
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 6 and 10 calls over the course of 2 to 4 months.
As the number of merger, acquisition, or divestiture transactions driven by digital means continues to increase, IT has an opportunity to not just be involved in a transaction but actively seek out potential deals.
In the Proactive phase, the business is not currently considering a transaction. However, the business could consider one to reach its strategic goals. IT organizations that have developed respected relationships with the business leaders can suggest these potential transactions.
Understand the business’ perspective of IT, determine who the critical M&A stakeholders are, valuate the IT environment, and examine how it supports the business goals in order to suggest an M&A transaction.
In doing so, IT isn’t waiting to be invited to the transaction table – it’s creating it.
Goal: To support the organization in reaching its strategic goals by suggesting M&A activities that will enable the organization to reach its objectives faster and with greater-value outcomes.
Before coming into the Proactive phase, you should have addressed the following:
Review the Executive Brief for more information on mergers, acquisitions, and divestitures for purchasing organizations.
Understand how the business perceives IT and establish strong relationships with critical M&A stakeholders.
Misalignment in target state requires further communication between the CIO and CEO to ensure IT is striving toward an agreed-upon direction.
The core services of IT are important when determining what IT should focus on. The most important services with the lowest satisfaction offer the largest area of improvement for IT to drive business value.
Input: IT organization expertise and the CEO-CIO Alignment diagnostic
Output: An understanding of an executive business stakeholder’s perception of IT
Materials: CEO-CIO Alignment diagnostic, M&A Buy Playbook
Participants: IT executive/CIO, Business executive/CEO
Record the results in the M&A Buy Playbook.
2 weeks
Input: IT organization expertise, CIO BV diagnostic
Output: An understanding of business stakeholder perception of certain IT capabilities and services
Materials: CIO Business Vision diagnostic, Computer, Whiteboard and markers, M&A Buy Playbook
Participants: IT executive/CIO, Senior business leaders
Record the results in the M&A Buy Playbook.
Example:
Your stakeholder map defines the influence landscape that the M&A transaction will occur within. This will identify who holds various levels of accountability and decision-making authority when a transaction does take place.
Use connectors to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantial relationships with your stakeholders.
1-3 hours
Input: List of M&A stakeholders
Output: Relationships among M&A stakeholders and influencers
Materials: M&A Buy Playbook
Participants: IT executive leadership
Record the results in the M&A Buy Playbook.
There are four areas in the map, and the stakeholders within each area should be treated differently.
Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.
Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.
Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.
Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.
30 minutes
Input: Stakeholder map, Stakeholder list
Output: Categorization of stakeholders and influencers
Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook
Participants: IT executive leadership, Stakeholders
How much are the stakeholder’s individual performance and goals directly tied to the success or failure of the product?
Record the results in the M&A Buy Playbook.
Stakeholder Category / Level of Support | Supporter | Evangelist | Neutral | Blocker |
---|---|---|---|---|
Player | Critical | High | High | Critical |
Mediator | Medium | Low | Low | Medium |
Noisemaker | High | Medium | Medium | High |
Spectator | Low | Irrelevant | Irrelevant | Low |
Consider the three dimensions for stakeholder prioritization: influence, interest, and support. Support can be determined by answering the following question: How significant is that stakeholder to the M&A or divestiture process?
These parameters are used to prioritize which stakeholders are most important and should receive your focused attention.
30 minutes
Input: Stakeholder matrix
Output: Stakeholder and influencer prioritization
Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook
Participants: IT executive leadership, M&A/divestiture stakeholders
Stakeholder | Category | Level of Support | Prioritization |
---|---|---|---|
CMO | Spectator | Neutral | Irrelevant |
CIO | Player | Supporter | Critical |
Record the results in the M&A Buy Playbook.
Type | Quadrant | Actions |
---|---|---|
Players | High influence, high interest – actively engage | Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success. |
Mediators | High influence, low interest – keep satisfied | They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders. |
Noisemakers | Low influence, high interest – keep informed | Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them. |
Spectators | Low influence, low interest – monitor | They are followers. Keep them in the loop by providing clarity on objectives and status updates. |
Each group of stakeholders draws attention and resources away from critical tasks. By properly identifying stakeholder groups, the IT executive leader can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of Mediators and Players are met.
30 minutes
Input: Stakeholder priority, Stakeholder categorization, Stakeholder influence
Output: Stakeholder communication plan
Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook
Participants: IT executive leadership, M&A/divestiture stakeholders
The purpose of this activity is to make a communication plan for each of the stakeholders identified in the previous activities, especially those who will have a critical role in the M&A transaction process.
Record the results in the M&A Buy Playbook.
Identify critical opportunities to optimize IT and meet strategic business goals through a merger, acquisition, or divestiture.
Four ways to create value through digital
1 day
Input: Valuation of data, Valuation of applications, Valuation of infrastructure and operations, Valuation of security and risk
Output: Valuation of IT
Materials: Relevant templates/tools listed on the following slides, Capital budget, Operating budget, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership
The purpose of this activity is to demonstrate that IT is not simply an operational functional area that diminishes business resources. Rather, IT contributes significant value to the business.
Consistency is key when valuating your IT organization as well as other IT organizations throughout the transaction process.
Record the results in the M&A Buy Playbook.
Data valuation identifies how you monetize the information that your organization owns.
When valuating the information and data that exists in an organization, there are many things to consider.
Info-Tech has two tools that can support this process:
Data Collection | Insight Creation | Value Creation | Data Valuation |
---|---|---|---|
01 Data Source; 02 Data Collection Method; 03 Data | 04 Data Analysis; 05 Insight; 06 Insight Delivery | 07 Consumer; 08 Value in Data | 09 Value Dimension; 10 Value Metrics Group; 11 Value Metrics |
When valuating the applications and their users in an organization, consider using a business process map. This shows how business is transacted in the company by identifying which IT applications support these processes and which business groups have access to them. Info-Tech has a business process mapping tool that can support this process:
Column | Contents |
---|---|
User Costs | # of users; % time spent using IT; Fully burdened salary |
Total User Costs | Multiply values from the 3 user costs columns |
Derived Productivity Ratio (DPR) | Revenue per employee; Average cost per employee |
Total DPR | (Revenue P.E) ÷ (Average cost P.E) |
Application Value | (User costs) X (DPR) |
IT and Business Costs | Application maintenance; Downtime costs (include disaster exposure); Common costs allocated to applications; Fully loaded costs of active (FTE) users |
Total IT and Business Costs | Sum of values from the four IT and business costs columns |
Net Value of Applications | (Application value) – (IT and business costs) |
(Source: CSO)
The purpose of this exercise is to provide a high-level infrastructure valuation that will contribute to valuating your IT environment.
Calculating the value of the infrastructure will require different methods depending on the environment. For example, a fully cloud-hosted organization will have different costs than a fully on-premises IT environment.
Item | Costs/Value |
---|---|
Hardware Assets Total Value | +$3.2 million |
Hardware Leased/Service Agreement | -$ |
Software Purchased | +$ |
Software Leased/Service Agreement | -$ |
Operational Tools | |
Network | |
Disaster Recovery | |
Antivirus | |
Data Centers | |
Service Desk | |
Other Licenses | |
Total: |
For additional support, download the M&A Runbook for Infrastructure and Operations.
The purpose of this exercise is to provide a high-level risk assessment that will contribute to valuating your IT environment. For a more in-depth risk assessment, please refer to the Info-Tech tools below:
Probability of Risk Occurrence | Occurrence Criteria |
---|---|
Negligible | Very Unlikely; <20% |
Very Low | Unlikely; 20 to 40% |
Low | Possible; 40 to 60% |
Moderately Low | Likely; 60 to 80% |
Moderate | Almost Certain; >80% |
Note: If needed, you can customize this scale with the severity designations that you prefer. However, make sure you are always consistent with it when conducting a risk assessment.
Financial & Reputational Impact | Budgetary and Reputational Implications |
---|---|
Negligible | (<$10,000; Internal IT stakeholders aware of risk event occurrence) |
Very Low | ($10,000 to $25,000; Business customers aware of risk event occurrence) |
Low | ($25,000 to $50,000; Board of directors aware of risk event occurrence) |
Moderately Low | ($50,000 to $100,000; External customers aware of risk event occurrence) |
Moderate | (>$100,000; Media coverage or regulatory body aware of risk event occurrence) |
Risk Category Details | Probability of Occurrence | Estimated Financial Impact | Estimated Severity (Probability X Impact) |
---|---|---|---|
Capacity Planning | |||
Enterprise Architecture | |||
Externally Originated Attack | |||
Hardware Configuration Errors | |||
Hardware Performance | |||
Internally Originated Attack | |||
IT Staffing | |||
Project Scoping | |||
Software Implementation Errors | |||
Technology Evaluation and Selection | |||
Physical Threats | |||
Resource Threats | |||
Personnel Threats | |||
Technical Threats | |||
Total: |
4 hours
Input: IT strategy, Digital strategy, Business strategy
Output: An understanding of an executive business stakeholder’s perception of IT, Alignment of IT/digital strategy and overall organization strategy
Materials: Computer, Whiteboard and markers, M&A Buy Playbook
Participants: IT executive/CIO, Business executive/CEO
The purpose of this activity is to review the business and IT strategies that exist to determine if there are critical capabilities that are not being supported.
Ideally, the IT and digital strategies would have been created following development of the business strategy. However, sometimes the business strategy does not directly call out the capabilities it requires IT to support.
For additional support, see Build a Business-Aligned IT Strategy.
Record the results in the M&A Buy Playbook.
Establish strong relationships with critical M&A stakeholders and position IT as an innovative business partner that can suggest growth opportunities.
1-2 hours
Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade
Output: List of pain points or opportunities that IT can address
Materials: Computer, Whiteboard and markers, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Business stakeholders
The purpose of this activity is to determine the pain points and opportunities that exist for the organization. These can be external or internal to the organization.
Opportunities and pain points can be trends, other departments’ initiatives, business perspectives of IT, etc.
Record the results in the M&A Buy Playbook.
1-2 hours
Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade, List of pain points and opportunities
Output: An understanding of an executive business stakeholder’s perception of IT, Foundations for growth strategy
Materials: Computer, Whiteboard and markers, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Business stakeholders
The purpose of this activity is to determine whether a growth or separation strategy might be a good suggestion to the business in order to meet its business objectives.
Record the results in the M&A Buy Playbook.
1-2 hours
Input: Growth or separation strategy opportunities to support business goals, Stakeholder communication plan, Rationale for the suggestion
Output: M&A transaction opportunities suggested
Materials: M&A Buy Playbook
Participants: IT executive/CIO, Business executive/CEO
The purpose of this activity is to recommend a merger, acquisition, or divestiture to the business.
With technology and digital driving many transactions, leverage this opening and begin the discussions with your business on how and why an acquisition would be a great opportunity.
Record the results in the M&A Buy Playbook.
Develop progressive relationships and strong communication with key stakeholders to suggest or be aware of transformational opportunities that can be achieved through growth or reduction strategies such as mergers, acquisitions, or divestitures.
Phase 1 | Phase 2 | Phase 3 | Phase 4 |
Pre-Work | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | |
Establish the Transaction Foundation | Discover the Motivation for Acquiring | Formalize the Program Plan | Create the Valuation Framework | Strategize the Transaction | Next Steps and Wrap-Up (offsite) | |
Activities |
Deliverables |
The Discovery & Strategy phase during an acquisition is a unique opportunity for many IT organizations. IT organizations that can participate in the acquisition transaction at this stage are likely considered a strategic partner of the business.
For one-off acquisitions, IT being invited during this stage of the process is rare. However, for organizations that are preparing to engage in many acquisitions over the coming years, this type of strategy will greatly benefit from IT involvement. Again, the likelihood of participating in an M&A transaction is increasing, making it a smart IT leadership decision to, at the very least, loosely prepare a program plan that can act as a strategic pillar throughout the transaction.
During this phase of the pre-transaction state, IT will also be asked to participate in ensuring that the potential organization being sought will be able to meet any IT-specific search criteria that were set when the transaction was put into motion.
Goal: To identify a repeatable program plan that IT can leverage when acquiring all or parts of another organization’s IT environment, ensuring customer satisfaction and business continuity
Before coming into the Discovery & Strategy phase, you should have addressed the following:
Establish an M&A program plan that can be repeated across acquisitions.
 | Vision Statements | Mission Statements |
Characteristics | | |
Samples | To be a trusted advisor and partner in enabling business innovation and growth through an engaged IT workforce. (Source: Business News Daily) | IT is a cohesive, proactive, and disciplined team that delivers innovative technology solutions while demonstrating a strong customer-oriented mindset. (Source: Forbes, 2013) |
2 hours
Input: Business objectives, IT capabilities, Rationale for the transaction
Output: IT’s mission and vision statements for growth strategies tied to mergers, acquisitions, and divestitures
Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company M&A team
The purpose of this activity is to create mission and vision statements that reflect IT’s intent and method to support the organization as it pursues a growth strategy.
Record the results in the M&A Buy Playbook.
IT guiding principles are shared, long-lasting beliefs that guide the use of IT in constructing, transforming, and operating the enterprise by informing and restricting IT investment portfolio management, solution development, and procurement decisions.
Info-Tech has identified a set of characteristics that IT principles should possess. These characteristics ensure the IT principles are relevant and followed in the organization.
Approach focused. IT principles should be focused on the approach – how the organization is built, transformed, and operated – as opposed to what needs to be built, which is defined by both functional and non-functional requirements.
Business relevant. Create IT principles that are specific to the organization. Tie IT principles to the organization’s priorities and strategic aspirations.
Long lasting. Build IT principles that will withstand the test of time.
Prescriptive. Inform and direct decision making with actionable IT principles. Avoid truisms, general statements, and observations.
Verifiable. If compliance can’t be verified, people are less likely to follow the principle.
Easily Digestible. IT principles must be clearly understood by everyone in IT and by business stakeholders. IT principles aren’t a secret manuscript of the IT team. IT principles should be succinct; wordy principles are hard to understand and remember.
Followed. Successful IT principles represent a collection of beliefs shared among enterprise stakeholders. IT principles must be continuously communicated to all stakeholders to achieve and maintain buy-in.
In organizations where formal policy enforcement works well, IT principles should be enforced through appropriate governance processes.
IT Principle Name | IT Principle Statement |
1. Risk Management | We will ensure that the organization’s IT Risk Management Register is properly updated to reflect all potential risks and that a plan of action against those risks has been identified. |
2. Transparent Communication | We will ensure employees are spoken to with respect and transparency throughout the transaction process. |
3. Integration for Success | We will create an integration strategy that enables the organization and clearly communicates the resources required to succeed. |
4. Managed Data | We will handle data creation, modification, integration, and use across the enterprise in compliance with our data governance policy. |
5. Establish a Single IT Environment | We will identify, prioritize, and manage the applications and services that IT provides in order to eliminate redundant technology and maximize the value that users and customers experience. |
6. Compliance With Laws and Regulations | We will operate in compliance with all applicable laws and regulations for both our organization and the potentially purchased organization. |
7. Defined Value | We will create a plan of action that aligns with the organization’s defined value expectations. |
8. Network Readiness | We will ensure that employees and customers have immediate access to the network with minimal or no outages. |
9. Operating to Succeed | We will bring all of IT into a central operating model within two years of the transaction. |
2 hours
Input: Business objectives, IT capabilities, Rationale for the transaction, Mission and vision statements
Output: IT’s guiding principles for growth strategies tied to mergers, acquisitions, and divestitures
Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company M&A team
The purpose of this activity is to create the guiding principles that will direct the IT organization throughout the growth strategy process.
Record the results in the M&A Buy Playbook.
Consider the following capabilities when looking at who should be a part of the M&A transaction team.
Employees who have a significant role in ensuring that these capabilities are being delivered will be a top priority.
An operating model is an abstract visualization, used like an architect’s blueprint, that depicts how structures and resources are aligned and integrated to deliver on the organization’s strategy.
It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint before embarking on detailed organizational design.
The visual should highlight which capabilities are critical to attaining strategic goals and clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization.
As you assess the current operating model, consider the following:
Info-Tech Insight
Investing time up-front getting the operating model right is critical. This will give you a framework to rationalize future organizational changes, allowing you to be more iterative and allowing your model to change as the business changes.
4 hours
Input: Current operating model, IT strategy, IT capabilities, M&A-specific IT capabilities, Business objectives, Rationale for the transaction, Mission and vision statements
Output: Future-state operating model
Materials: Operating model, Capability overlay, Flip charts/whiteboard, Markers, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company M&A team
The purpose of this activity is to establish what the future-state operating model will be if your organization needs to adjust to support a growth transaction.
An example operating model is included in the M&A Buy Playbook. This process benefits from strong reference architecture and capability mapping ahead of time.
Record the results in the M&A Buy Playbook.
Input: IT capabilities, Future-state operating model, M&A-specific IT capabilities, Business objectives, Rationale for the transaction, Mission and vision statements
Output: Transition team
Materials: Reference architecture, Organizational structure, Flip charts/whiteboard, Markers
Participants: IT executive/CIO, IT senior leadership, Company M&A team
The purpose of this activity is to create a team that will support your IT organization throughout the transaction. Determining which capabilities and therefore which roles will be required ensures that the business will continue to get the operational support it needs.
For more information, see Redesign Your Organizational Structure.
1-2 hours
Input: List of governing bodies, Governing body committee profiles, Governance structure
Output: Documented method on how decisions are made as it relates to the M&A transaction
Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company M&A team
The purpose of this activity is to determine the method in which decisions are made throughout the M&A transaction as it relates to IT. This will require understanding both governing bodies internal to IT and those external to IT.
Record the results in the M&A Buy Playbook.
Strategy: These groups will focus on decisions that directly connect to the strategic direction of the organization.
Design & Build: The second tier of groups will oversee prioritization of a certain area of governance as well as design and build decisions that feed into strategic decisions.
Run: The lowest level of governance will be oversight of more-specific initiatives and capabilities within IT.
Expect tier overlap. Some committees will operate in areas that cover two or three of these governance tiers.
Upper management will measure IT’s success based on your ability to support the underlying reasons for the M&A. Using business metrics will help assure business stakeholders that IT understands their needs and is working with the business to achieve them.
Specific | Make sure the objective is clear and detailed. |
Measurable | Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective. |
Actionable | Objectives become actionable when specific initiatives designed to achieve the objective are identified. |
Realistic | Objectives must be achievable given your current resources or known available resources. |
Time-Bound | An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline. |
1. Proactive | 2. Discovery & Strategy | 3. Valuation & Due Diligence | 4. Execution & Value Realization |
1-2 hours
Input: IT capabilities, Mission, vision, and guiding principles, Rationale for the acquisition
Output: Program metrics to support IT throughout the M&A process
Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company M&A team
The purpose of this activity is to determine how IT’s success throughout a growth transaction will be measured and determined.
Record the results in the M&A Buy Playbook.
Identify IT’s plan of action when it comes to the acquisition and align IT’s integration strategy with the business’ M&A strategy.
The approach IT takes will depend on the business objectives for the M&A.
Key considerations when choosing an IT integration strategy include:
1-2 hours
Input: Business integration strategy, Guiding principles, M&A governance
Output: IT’s integration strategy
Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company M&A team
The purpose of this activity is to determine IT’s approach to integration. The approach might differ slightly from transaction to transaction. However, the business’ approach to transactions should give insight into the general integration strategy IT should adopt.
Record the results in the M&A Buy Playbook.
Business M&A Strategy | Resultant Technology Strategy | M&A Magnitude (% of Acquirer Assets, Income, or Market Value) | IT Integration Posture |
A. Horizontal | Adopt One Model | <10% | Absorption |
A. Horizontal | Adopt One Model | 10 to 75% | Absorption or Best-of-Breed |
A. Horizontal | Adopt One Model | >75% | Best-of-Breed |
B. Vertical | Create Links Between Critical Systems | Any | |
C. Conglomerate | Independent Model | Any | Preservation |
D. Hybrid: Horizontal & Conglomerate | Independent Model | Any | Preservation |
1-2 hours
Input: IT capabilities, Transition team, Integration strategy
Output: Completed RACI for transition team
Materials: Reference architecture, Organizational structure, Flip charts/whiteboard, Markers, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company M&A team
The purpose of this activity is to identify the core accountabilities and responsibilities for the roles identified as critical to your transition team. While there might be slight variation from transaction to transaction, ideally each role should be performing certain tasks.
Record the results in the M&A Buy Playbook.
Three key dimensions determine the appetite for cultural change:
1-2 hours
Input: IT’s M&A mission, vision, and guiding principles, M&A transition team, IT integration strategy, RACI
Output: IT’s M&A communication plan
Materials: Flip charts/whiteboard, Markers, RACI, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company M&A team
The purpose of this activity is to create a communication plan that IT can leverage throughout the initiative.
Record the results in the M&A Buy Playbook.
As soon as you have identified organizations to consider, it’s imperative to assess critical risks. Most IT leaders can attest that they will receive little to no notice when they have to assess the IT organization of a potential purchase. As a result, having a standardized template to quickly gauge the value of the business can be critical.
1-2 hours
Input: Publicized historical risk events, Solutions and vendor contracts likely in the works, Trends
Output: IT’s valuation of the potential organization(s) for acquisition
Materials: M&A Buy Playbook
Participants: IT executive/CIO
The purpose of this activity is to assess the organization(s) that your organization is considering purchasing.
Record the results in the M&A Buy Playbook.
Phase 1 | Phase 2 | Phase 3 | Phase 4 |
Pre-Work | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | |
Establish the Transaction Foundation | Discover the Motivation for Integration | Assess the Target Organization(s) | Create the Valuation Framework | Plan the Integration Roadmap | Next Steps and Wrap-Up (offsite) | |
Activities |
Deliverables |
The Due Diligence & Preparation phase during an acquisition is a critical time for IT. If IT fails to proactively participate in this phase, IT will have to merely react to integration expectations set by the business.
While not all IT organizations are able to participate in this phase, the evolving nature of M&As to be driven by digital and technological capabilities increases the rationale for IT being at the table. Identifying critical IT risks, which will inevitably be business risks, begins during the due diligence phase.
This is also the opportunity for IT to plan how it will execute the planned integration strategy. Having access to critical information only available in data rooms will further enable IT to successfully plan and execute the acquisition to deliver the value the business is seeking through a growth transaction.
Goal: To thoroughly evaluate all potential risks associated with the organization(s) being pursued and create a detailed plan for integrating the IT environments
Before coming into the Due Diligence & Preparation phase, you must have addressed the following:
Before coming into the Due Diligence & Preparation phase, we recommend addressing the following:
All three elements of the Technology Value Trinity work in harmony to deliver business value and achieve strategic needs. As one changes, the others need to change as well.
Too often strategy, operating model and organizational design, and governance are considered separate practices. As a result, “strategic documents” end up being wish lists, and projects continue to be prioritized based on who shouts the loudest – not based on what is in the best interest of the organization.
This step of the process is when IT should actively evaluate the target organization being pursued for acquisition.
1-2 hours
Input: Key roles for the transaction team, M&A governance, Target metrics, Selected integration strategy framework, RACI of key transaction tasks for the transaction team
Output: IT Due Diligence Charter
Materials: M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company M&A team
The purpose of this activity is to create a charter leveraging the items completed in the previous phase, as listed on the Due Diligence Prerequisite Checklist slide, to gain executive sign-off.
Record the results in the M&A Buy Playbook.
4 hours
Input: Future-state operating model, M&A governance, Target metrics, Selected integration strategy framework, RACI of key transaction tasks for the transaction team
Output: List of items to acquire and review in the data room
Materials: Critical domain lists on following slides, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team
The purpose of this activity is to create a list of the key artifacts that should be asked for and reviewed during the due diligence process.
Record the results in the M&A Buy Playbook.
Each critical domain will likely have different stakeholders who know that domain best. Communicate with these stakeholders throughout the M&A process to make sure you are getting accurate information and interpreting it correctly.
Domain | Stakeholders | Key Artifacts | Key Information to request |
Business |
Leadership/IT Executive |
Data & Analytics |
Applications |
Infrastructure |
Products and Services |
Operations |
IT Processes |
IT People |
Security |
Projects |
Vendors |
Focus on solving the problems you need to address.
Analyzing technical debt has value in that the analysis can help your organization make better risk management and resource allocation decisions.
Do you have any of these challenges?
“This isn’t a philosophical exercise. Knowing what you want to get out of this analysis informs the type of technical debt you will calculate and the approach you will take.” (Scott Buchholz, CTO, Deloitte Government & Public Services Practice, The Wall Street Journal, 2015)
1-2 hours
Input: Participant views on organizational tech debt, Five to ten key technical debts, Business impact scoring scales, Reasonable next-quarter scenarios for each technical debt, Technical debt business impact analysis
Output: Initial list of tech debt for the target organization
Materials: Whiteboard, Sticky notes, Technical Debt Business Impact Analysis Tool, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Business leaders, Transition team
The purpose of this activity is to assess the technical debt of the other IT organization. Taking on unnecessary technical debt is one of the biggest risks to the IT environment.
Record the results in the M&A Buy Playbook.
The IT valuation conducted during due diligence can have a significant impact on the final financials of the transaction for the business.
1 day
Input: Valuation of data, Valuation of applications, Valuation of infrastructure and operations, Valuation of security and risk
Output: Valuation of target organization’s IT
Materials: Relevant templates/tools, Capital budget, Operating budget, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Prospective IT organization
The purpose of this activity is to valuate the other IT organization.
Consistency is key when valuating your IT organization as well as other IT organizations throughout the transaction process.
Record the results in the M&A Buy Playbook.
The culture that the target organization is currently embracing. Their established and undefined governance practices will lend insight into this.
The culture that your organization is currently embracing. Examine people’s attitudes and behaviors within IT toward their jobs and the organization.
What will the future culture of the IT organization be once integration is complete? Are there aspects that your current organization and the target organization embrace that are worth considering?
Competitive
Innovative
Traditional
Cooperative
3-4 hours
Input: Cultural assessments for current IT organization, Cultural assessment for target IT organization
Output: Goal for IT culture
Materials: IT Culture Diagnostic, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, IT employees of current organization, IT employees of target organization, Company M&A team
The purpose of this activity is to assess the different cultures that might exist within the IT environments of both organizations. More importantly, your IT organization can select its desired IT culture for the long term if it does not already exist.
Record the results in the M&A Buy Playbook.
Have an established plan of action toward integration across all domains and a strategy toward resources.
80% of integration should happen within the first two years. (Source: CIO Dive)
70% of M&A IT integrations fail due to components that could and should be addressed at the beginning. (Source: The Wall Street Journal, 2019)
Integration is not rationalization. Once the organization has integrated, it can prepare to rationalize the IT environment.
Set up a meeting with your IT due diligence team to:
Use this opportunity to:
Domain | Independent Models | Create Links Between Critical Systems | Move Key Capabilities to Common Systems | Adopt One Model |
Data & Analytics |
Applications |
Infrastructure |
IT People & Processes |
Leadership/IT Executive |
Vendors |
Security |
Projects |
2 hours
Input: Integration tasks, Transition team, M&A RACI
Output: Prioritized integration list
Materials: Integration task checklist, Integration roadmap
Participants: IT executive/CIO, IT senior leadership, Company M&A team
The purpose of this activity is to prioritize the different integration tasks that your organization has identified as necessary to this transaction. Some tasks might not be relevant for this particular transaction, and others might be critical.
Record the updates in the M&A Integration Project Management Tool (SharePoint).
Record the updates in the M&A Integration Project Management Tool (Excel).
Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners
Output: Integration roadmap
Materials: M&A Integration Project Plan Tool (SharePoint), M&A Integration Project Plan Tool (Excel)
Participants: IT executive/CIO, IT senior leadership, Transition team, Company M&A team
The purpose of this activity is to create a roadmap to support IT throughout the integration process. Using the information gathered in previous activities, you can create a roadmap that will ensure a smooth integration.
Record the updates in the M&A Integration Project Management Tool (SharePoint).
Record the updates in the M&A Integration Project Management Tool (Excel).
For more information, check out the SharePoint Template: Step-by-Step Deployment Guide.
Don’t be a short-term thinker when it comes to workforce planning! IT teams that only consider the headcount needed on day one of the new entity will end up scrambling to find skilled resources to fill workforce gaps later in the transition period.
Input: IT strategy, Prioritized integration tasks
Output: A clear indication of how many resources are required for each role and the number of resources that the organization actually has
Materials: Resource Management Supply-Demand Calculator
Participants: IT executive/CIO, IT senior leadership, Target organization employees, Company M&A team, Transition team
The purpose of this activity is to determine the anticipated amount of work that will be required to support projects (like integration), administrative, and keep-the-lights-on activities.
Record the results in the Resource Management Supply-Demand Calculator.
Resource Capacity Confidence. This figure is based on your confidence in supply confidence, demand stability, and the supply-demand ratio.
Integration costs are more related to the degree of change required than the size of the transaction.
3-4 hours
Input: Integration tasks, Transition team, Valuation of current IT environment, Valuation of target IT environment, Outputs from data room, Technical debt, Employees
Output: List of anticipated costs required to support IT integration
Materials: Integration task checklist, Integration roadmap, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team
The purpose of this activity is to estimate the costs that will be associated with the integration. It’s important to ensure a realistic figure is identified and communicated to the larger M&A team within your company as early in the process as possible. This ensures that the funding required for the transaction is secured and budgeted for in the overarching transaction.
Record the results in the M&A Buy Playbook.
Being transparent throughout the process is critical. Do not hesitate to tell employees the likelihood that their job may be made redundant. This will ensure a high level of trust and credibility for those who remain with the organization after the transaction.
3-4 hours
Input: IT strategy, IT organizational design, Resource Supply-Demand Calculator output
Output: Employee transition plans
Materials: M&A Buy Playbook, Whiteboard, Sticky notes, Markers
Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team
The purpose of this activity is to create a transition plan for employees.
Note that if someone’s future role is a layoff, then there is no need to record anything for skills needed or method for skill development.
Record the results in the M&A Buy Playbook.
3-4 hours
Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners
Output: Employee functional workplans
Materials: M&A Buy Playbook, Learning and development tools
Participants: IT executive/CIO, IT senior leadership, IT management team, Company M&A team, Transition team
The purpose of this activity is to create a functional workplan for the different employees so that they know what their key role and responsibilities are once the transaction occurs.
It is recommended that each employee have a functional workplan. Leverage the IT managers to support this task.
Record the results in the M&A Buy Playbook.
3-4 hours
Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners, M&A goals
Output: Integration-specific metrics to measure success
Materials: Roadmap template, M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Transition team
The purpose of this activity is to understand how to measure the success of the integration project by aligning metrics to each identified task.
Record the results in the M&A Buy Playbook.
Phase 1 | Phase 2 | Phase 3 | Phase 4 |
Pre-Work | Day 1 | Day 2 | Day 3 | Engage in Integration | Day 4 | |
Establish the Transaction Foundation | Discover the Motivation for Integration | Plan the Integration Roadmap | Prepare Employees for the Transition | Engage in Integration | Assess the Transaction Outcomes (Must be within 30 days of transaction date) | |
Activities |
Deliverables |
Once the transaction comes to a close, it’s time for IT to deliver on the critical integration tasks. Set the organization up for success by having an integration roadmap. Retaining critical IT staff throughout this process will also be imperative to the overall transaction success.
Throughout the integration process, roadblocks will arise and need to be addressed. However, by ensuring that employees, technology, and processes are planned for ahead of the transaction, you as IT will be able to weather those unexpected concerns with greater ease.
Now that you as an IT leader have engaged in an acquisition, demonstrating the value IT was able to provide to the process is critical to establishing a positive and respected relationship with other senior leaders in the business. Be prepared to identify the positives and communicate this value to advance the business’ perception of IT.
Goal: To carry out the planned integration activities and deliver the intended value to the business
Before coming into the Execution & Value Realization phase, you must have addressed the following:
Before coming into the Execution & Value Realization phase, we recommend addressing the following:
Successfully execute on the integration and strategize how to rationalize the two (or more) IT environments and update the project plan, strategizing against any roadblocks as they might come.
Input: RACI chart, List of critical applications, List of vendor contracts, List of infrastructure assets, List of data assets
Output: Rationalized IT environment
Materials: Software Terms & Conditions Evaluation Tool
Participants: IT executive/CIO, IT senior leadership, Vendor management
The purpose of this activity is to rationalize the IT environment to reduce and eliminate redundant technology.
This will not be a quick and easy activity to complete. It will require strong negotiation on the part of the vendor management team.
For additional information and support for this activity, see the blueprint Master Contract Review and Negotiations for Software Agreements.
Input: Prioritized integration tasks, Integration RACI, Activity owners
Output: Updated integration project plan
Materials: M&A Integration Project Management Tool
Participants: IT executive/CIO, IT senior leadership, IT transaction team, Company M&A team
The purpose of this activity is to ensure that the project plan is continuously updated as your transaction team continues to execute on the various components outlined in the project plan.
Record the updates in the M&A Integration Project Management Tool (SharePoint).
Record the updates in the M&A Integration Project Management Tool (Excel).
Review the value that IT was able to generate around the transaction and strategize on how to improve future acquisition transactions.
3-4 hours
Input: Integration tasks, Transition team, Previous RACI, Estimated costs
Output: Actual integration costs
Materials: M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, IT transaction team, Company M&A team
The purpose of this activity is to confirm the associated costs around integration. While the integration costs would have been estimated previously, it’s important to confirm the costs that were associated with the integration in order to provide an accurate and up-to-date report to the company’s M&A team.
Record the results in the M&A Buy Playbook.
The ultimate goal of the M&A is to achieve and deliver deal objectives. Early in the M&A, IT must identify, prioritize, and execute upon synergies that deliver value to the business and its shareholders. Continue to measure IT’s contribution toward achieving the organization’s M&A goals throughout the integration by keeping track of cost savings and synergies that have been achieved. When these achievements happen, communicate them and celebrate success.
Once 80% of the necessary synergies are realized, executive pressure will diminish. However, IT must continue to work toward the technology end state to avoid delayed progression.
3-4 hours
Input: Prioritized integration tasks, Integration RACI, Activity owners, M&A company goals
Output: Transaction value
Materials: M&A Buy Playbook
Participants: IT executive/CIO, IT senior leadership, Company's M&A team
The purpose of this activity is to track how your IT organization performed against the originally identified metrics.
Record the results in the M&A Buy Playbook.
2 hours
Input: Integration costs, Retention rates, Value IT contributed to the transaction
Output: Strengths, weaknesses, opportunities, and threats
Materials: Flip charts, Markers, Sticky notes
Participants: IT executive/CIO, IT senior leadership, Business transaction team
The purpose of this activity is to assess the positive and negative elements of the transaction.
Record the results in the M&A Buy Playbook.
4 hours
Input: Transaction and integration SWOT
Output: Refined M&A playbook
Materials: M&A Buy Playbook
Participants: IT executive/CIO
The purpose of this activity is to revise the playbook and ensure it is ready to go for future transactions.
Record the results in the M&A Buy Playbook.
Congratulations, you have completed the M&A Buy Blueprint!
Rather than reacting to a transaction, you have been proactive in tackling this initiative. You now have a process to fall back on in which you can be an innovative IT leader by suggesting how and why the business should engage in an acquisition. You now have:
Now that you have done all of this, reflect on what went well and what can be improved in case you have to do this all again in a future transaction.
Ibrahim Abdel-Kader
Research Analyst | CIO, Info-Tech Research Group
Brittany Lutes
Senior Research Analyst | CIO, Info-Tech Research Group
John Annand
Principal Research Director | Infrastructure, Info-Tech Research Group
Scott Bickley
Principal Research Director | Vendor Management, Info-Tech Research Group
Cole Cioran
Practice Lead | Applications, Info-Tech Research Group
Dana Daher
Research Analyst | Strategy & Innovation, Info-Tech Research Group
Eric Dolinar
Manager | M&A Consulting, Deloitte Canada
Christoph Egel
Director, Solution Design & Deliver, Cooper Tire & Rubber Company
Nora Fisher
Vice President | Executive Services Advisory, Info-Tech Research Group
Larry Fretz
Vice President | Industry, Info-Tech Research Group
David Glazer
Vice President of Analytics, Kroll
Jack Hakimian
Senior Vice President | Workshops and Delivery, Info-Tech Research Group
Gord Harrison
Senior Vice President | Research & Advisory, Info-Tech Research Group
Valence Howden
Principal Research Director | CIO, Info-Tech Research Group
Jennifer Jones
Research Director | Industry, Info-Tech Research Group
Nancy McCuaig
Senior Vice President | Chief Technology and Data Office, IGM Financial Inc.
Carlene McCubbin
Practice Lead | CIO, Info-Tech Research Group
Kenneth McGee
Research Fellow | Strategy & Innovation, Info-Tech Research Group
Nayma Naser
Associate, Deloitte
Andy Neill
Practice Lead | Data & Analytics, Enterprise Architecture, Info-Tech Research Group
Rick Pittman
Vice President | Research, Info-Tech Research Group
Rocco Rao
Research Director | Industry, Info-Tech Research Group
Mark Rosa
Senior Vice President & Chief Information Officer, Mohegan Gaming and Entertainment
Tracy-Lynn Reid
Research Lead | People & Leadership, Info-Tech Research Group
Jim Robson
Senior Vice President | Shared Enterprise Services (retired), Great-West Life
Steven Schmidt
Senior Managing Partner Advisory | Executive Services, Info-Tech Research Group
Nikki Seventikidis
Senior Manager | Finance Initiative & Continuous Improvement, CST Consultants Inc.
Allison Straker
Research Director | CIO, Info-Tech Research Group
Justin Waelz
Senior Network & Systems Administrator, Info-Tech Research Group
Sallie Wright
Executive Counselor, Info-Tech Research Group
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Any time a major IT outage occurs, it increases executive awareness and internal pressure to create an IT DRP. This blueprint will help you develop an actionable DRP by following our four-phase methodology to define scope, current status, and dependencies; conduct a business impact analysis; identify and address gaps in the recovery workflow; and complete, extend, and maintain your DRP.
These examples include a client who leveraged the DRP blueprint to create practical, concise, and easy-to-maintain DRP governance and incident response plans and a case study based on a hospital providing a wide range of healthcare services.
Use this tool to measure your current DRP maturity and identify gaps to address. It includes a comprehensive list of requirements for your DRP program, including core and industry requirements.
The project charter template includes details on the project overview (description, background, drivers, and objectives); governance and management (project stakeholders/roles, budget, and dependencies); and risks, assumptions, and constraints (known and potential risks and mitigation strategy).
This tool enables you to identify critical applications/systems; identify dependencies; define objective scoring criteria to evaluate the impact of application/system downtime; determine the impact of downtime and establish criticality tiers; set recovery objectives (RTO/RPO) based on the impact of downtime; record recovery actuals (RTA/RPA) and identify any gaps between objectives and actuals; and identify dependencies that regularly fail (and have a significant impact when they fail) to prioritize efforts to improve resiliency.
Use this tool to specifically record assumptions made about who and what are impacted by system downtime and record assumptions made about impact severity.
This simple format is ideal during crisis situations, easier to maintain, and often quicker to create. Use this template to document the Notify - Assess - Declare disaster workflow, document current and planned future state recovery workflows, including gaps and risks, and review an example recovery workflow.
Improving DR capabilities is a marathon, not a sprint. You likely can't fund and resource all the measures for risk mitigation at once. Instead, use this tool to create a roadmap for actions, tasks, projects, and initiatives to complete in the short, medium, and long term. Prioritize high-benefit, low-cost mitigations.
Use this template to present your results from the DRP Maturity Scorecard, BCP-DRP Fitness Assessment, DRP Business Impact Analysis Tool, tabletop planning exercises, DRP Recovery Workflow Template, and DRP Roadmap Tool.
Leverage this tool to document information regarding DRP resources (list the documents/information sources that support DR planning and where they are located) and DR teams and contacts (list the DR teams, SMEs critical to DR, and key contacts, including business continuity management team leads that would be involved in declaring a disaster and coordinating response at an organizational level).
The following tools and templates are also included as part of this blueprint to use as needed to supplement the core steps above:
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Identify key applications and dependencies based on business needs.
Understand the entire IT “footprint” that needs to be recovered for key applications.
1.1 Assess current DR maturity.
1.2 Determine critical business operations.
1.3 Identify key applications and dependencies.
Current challenges identified through a DRP Maturity Scorecard.
Key applications and dependencies documented in the Business Impact Analysis (BIA) Tool.
Quantify application criticality based on business impact.
Appropriate recovery time and recovery point objectives defined (RTOs/RPOs).
2.1 Define an objective scoring scale to indicate different levels of impact.
2.2 Estimate the impact of downtime.
2.3 Determine desired RTO/RPO targets for applications based on business impact.
Business impact analysis scoring criteria defined.
Application criticality validated.
RTOs/RPOs defined for applications and dependencies.
Determine your baseline DR capabilities (your current state).
Gaps between current and desired DR capability are quantified.
3.1 Conduct a tabletop exercise to determine current recovery procedures.
3.2 Identify gaps between current and desired capabilities.
3.3 Estimate likelihood and impact of failure of individual dependencies.
Current achievable recovery timeline defined (i.e. the current state).
RTO/RPO gaps identified.
Critical single points of failure identified.
Identify and prioritize projects to close DR gaps.
DRP project roadmap defined that will reduce downtime and data loss to acceptable levels.
4.1 Determine what projects are required to close the gap between current and desired DR capability.
4.2 Prioritize projects based on cost, effort, and impact on RTO/RPO reduction.
4.3 Validate that the suggested projects will achieve the desired DR capability.
Potential DR projects identified.
DRP project roadmap defined.
Desired-state incident response plan defined, and project roadmap validated.
Outline how to create concise, usable DRP documentation.
Summarize workshop results.
A realistic and practical approach to documenting your DRP.
Next steps documented.
5.1 Outline a strategy for using flowcharts and checklists to create concise, usable documentation.
5.2 Review Info-Tech’s DRP templates for creating system recovery procedures and a DRP summary document.
5.3 Summarize the workshop results, including current potential downtime and action items to close gaps.
Current-state and desired-state incident response plan flowcharts.
Templates to create more detailed documentation where necessary.
Executive communication deck that outlines current DR gaps, how to close those gaps, and recommended next steps.
"An effective DRP addresses common outages such as hardware and software failures, as well as regional events, to provide day-to-day service continuity. It’s not just insurance you might never cash in. Customers are also demanding evidence of an effective DRP, so organizations without a DRP risk business impact not only from extended outages but also from lost sales. If you are fortunate enough to have executive buy-in, whether it’s due to customer pressure or concern over potential downtime, you still have the challenge of limited time to dedicate to disaster recovery (DR) planning. Organizations need a practical but structured approach that enables IT leaders to create a DRP without it becoming their full-time job."
Frank Trovato,
Research Director, Infrastructure
Info-Tech Research Group
Potential Lost Revenue
The impact of downtime tends to increase exponentially as systems remain unavailable (graph at left). A current, tested DRP will significantly improve your ability to execute systems recovery, minimizing downtime and business impact. Without a DRP, IT is gambling on its ability to define and implement a recovery strategy during a time of crisis. At the very least, this means extended downtime – potentially weeks or months – and substantial business impact.
Adapted from: Philip Jan Rothstein, 2007
Cost of Downtime for the Fortune 1000
Cost of unplanned apps downtime per year: $1.25B to $2.5B.
Cost of critical apps failure per hour: $500,000 to $1M.
Cost of infrastructure failure per hour: $100,000.
35% reported to have recovered within 12 hours.
17% of infrastructure failures took more than 24 hours to recover.
13% of application failures took more than 24 hours to recover.
Source: Stephen Elliot, 2015
The cost of downtime is rising across the board, and not just for organizations that traditionally depend on IT (e.g. e-commerce). Downtime cost increase since 2010:
Hospitality: 129% increase
Transportation: 108% increase
Media organizations: 104% increase
DR planning is not your full-time job, so it can’t be a resource- and time-intensive process.
The Traditional Approach | Info-Tech’s Approach |
---|---|
Start with extensive risk and probability analysis. Challenge: You can’t predict every event that can occur, and this delays work on your actual recovery procedures. | Focus on how to recover regardless of the incident. We know failure will happen. Focus on improving your ability to failover to a DR environment so you are protected regardless of what causes primary site failure. |
Build a plan for major events such as natural disasters. Challenge: Major destructive events only account for 12% of incidents while software/hardware issues account for 45%. The vast majority of incidents are isolated local events. | An effective DRP improves day-to-day service continuity, and is not just for major events. Leverage DR planning to address both common (e.g. power/network outage or hardware failure) as well as major events. It must be documentation you can use, not shelfware. |
Create a DRP manual that provides step-by-step instructions that anyone could follow. Challenge: The result is lengthy, dense manuals that are difficult to maintain and hard to use in a crisis. The usability of DR documents has a direct impact on DR success. | Create concise documentation written for technical experts. Use flowcharts, checklists, and diagrams. They are more usable in a crisis and easier to maintain. You aren’t going to ask a business user to recover your SQL Server databases, so you can afford to be concise. |
When a tornado takes out your data center, it’s an obvious DR scenario and the escalation towards declaring a disaster is straightforward.
The challenge is to be just as decisive in less obvious (and more common) DR scenarios, such as a critical system hardware/software failure, and to know when to move from incident management to DR. Don’t get stuck troubleshooting for days when you could have failed over in hours.
Bridge the gap with clearly defined escalation rules and criteria for when to treat an incident as a disaster.
Source: Info-Tech Research Group; N=92
Does this mean I don’t need to worry about natural disasters? No. It means DR planning needs to focus on overall service continuity, not just major disasters. If you ignore the more common but less dramatic causes of service interruptions, you are diminishing the business value of a DRP.
The traditional approach to DR starts with an in-depth exercise to identify risks to IT service continuity and the probability that those risks will occur.
Still, failure is inevitable – it’s been demonstrated multiple times¹ through high-profile outages. When you surrender direct control of the systems themselves, it’s your responsibility to ensure the vendor can meet your DR requirements, including:
Sources: Kyle York, 2016; Shaun Nichols, 2017; Stephen Burke, 2017
IT DR is not an airplane disaster movie. You aren’t going to ask a business user to execute a system recovery, just like you wouldn’t really want a passenger with no flying experience to land a plane.
In reality, you write a DR plan for knowledgeable technical staff, which allows you to summarize key details your staff already know. Concise, visual documentation is:
"Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow."
– Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management
Source: Info-Tech Research Group; N=95
*DR Success is based on stated ability to meet recovery time objectives (RTOs) and recovery point objectives (RPOs), and reported confidence in ability to consistently meet targets.
A DRP is the set of procedures and supporting documentation that enables an organization to restore its core IT services (i.e. applications and infrastructure) as part of an overall business continuity plan (BCP), as described below. Use the templates, tools, and activities in this blueprint to create your DRP.
Overall BCP

IT DRP | BCP for Each Business Unit | Crisis Management Plan |
---|---|---|
A plan to restore IT services (e.g. applications and infrastructure) following a disruption. This includes: | A set of plans to resume business processes for each business unit. Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization. | A set of processes to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage. This includes emergency response plans, crisis communication plans, and the steps to invoke BC/DR plans when applicable. Info-Tech’s Implement Crisis Management Best Practices blueprint provides a structured approach to develop a crisis management process. |
Note: For DRP, we focus on business-facing IT services (as opposed to the underlying infrastructure), and then identify required infrastructure as dependencies (e.g. servers, databases, network).
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Info-Tech members save an average of $22,983 and 22 days by working with an Info-Tech analyst on DRP (based on client response data from Info-Tech Research Group’s Measured Value Survey, following analyst advisory on this blueprint).
Define DRP scope (Call 1)
Scope requirements, objectives, and your specific challenges. Identify applications/systems to focus on first.
Define current status and system dependencies (Calls 2-3)
Assess current DRP maturity. Identify system dependencies.
Conduct a BIA (Calls 4-6)
Create an impact scoring scale and conduct a BIA. Identify RTO and RPO for each system.
Recovery workflow (Calls 7-8)
Create a recovery workflow based on tabletop planning. Identify gaps in recovery capabilities.
Projects and action items (Calls 9-10)
Identify and prioritize improvements. Summarize results and plan next steps.
Your guided implementations will pair you with an advisor from our analyst team for the duration of your DRP project.
Contact your account representative or email Workshops@InfoTech.com for more information.
Industry: Manufacturing
Source: Info-Tech Research Group Client Engagement
A global manufacturer with annual sales over $1B worked with Info-Tech to improve DR capabilities.
DRP BIA
Conversations with the IT team and business units identified the following impact of downtime over 24 hours:
Tabletop Testing and Recovery Capabilities
Reviewing the organization’s current systems recovery workflow identified the following capabilities:
Findings
Because of end-user complaints, IT had invested heavily in email resiliency though email downtime had a relatively minimal impact on the business. After working through the methodology, it was clear that the business needed to provide additional support for critical systems.
Identify DR Maturity and System Dependencies
Conduct a BIA
Outline Incident Response and Recovery Workflow With Tabletop Exercises
Mitigate Gaps and Risks
This could be an annual review – but more likely, this is the first time you’ve reviewed the DR plan in years.* Perhaps a failed audit provided a mandate for DR planning, or a real disaster highlighted gaps in DR capabilities. First, set appropriate expectations for what the project is and isn’t, in terms of scope, outputs, and resource commitments. Very few organizations can afford to hire a full-time DR planner, so it’s likely this won’t be your full-time job. Set objectives and timelines accordingly.
Gather a team
Find and review existing documentation
Set specific, realistic objectives
Estimated Time: 30 minutes
Identify the drivers and challenges to completing a functional DRP with the core DR team.
DRP Drivers
DRP Challenges
Write down insights from the meeting on flip-chart paper or a whiteboard and use the findings to inform your DRP project (e.g. challenges to address).
DRP Project Charter Template components:
Define project parameters, roles, and objectives, and clarify expectations with the executive team. Specific subsections are listed below and described in more detail in the remainder of this phase.
Note: Identify the initial team roles and responsibilities first so they can assist in defining the project charter.
Info-Tech’s DRP Maturity Scorecard evaluates completion status and process maturity for a comprehensive yet practical assessment across three aspects of an effective DRP program – Defining Requirements, Implementation, and Maintenance.
Completion Status: Reflects the progress made with each component of your DRP Program.
Process Maturity: Reflects the consistency and quality of the steps executed to achieve your completion status.
DRP Maturity Assessment: Each component (e.g. BIA) of your DRP Program is evaluated based on completion status and process maturity to provide an accurate holistic assessment. For example, if your BIA completion status is 4 out of 5, but process maturity is a 2, then requirements were not derived from a consistent defined process. The risk is inconsistent application prioritization and misalignment with actual business requirements.
Estimated Time: 30 minutes
Working through the planning process the first time can be challenging. If losing momentum is a concern, limit the BIA to a few critical systems to start.
Run this exercise if you need a structured exercise to decide where to focus first and identify the business users you should ask for input on the impact of system downtime.
Application | Notes |
---|---|
CRM | |
Dialer | |
Estimated Time: 1-2 hours
A high-level topology or architectural diagram is an effective way to identify dependencies, application ownership, outsourced services, hardware redundancies, and more.
Note:
In general, visual documentation is easier to use in a crisis and easier to maintain over time. Use Info-Tech’s research to help build your own visual SOPs.
Reviewing the entire ecosystem for applications identified key dependencies that were previously considered non-critical. For example, a system used to facilitate secure data transfers was identified as a key dependency for payroll and other critical business processes, and elevated to Tier 1.
Drawing a simple architectural diagram was an invaluable tool to identify key dependencies and critical systems, and to understand how systems and dependencies were interconnected. The drawing was an aha moment for IT and business stakeholders trying to make sense of their 1600-server environment.
A member of the S&P 500 used Info-Tech’s DRP Maturity Scorecard to provide a reliable objective assessment and make the case for improvements to the board of directors.
Info-Tech's DRP Project Charter enabled the CIO to clarify their DRP project scope and where it fit into their overall COOP. The project charter example provided much of the standard copy – objectives, scope, project roles, methodology, etc. – required to outline the project.
A BIA enables you to identify appropriate spend levels, maintain executive support, and prioritize DR planning for a more successful outcome. Info-Tech has found that a BIA has a measurable impact on the organization’s ability to set appropriate objectives and investment goals.
Business input is important, but don’t let a lack of it delay a draft BIA. Complete a draft based on your knowledge of the business. Create a draft within IT, and use it to get input from business leaders. It’s easier to edit estimates than to start from scratch; even weak estimates are far better than a blank sheet.
You don’t have to include every impact category in your BIA. Include categories that could affect your business. Defer or exclude other categories. For example, the bulk of revenue for governmental organizations comes from taxes, which won’t be permanently lost if IT systems fail.
Use the suggestions below as a guide as you modify scoring criteria in the DRP Business Impact Analysis Tool:
Estimated Time: 3 hours
On tab 3 of the DRP Business Impact Analysis Tool, indicate the costs of downtime, as described below:
For example, if a core call center phone system was down:
Info-Tech suggests that IT leadership and staff identify the impact of downtime first to create a version that you can then validate with relevant business owners. As you work through the BIA as a team, have a notetaker record assumptions you make to help you explain the results and drive business engagement and feedback.
Some common assumptions:
Use Info-Tech’s DRP BIA Scoring Context Example as a note-taking template.
You can’t build a perfect scoring scale. It’s fine to make reasonable assumptions based on your judgment and knowledge of the business. Just write down your assumptions. If you don’t write them down, you’ll forget how you arrived at that conclusion.
Once you’ve finished estimating the impact of downtime, use the following rough guideline to create an initial sort of applications into Tiers 1, 2, and 3.
Example: Highest total score is 12
The business must validate acceptable and appropriate RTOs and RPOs, but IT can use the guidelines below to set an initial estimate.
A shorter RTO typically requires higher investment. If a short period of downtime has minimal impact, setting a low RTO may not be justifiable. As downtime continues, impact begins to increase exponentially to a point where downtime is intolerable – an acceptable RTO must be shorter than this. Apply the same thinking to RPOs – how much data loss is unnoticeable? How much is intolerable?
Estimated Time: 30 minutes
RTO and RPO tiers simplify management by setting similar recovery goals for systems and applications with similar criticality.
Use the “Debate Space” approach to set appropriate and acceptable targets.
In general, the more critical the system, the shorter the RPO. But that’s not always the case. For example, a service bus might be Tier 1, but if it doesn’t store any data, RPO might be longer than other Tier 1 systems. Some systems may have a different RPO than most other systems in that tier. As long as the targets are acceptable to the business and appropriate given the impact, that’s okay.
Most organizations discover something new about key applications, or the way stakeholders use them, when they work through the BIA and review the results with stakeholders. For example:
The DRP Business Impact Analysis Tool helped structure stakeholder consultations on DR requirements for a large university IT department. Past consultations had become an airing of grievances. Using objective impact scores helped stakeholders stay focused and make informed decisions around appropriate RTOs and RPOs.
Estimated the business impact of downtime
Set recovery targets
Up Next: Conduct a tabletop planning exercise to establish current recovery capabilities
In a tabletop planning exercise, the DRP team walks through a disaster scenario to map out what should happen at each stage, and effectively defines a high-level incident response plan (i.e. recovery workflow).
Tabletop planning had the greatest impact on meeting recovery objectives (RTOs/RPOs) among survey respondents.
*Note: Relative importance indicates the contribution an individual testing methodology, conducted at least annually, had on predicting success meeting recovery objectives, when controlling for all other types of tests in a regression model. The relative-importance values have been standardized to sum to 100%.
Success was based on the following items:
Why is tabletop planning so effective?
The goal is to define a plan to restore applications and systems following a disruption. For your first tabletop exercise, Info-Tech recommends you use a non-life-threatening scenario that requires at least a temporary relocation of your data center (i.e. failing over to a DR site/environment). Assume a gas leak or burst water pipe renders the data center inaccessible. Power is shut off and IT must fail over systems to another location. Once you create the master procedure, review the plan to ensure it addresses other scenarios.
When systems fail, you are faced with two high-level options: fail over or recover in place. If you document the plan to fail over systems to another location, you’ll have documented the core of your DR procedures. This differs from traditional scenario planning where you define separate plans for different what-if scenarios. The goal is one plan that can be adapted to different scenarios, which reduces the effort to build and maintain your DRP.
Estimated Time: 2-3 hours
Why use flowcharts?
Use the completed tabletop planning exercise results to build this workflow.
"We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management." – Assistant Director, IT Operations, Healthcare Industry
Source: Info-Tech Research Group Interview
For a formatted template you can use to capture your plan, see Info-Tech’s DRP Recovery Workflow Template.
For a completed example of tabletop planning results, review Info-Tech’s Case Study: Practical, Right-Sized DRP.
What’s my RPA? Consider the following case:
When identifying RPA, remember the following:
You are planning for a disaster scenario, where on-site systems may be inaccessible and any copies of data taken during the disaster may fail, be corrupt, or never make it out of the data center (e.g. if the network fails before the backup file ships). In the scenario above, it seems likely that off-site incremental backups could be restored, leading to a 24-hour RPA. However, if there were serious concerns about the reliability of the daily incrementals, the RPA could arguably be based on the weekly full backups.
The RPA is a commitment to the maximum data you would lose in a DR scenario with current capabilities (people, process, and technology). Pick a number you can likely achieve. List any situations where you couldn’t meet this RPA, and identify those for a risk tolerance discussion. In the example above, complete loss of the primary SAN would also mean losing the snapshots, so the last good copy of the data could be up to 24 hours old.
On the “Impact Analysis” tab in the DRP Business Impact Analysis Tool, enter the estimated maximum downtime and data loss in the RTA and RPA columns.
It’s okay to round numbers to the nearest shift, day, or week for simplicity (e.g. 24 hours rather than 22.5 hours, or 8 hours rather than 7.25 hours).
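The RPA reasoning above can be checked per scenario with a short script. This is an added example, not Info-Tech's tool or code: the copy names, location labels, the 1-hour snapshot interval, the dependency of incrementals on the weekly full, and the scenarios are constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProtectionCopy:
    name: str
    location: str                      # where the copy is stored
    interval_hours: float              # time between copies = worst-case age of newest copy
    depends_on: Optional[str] = None   # copy that must also be restorable (e.g. base full)


# Constructed schedule (assumption): snapshots on the primary SAN,
# daily incrementals and weekly fulls shipped off-site.
COPIES = {c.name: c for c in (
    ProtectionCopy("SAN snapshot", "primary_san", 1),
    ProtectionCopy("weekly full", "offsite", 168),
    ProtectionCopy("daily incremental", "offsite", 24, depends_on="weekly full"),
)}


def usable(name, copies, lost_locations=(), distrusted=()):
    """A copy is usable if it survived, is trusted, and so is everything it depends on."""
    copy = copies[name]
    if copy.location in lost_locations or name in distrusted:
        return False
    if copy.depends_on is None:
        return True
    return usable(copy.depends_on, copies, lost_locations, distrusted)


def worst_case_loss_hours(copies, lost_locations=(), distrusted=()):
    """Maximum data loss: interval of the most frequent usable copy (inf if none)."""
    ages = [c.interval_hours for c in copies.values()
            if usable(c.name, copies, lost_locations, distrusted)]
    return min(ages) if ages else math.inf


# Constructed scenarios; the first three mirror the cases discussed in the text.
SCENARIOS = {
    "isolated failure, primary SAN intact":
        {"lost_locations": (), "distrusted": ()},
    "primary SAN lost":
        {"lost_locations": ("primary_san",), "distrusted": ()},
    "primary SAN lost, incrementals unreliable":
        {"lost_locations": ("primary_san",), "distrusted": ("daily incremental",)},
    "primary SAN lost, weekly full unreadable":
        {"lost_locations": ("primary_san",), "distrusted": ("weekly full",)},
}


def rpa_exceptions(copies, scenarios, chosen_rpa_hours):
    """Scenarios where the chosen RPA cannot be met: input to the risk tolerance discussion."""
    return [name for name, s in scenarios.items()
            if worst_case_loss_hours(copies, **s) > chosen_rpa_hours]


if __name__ == "__main__":
    for name, s in SCENARIOS.items():
        print(f"{name}: up to {worst_case_loss_hours(COPIES, **s)} hours of data loss")
    print("Cannot meet a 24-hour RPA in:", rpa_exceptions(COPIES, SCENARIOS, 24))
```

The scenarios returned by `rpa_exceptions` are the ones to list alongside the RPA entered in the BIA tool.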
Estimated Time: 1 hour
As you start to consider scenarios where injuries or loss of life are a possibility, remember that health and safety risks are the top priority in a crisis. If there’s a fire in the data center, evacuating the building is the first priority, even if that means forgoing a graceful shutdown. For more details on emergency response and crisis management, see Implement Crisis Management Best Practices.
Walk through your recovery workflow in the context of additional, different scenarios to ensure there are no gaps. Collaborate with your DR team to identify changes that might be required, and incorporate these changes in the plan.
Scenario Type | Considerations |
---|---|
Isolated hardware/software failure | |
Power outage or network outage | |
Local hazard (e.g. chemical leak, police incident) | |
Equipment/building damage (e.g. fire, roof collapse) | |
Regional natural disasters | |
Estimated Time: 1.5 hours
It’s about finding ways to solve the problem, not about solving the problem. When you’re brainstorming solutions to problems, don’t stop with the first idea, even if the solution seems obvious. The first idea isn’t always the best or only solution; other ideas can expand on and improve that first idea.
Is it practical to invest in greater geo-redundancy that meets RTOs and RPOs during a widespread event?
Info-Tech suggests you consider events that impact both sites, and your risk tolerance for that impact. Outline the impact of downtime at a high level if both the primary and secondary site were affected. Research how often events severe enough to have impacted both your primary and secondary sites have occurred in the past. What’s the business tolerance for this type of event?
A common strategy: have a primary and DR site that are close enough to support low RPO/RTO, but far enough away to mitigate the impact of known regional events. Back up data to a remote third location as protection against a catastrophic event.
Approach site selection as a project. Leverage Select an Optimal Disaster Recovery Deployment Model to structure your own site-selection project.
Use the DRP Roadmap Tool to create a high-level roadmap to plan and communicate DR action items and initiatives. Determine the data you’ll use to define roadmap items.
Estimated Time: 30 minutes
Outline your expected future state recovery flow to demonstrate improvements once projects and action items have been completed.
Estimated Time: time required will vary
Tabletop planning is an effective way to discover gaps in recovery capabilities. Identify issues in the tabletop exercise so you can manage them before disaster strikes. For example:
A client started to back up application data offsite. To minimize data transfer and storage costs, the systems themselves weren’t backed up. Working through the restore process at the DR site, the DBA realized 30 years of COBOL and SQR code – critical business functionality – wasn’t backed up offsite.
A 500-employee professional services firm realized its internet connection could be a significant roadblock to recovery. Without internet, no one at head office could access critical cloud systems. The tabletop exercise identified this recovery bottleneck and helped prioritize the fix on the roadmap.
Hospitals rely on their phone systems for system downtime procedures. A tabletop exercise with a hospital client highlighted that if the data center were damaged, the phone system would likely be damaged as well. Identifying this provided more urgency to the ongoing VOIP migration.
A small municipality relied on a local MSP to perform systems restore, but realized it had never tested the restore procedure to identify RTA. Contacting the MSP to review capabilities became a roadmap item to address this risk.
Outlined the DRP response and risks to recovery
Brainstormed risk mitigation measures
Up Next: Leverage the core deliverables to complete, extend, and maintain your DRP
Congratulations! You’ve completed the core DRP deliverables and made the case for investment in DR capabilities. Take a moment to celebrate your accomplishments.
This milestone is an opportunity to look back and look forward.
Use the completed, updated DRP Maturity Scorecard to demonstrate the value of your continuity program, and to help you decide where to focus next.
Estimated Time: 2 hours
Score | A: How significant are the risks this initiative will mitigate? | B: How easily can we complete this initiative? | C: How cost-effective is this initiative? |
---|---|---|---|
3: High | Critical impact on +50% of stakeholders, or major impact to compliance posture, or significant health/safety risk. | One sprint, can be completed by a few individuals with minor supervision. | Within the IT discretionary budget. |
2: Medium | Impacts <50% of stakeholders, or minor impact on compliance, or degradation to health or safety controls. | One quarter, and/or some increased effort required, some risk to completion. | Requires budget approval from finance. |
1: Low | Impacts limited to <25% of stakeholders, no impact on compliance posture or health/safety. | One year, and/or major vendor or organizational challenges. | Requires budget approval from the board of directors. |
You can use a similar scoring exercise to prioritize and schedule high-benefit, low-effort, low-cost items identified in the roadmap in phase 3.
Write out the table on a whiteboard (record the results in a spreadsheet for reference). In the case below, IT might decide to work on repeating the core methodology first as they create the active testing plans, and tackle process changes later.
Initiative | A: How significant are the risks this initiative will mitigate? | B: How easily can we complete this initiative? | C: How cost-effective is this initiative? | Aggregate score (A x B x C) |
---|---|---|---|---|
Repeat the core methodology for all systems | 2 – will impact some stakeholders, no compliance or safety impact. | 2 – will require about 3 months, no significant complications. | 3 – No cost. | 12 |
Add DR to project mgmt. and change mgmt. | 1 – Mitigates some recovery risks over the long term. | 1 – Requires extensive consultation and process review. | 3 – No cost. | 3 |
Active failover testing on plan | 2 – Mitigates some risks; documentation and cross training is already in place. | 2 – Requires 3-4 months of occasional effort to prepare for test. | 2 – May need to purchase some equipment before testing. | 8 |
Find a pace that allows you to keep momentum going, but also leaves enough time to act on the initial findings, projects, and action items identified in the DRP Roadmap Tool. Include these initiatives in the Roadmap tool to visualize how identified initiatives fit with other tasks identified to improve your recovery capabilities.
Sample Outputs |
---|
Add Tier 2 & 3 systems to the BIA. |
Complete another tabletop exercise for Tier 2 & 3 systems recovery, and add the results to the recovery workflow. |
Identify projects to close additional gaps in the recovery process. Add projects to the project roadmap. |
Sample Outputs |
---|
Three to five detailed systems recovery flowcharts/checklists. |
Documented team roles, succession plans, and contact information. |
Notification, assessment, and disaster declaration plan. |
DRP summary. |
Layer 1, 2 & 3 network diagrams. |
Use this example of a complete, practical, right-size DR plan to drive and guide your efforts.
Sample Outputs |
---|
Application assessment for cloud DR. |
TCO tool for different environments. |
Solution decision and executive presentation. |
Use Info-Tech’s blueprint, Select the Optimal Disaster Recovery Deployment Model, to help you make sense of a world of choice for your DR site.
Risks and Challenges Mitigated
Sample Outputs |
---|
Business process-focused BIA for one business unit. |
Recovery workflows for one business unit. |
Provisioning list for one business unit. |
BCP project roadmap. |
Use Info-Tech’s blueprint, Develop a Business Continuity Plan, to develop and deploy a repeatable BCP methodology.
Sample Outputs |
---|
DR testing readiness assessment. |
Testing handbooks. |
Test plan summary template. |
DR test issue log and analysis tool. |
Uncover deficiencies in your recovery procedures by using Info-Tech’s blueprint Reduce Costly Downtime Through DR Testing.
Sample Outputs |
---|
Reviewed and updated change, project, and performance management processes. |
Reviewed and updated internal SLAs. |
Reviewed and updated data protection and backup procedures. |
Sample Outputs |
---|
A customized vendor DRP questionnaire. |
Reviewed vendor SLAs. |
Choose to keep or change service levels or vendor offerings based on findings. |
Identified progress against targets
Prioritized further initiatives
Added initiatives to the roadmap
Myth #1: DRPs need to focus on major events such as natural disasters and other highly destructive incidents such as fire and flood.
Reality: The most common threats to service continuity are hardware and software failures, network outages, and power outages.
Myth #2: Effective DRPs start with identifying and evaluating potential risks.
Reality: DR isn’t about identifying risks; it’s about ensuring service continuity.
Myth #3: DRPs are separate from day-to-day operations and incident management.
Reality: DR must be integrated with service management to ensure service continuity.
Myth #4: I use a co-lo or cloud services so I don’t have to worry about DR. That’s my vendor’s responsibility.
Reality: You can’t outsource accountability. You can’t just assume your vendor’s DR capabilities will meet your needs.
Myth #5: A DRP must include every detail so anyone can execute the recovery.
Reality: IT DR is not an airplane disaster movie. You aren’t going to ask a business user to execute a system recovery, just like you wouldn’t really want a passenger with no flying experience to land a plane.
Select the Optimal Disaster Recovery Deployment Model: Evaluate cloud, co-lo, and on-premises disaster recovery deployment models.
Develop a Business Continuity Plan: Streamline the traditional approach to make BCP development manageable and repeatable.
Prepare for a DRP Audit: Assess your current DRP maturity, identify required improvements, and complete an audit-ready DRP summary document.
Document and Maintain Your Disaster Recovery Plan: Put your DRP on a diet: keep it fit, trim, and ready for action.
Reduce Costly Downtime Through DR Testing: Improve your DR plan and your team’s ability to execute on it.
Implement Crisis Management Best Practices: An effective crisis response minimizes the impact of a crisis on reputation, profitability, and continuity.
BCI Editor’s Note: In most countries “incident” and “crisis” are used interchangeably, but in the UK the term “crisis” has been generally reserved for dealing with wide-area incidents involving Emergency Services. The BCI prefers the use of “incident” for normal BCM purposes. (Source: The Business Continuity Institute)
BCMpedia. “Recovery Objectives: RTO, RPO, and MTPD.” BCMpedia, n.d. Web.
Burke, Stephen. “Public Cloud Pitfalls: Microsoft Azure Storage Cluster Loses Power, Puts Spotlight On Private, Hybrid Cloud Advantages.” CRN, 16 Mar. 2017. Web.
Elliot, Stephen. “DevOps and the Cost of Downtime: Fortune 1000 Best Practice Metrics Quantified.” IDC, 2015. Web.
FEMA. Planning & Templates. FEMA, 2015. Web.
FINRA. “Business Continuity Plans and Emergency Contact Information.” FINRA, 2015. Web.
FINRA. “FINRA, the SEC and CFTC Issue Joint Advisory on Business Continuity Planning.” FINRA, 2013. Web.
Gosling, Mel, and Andrew Hiles. “Business Continuity Statistics: Where Myth Meets Fact.” Continuity Central, 2009. Web.
Hanwacker, Linda. “COOP Templates for Success Workbook.” The LSH Group, n.d. Web.
Homeland Security. Federal Information Security Management Act (FISMA). Homeland Security, 2015. Web.
Nichols, Shaun. “AWS's S3 Outage Was So Bad Amazon Couldn't Get Into Its Own Dashboard to Warn the World.” The Register, 1 Mar. 2017. Web.
Potter, Patrick. “BCM Regulatory Alphabet Soup.” RSA Archer Organization, 2012. Web.
Rothstein, Philip Jan. “Disaster Recovery Testing: Exercising Your Contingency Plan.” Rothstein Associates Inc., 2007. Web.
The Business Continuity Institute. “The Good Practice Guidelines.” The Business Continuity Institute, 2013. Web.
The Disaster Recovery Journal. “Disaster Resource Guide.” The Disaster Recovery Journal, 2015. Web.
The Disaster Recovery Journal. “DR Rules & Regulations.” The Disaster Recovery Journal, 2015. Web.
The Federal Financial Institution Examination Council (FFIEC). Business Continuity Planning. IT Examination Handbook InfoBase, 2015. Web.
York, Kyle. “Read Dyn’s Statement on the 10/21/2016 DNS DDoS Attack.” Oracle, 22 Oct. 2016. Web.
Each organization is different, so a generic list of security priorities will not be applicable to every organization. Thus, you need to:
During 2022, ransomware campaigns declined from quarter to quarter due to the collapse of experienced groups. Several smaller groups are developing to recapture the lost ransomware market. However, ransomware is still the most worrying cyber threat.
Also in 2022, people returned to normal activities such as traveling and attending sports or music events but not yet to the office. The reasons behind this trend are manifold. For example, employees perceive that work from home (WFH) has positive productivity effects and offers time flexibility, especially for those with families with younger children. On the other side of the spectrum, some employers perceive that WFH has negative productivity effects and thus are urging employees to return to the office. However, employers also understand that the competition to retain skilled workers is harder. Thus, the trend is to have hybrid work where eligible employees can WFH for a certain portion of their work week.
Besides ransomware and the hybrid work model, in 2022, we saw an evolving threat landscape, regulatory changes, and the potential for a recession by the end of 2023, which can impact how we prioritize cybersecurity this year. Furthermore, organizations are still facing the ongoing issues of insufficient cybersecurity resources and organization modernization.
This report will explore important security trends, the security priorities that stem from these trends, and how to customize these priorities for your organization.
In Q2 2022, the median ransom payment was $36,360 (-51% from Q1 2022), a continuation of a downward trend since Q4 2021 when the ransom payment median was $117,116.
Source: Coveware, 2022
From January until October 2022, hybrid work grew in almost all industries in Canada especially finance, insurance, real estate, rental and leasing (+14.7%), public administration and professional services (+11.8%), and scientific and technical services (+10.8%).
Source: Statistics Canada, Labour Force Survey, October 2022; N=3,701
Investment in remote work due to changes in processes and infrastructure
As part of our research process for the 2023 Security Priorities Report, we used the results from our State of Hybrid Work in IT Survey, which collected responses between July 10 and July 29, 2022 (total N=745, with n=518 completed surveys). This survey details what changes in processes and IT infrastructure are likely due to hybrid work.
Survey respondents (n=518) were asked what processes had the highest degree of change in response to supporting hybrid work. Incident management is the #1 result and service request support is #2. This is unsurprising considering that remote work changed how people communicate, how they access company assets, and how they connect to the company network and infrastructure.
For 2023, we believe that hybrid work will remain. The first driver is that employees still prefer to work remotely for certain days of the week. The second driver is the investment from employers in enabling WFH during the pandemic, such as updated network architecture (44%) and the infrastructure and day-to-day operations (41%), as shown in our survey.
In the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, we asked about cybersecurity concerns and the perception about readiness to meet current and future government legislation regarding cybersecurity requirements.
Survey respondents were asked how concerned they are about certain cybersecurity issues from 1 (not concerned at all) to 5 (very concerned). The #1 concern was talent shortages. Other issues with similar concerns included cyber risks not on leadership's radar, supply chain risks, and new regulations (n=507).
When asked about how confident organizations are about being prepared to meet current and future government legislation regarding cybersecurity requirements, from 1 (not confident at all) to 5 (very confident), the #1 response was 3 (n=499).
Unsurprisingly, the ever-changing government legislation environment in a world emerging from a pandemic and ongoing wars may not give us the highest confidence.
As part of our research process for the 2023 Security Priorities Report, we reviewed results of completed Info-Tech Research Group Security Governance and Management Benchmark diagnostics (N=912). This report details what we see in our clients' security governance maturity. Setting aside the perception on readiness – what are their actual security maturity levels?
Overall, assessed organizations are still scoring low (47%) on Security Culture and Policy and Process Governance. This explains why most security incidents are still due to gaps in foundational security and security awareness, not lack of advanced controls such as event and incident management (58%).
As part of our research process for the 2023 Security Priorities Report, we reviewed the results of the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, which collected responses between August 9 and September 9, 2022 (total N=813 with n=521 completed surveys).
Keeping the same spending is the #1 result and #2 is increasing spending up to 10%. This is a surprising finding considering the survey was conducted after the middle of 2022 and a recession has been predicted since early 2022 (n=489).
US recession forecast
Source: Statista, 2022, CC BY-ND
Contingency planning for recessions normally includes tight budgeting; however, it can also include opportunities for growth such as hiring talent who have been laid off by competitors and are difficult to acquire in normal conditions. This can support our previous findings on increasing cybersecurity spending.
If anything can be learned from the COVID-19 pandemic, it is that humans are resilient. We swiftly changed to remote workplaces and adjusted people, processes, and technologies accordingly. We had some hiccups along the way, but overall, we demonstrated that our ability to adjust is amazing.
The pandemic changed how people work and how and where they choose to work, and most people still want a hybrid work model. However, the number of days for hybrid work itself varies. For example, from our survey in July 2022 (n=516), 55.8% of employees have the option of 2-3 days per week to work offsite, 21.0% for 1 day per week, and 17.8% for 4 days per week.
Furthermore, the investment (e.g. on infrastructure and networks) to initiate remote work was huge, and the cost doesn't end there, as we need to maintain the secure remote work infrastructure to facilitate the hybrid work model.
Remote work: A 2022 survey by WFH Research (N=16,451) reports that ~14% of full-time employees are fully remote and ~29% are in a hybrid arrangement as of Summer-Fall 2022.
Security workforce shortage: A 2022 survey by Bridewell (N=521) reports that 68% of leaders say it has become harder to recruit the right people, impacting organizational ability to secure and monitor systems.
Confidence in the security practice: A 2022 diagnostic survey by Info-Tech Research Group (N=55) reports that importance may not correspond to confidence; for example, the most important selected cybersecurity area, namely Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice (80.5%).
Source: National Bureau of Economic Research, 2021
As part of our research process for the 2023 Security Priorities Report, we analyzed results from the Info-Tech Research Group diagnostics. This report details what we see in our clients' perceived importance of security and their confidence in existing security practices.
Diagnostics respondents (N=55) were asked about how important security is to their organization or department. Importance to the overall organization is 2.1 percentage points (pp) higher, but confidence in the organization's overall security is slightly lower (-0.4 pp).
If we break down to security areas, we can see that the most important area, Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice: 80.5%. From this data we can conclude that leaders must build a strong cybersecurity workforce to increase confidence in the security practice.
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Review your security strategy for hybrid work.
Determine the skill needs of your security strategy.
Identify skills gaps that hinder the successful execution of the hybrid work security strategy.
Use the identified skill gaps to define the technical skill requirements for work roles.
Conduct a skills assessment on your current workforce to identify employee skill gaps.
Decide whether to train, hire, contract, or outsource each skill gap.
Source: Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan, Info-Tech
From computerized milk-handling systems in Wisconsin farms, to automated railway systems in Europe, to Ausgrid's Distribution Network Management System (DNMS) in Australia, to smart cities and beyond, system modernization poses unique challenges to cybersecurity.
The threats can be safety, such as the trains stopped in Denmark during the last weekend of October 2022 for several hours due to an attack on a third-party IT service provider; economics, such as a cream cheese production shutdown that occurred at the peak of cream cheese demand in October 2021 due to hackers compromising a large cheese manufacturer's plants and distribution centers; and reliability, such as the significant loss of communication for the Ukrainian military, which relied on Viasat's services.
Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits.
IIoT market size is USD 323.62 billion in 2022 and projected to be around USD 1 trillion in 2028.
Source: Statista, March 2022
Target | Method | Impact |
---|---|---|
Australian sewage plant | Insider attack | 265,000 gallons of untreated sewage released. |
Middle East energy companies | Shamoon | Overwritten Windows-based systems files. |
German Steel Mill | Spear-phishing | Blast furnace control shutdown failure. |
Middle East Safety Instrumented System (SIS) | TRISIS/TRITON | Modified safety system ladder logic. |
Viasat's KA-SAT Network | AcidRain | Significant loss of communication for the Ukrainian military, which relied on Viasat's services. |
Marconi wireless telegraphs presentation | Morse code | Fake message sent "Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily." |
Iranian uranium enrichment plant | Stuxnet | Compromised programmable logic controllers (PLCs). |
ICS supply chain | Havex | Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers. |
Ukraine power grid | BlackEnergy | Manipulation of HMI View causing 1-6 hour power outages for 230,000 consumers. |
Colonial Pipeline | DarkSide ransomware | Compromised billing infrastructure halted the pipeline operation. |
Sources:
Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Identify the drivers to align with your organization's business objectives.
Build your case by leveraging a cost-benefit analysis, and update your security strategy.
Identify people, process, and technology gaps that hinder the modernization security strategy.
Use the identified skill gaps to update risks, policies and procedures, IR, DR, and BCP.
Evaluate and enable modernization technology top focus areas and refine security processes.
Decide whether to train, hire, contract, or outsource to fill the security workforce gap.
Sources:
Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech
Secure IT-OT Convergence, Info-Tech
Identify a modernization business case for security.
Benefits | Metrics |
---|---|
Operational Efficiency and Cost Savings | |
Improve Reliability and Resilience | |
Energy & Capacity Savings | |
Customers & Society Benefits | |
Cost | Metrics |
---|---|
Equipment and Infrastructure | Upgrade existing security equipment or instrumentation or deploy new, e.g. IPS on Enterprise DMZ and Operations DMZ. Implement communication network equipment and labor to install and configure. Upgrade or construct server room including cooling/heating, power backup, and server and rack hardware. |
Software and Commission | The SCADA/HMI software and maintenance fee as well as lifecycle upgrade implementation project cost. Labor cost of field commissioning and troubleshooting. Integration with security systems, e.g. log management and continuous monitoring. |
Support and Resources | Cost to hire/outsource security FTEs for ongoing management and operation of security devices, e.g. SOC. Cost to hire/outsource IT/OT FTEs to support and troubleshoot systems and their integrations with security systems, e.g. MSSP. |
An example of a cost-benefit analysis for ICS modernization
Sources:
Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech
Lawrence Berkeley National Laboratory, 2021
(Control System Defense: Know the Opponent, CISA)
An example of a high-level architecture of an electric utility's control system and its interaction with IT systems.
Source: ISA-99, 2007
Government-enacted regulatory changes are occurring at an ever-increasing rate these days. As one example, on November 10, 2022, the EU Parliament introduced two EU cybersecurity laws: the Network and Information Security (NIS2) Directive (applicable to organizations located within the EU and organizations outside the EU that are essential within an EU country) and the Digital Operational Resilience Act (DORA). There are also industry regulatory changes such as PCI DSS v4.0 for the payment sector and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for Bulk Electric Systems (BES).
Organizations should use regulatory changes as a means to improve security practices, instead of treating them as a compliance burden. As said by lead member of EU Parliament Bart Groothuis on NIS2, "This European directive is going to help around 160,000 entities tighten their grip on security […] It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale."
Stricter requirements and reporting: Regulations such as NIS2 include provisions for incident response, supply chain security, encryption, and vulnerability disclosure, and set tighter obligations for cybersecurity risk management and reporting.
Broader sectors: For example, the original NIS directive covers 19 sectors such as Healthcare, Digital Infrastructure, Transport, and Energy. Meanwhile, the new NIS2 directive increases to 35 sectors by adding other sectors such as providers of public electronic communications networks or services, manufacturing of certain critical products (e.g. pharmaceuticals), food, and digital services.
High sanctions for violations: For example, the Digital Services Act (DSA) includes fines of up to 6% of global turnover and a ban on operating in the EU single market in case of repeated serious breaches.
Approximately 100 cross-border data flow regulations exist in 2022.
Source: McKinsey, 2022
64 new requirements were added.
13 new requirements become effective March 31, 2024.
11 new requirements are only for service providers.
Defined roles must be assigned for requirements.
Focus on periodically assessing and documenting scope.
Entities may choose a defined approach or a customized approach to requirements.
An example of new requirements for PCI DSS v4.0
Source: Prepare for PCI DSS v4.0, Info-Tech
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
Description must include what organization will undertake to complete the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Related Info-Tech Research:
Identify relevant security and privacy obligations and conformance levels.
Identify gaps for updated obligations, and map obligations into control framework.
Review, update, and implement policies and strategy.
Develop compliance exception process.
Develop test scripts to check your remediations to ensure they are effective.
Track and report status and exceptions.
Sources: Build a Security Compliance Program and Prepare for PCI DSS v4.0, Info-Tech
# | Security | Jurisdiction |
---|---|---|
1 | Network and Information Security (NIS2) Directive | European Union (EU) and organizations outside the EU that are essential within an EU country |
2 | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) | North American electrical utilities |
3 | Executive Order (EO) 14028: Improving the Nation's Cybersecurity, The White House, 2021 | United States |
# | Privacy | Jurisdiction |
---|---|---|
1 | General Data Protection Regulation (GDPR) | EU and EU citizens |
2 | Personal Information Protection and Electronic Documents Act (PIPEDA) | Canada |
3 | California Consumer Privacy Act (CCPA) | California, USA |
4 | Personal Information Protection Law of the People’s Republic of China (PIPL) | China |
An example of security and privacy compliance obligations
The cat and mouse game between threat actors and defenders is continuing. The looming question "can defenders do better?" has been answered with rapid development of technology. This includes the automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing) not only on IT but also on other relevant environments, e.g. IoT, IIoT, and OT based on AI/ML.
More fundamental approaches such as post-quantum cryptography and zero trust (ZT) are also emerging.
ZT is a principle, a model, and also an architecture focused on resource protection by always verifying transactions using the least privilege principle. Hopefully in 2023, ZT will be more practical and not just a vendor marketing buzzword.
Next-gen cybersecurity technologies alone are not a silver bullet. A combination of skilled talent, useful data, and best practices will give a competitive advantage. The key concepts are explainability, transparency, and trustworthiness. Furthermore, regulation often struggles to keep up with next-gen cybersecurity technologies, especially with the implications and risks of adoption, which may not always be explicit.
ZT: Performing an accurate assessment of readiness and benefits to adopt ZT can be difficult due to ZT's many components. Thus, an organization needs to develop a ZT roadmap that aligns with organizational goals and focuses on access to data, assets, applications, and services; don't select solutions or vendors too early.
Post-quantum cryptography: Current cryptographic applications, such as RSA for PKI, rely on the difficulty of factorization. However, algorithms such as Shor's show quantum speedup for factorization, which can break current crypto when sufficient quantum computing devices are available. Thus, threat actors can intercept currently encrypted information now and store it to decrypt in the future.
AI-based threat management: AI helps in analyzing and correlating data extremely fast compared to humans. Millions of telemetries, malware samples, raw events, and vulnerability data feed into the AI system, which humans cannot process manually. Furthermore, AI does not get tired in processing this big data, thus avoiding human error and negligence.
Data breach mitigation cost without AI: USD 6.20 million; and with AI: USD 3.15 million
Source: IBM, 2022
Too many false alarms and too many events to process. Evolving threat landscapes waste your analysts' valuable time on mundane tasks, such as evidence collection. Meanwhile, only limited time is spared for decisions and conclusions, which results in the fear of missing an incident and alert fatigue.
To report progress, clear metrics are needed. However, cybersecurity still lacks in this area as the system itself is complex and some systems work in silos. Furthermore, lessons learned are not yet distilled into insights for improving future accuracy.
System integration is required to create consistent workflows across the organization and to ensure complete visibility of the threat landscape, risks, and assets. The convergence of OT, IoT, and IT compounds this challenge.
Source: IBM Security Intelligence, 2020
Risk scores are generated by machine learning based on variables such as behavioral patterns and geolocation. Zero trust architecture is combined with machine learning. Asset management leverages visibility using machine learning. Comply with regulations by improving discovery, classification, and protection of data using machine learning. Data security and data privacy services use machine learning for data discovery.
AI, advanced machine learning, and static approaches, such as code file analysis, combine to automatically detect and analyze threats and prevent threats from spreading, assisted by threat intelligence.
AI helps in orchestrating security technologies for organizations to reduce the number of security agents installed, which may not talk to each other or, worse, may conflict with each other.
AI continuously tunes based on lessons learned, such as creating security policies for improving future accuracy. AI also does not get fatigued, and it assists humans in a faster recovery.
AI has been around since the 1940s, but why is it only gaining traction now? Because supporting technologies are only now available, including faster GPUs for complex computations and cheaper storage for massive volumes of data.
Use this template to explain the priorities you need your stakeholders to know about.
Description must include what organization will undertake to complete the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Identify the stakeholders who will be affected by the next-gen cybersecurity technologies implementation and define responsibilities based on skillsets and the degree of support.
Adopt well-established data governance practices for cross-functional teams.
Conduct a maturity assessment of key processes and highlight interdependencies.
Develop a baseline and periodically review risks, policies and procedures, and business plan.
Develop a roadmap and deploy next-gen cybersecurity architecture and controls step by step, working with trusted technology partners.
Monitor metrics on effectiveness and efficiency.
Source: Leverage AI in Threat Management (keynote presentation), Info-Tech
Software is usually produced as part of a supply chain instead of in silos. A vulnerability in any part of the supply chain can become a threat surface. We have learned this from recent incidents such as Log4j, SolarWinds, and Kaseya where attackers compromised a Virtual System Administrator tool used by managed service providers to attack around 1,500 organizations.
DevSecOps is a culture and philosophy that unifies development, security, and operations to answer this challenge. DevSecOps shifts security left by automating, as much as possible, development and testing. DevSecOps provides many benefits such as rapid development of secure software and assurance that, prior to formal release and delivery, tests are reliably performed and passed.
DevSecOps practices can apply to IT, OT, IoT, and other technology environments, for example, by integrating a Secure Software Development Framework (SSDF).
Secure Software Supply Chain: Logging is a fundamental feature of most software, and the use of software components, especially open source, is based on trust. From the Log4j incident we learned that more could be done to improve the supply chain by adopting ZT to identify related components and data flows between systems and to apply the least privilege principle.
DevSecOps: A software error wiped out wireless services for thousands of Rogers customers across Canada in 2021. Emergency services were also impacted, even though outgoing 911 calls were always accessible. Losing such services could have been avoided if tests were reliably performed and passed prior to release.
OT insecure-by-design: In OT, insecurity-by-design is still a norm, which causes many vulnerabilities such as insecure protocol implementations, weak authentication schemes, or insecure firmware updates. Additional challenges are the lack of CVEs or CVE duplication, the lack of a Software Bill of Materials (SBOM), and product supply chain issues such as vulnerable products that are certified because of the scoping limitation and emphasis on functional testing.
Technical causes of cybersecurity incidents in EU critical service providers in 2019-2021 include software bugs (12%) and faulty software changes/updates (9%).
Source: CIRAS Incident reporting, ENISA (N=1,239)
Best Practices | 30 Years Ago | 15 Years Ago | Present Day |
---|---|---|---|
Lifecycle | Years or Months | Months or Weeks | Weeks or Days |
Development Process | Waterfall | Agile | DevSecOps |
Architecture | Monolithic | N-Tier | Microservices |
Deployment & Packaging | Physical | Virtual | Container |
Hosting Infrastructure | Server | Data Center | Cloud |
Cybersecurity Posture | Firewall | + SIEM | + Zero Trust |
Best practices in software development are evolving as shown in the table above. For example, 30 years ago the lifecycle was "Years or Months," while in the present day it is "Weeks or Days."
These changes also affect security. For example, the software architecture is no longer "Monolithic" but "Microservices," normally built within the supply chain.
The software supply chain has known integrity attacks that can happen on each part of it. These range from bad code submitted by a developer, to a compromised source control platform (e.g. PHP git server compromised), to a compromised build platform (e.g. malicious behavior injected on SolarWinds build), to a compromised package repository where users are deceived into using the bad package by the similarity between the malicious and the original package name.
Therefore, we must secure each part of the link to avoid attacks on the weakest link.
Guide for Developers | Guide for Suppliers | Guide for Customers |
---|---|---|
Secure product criteria and management, develop secure code, verify third-party components, harden build environment, and deliver code. | Define criteria for software security checks, protect software, produce well-secured software, and respond to vulnerabilities. | Secure procurement and acquisition, secure deployment, and secure software operations. |
Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022
"Most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these software components are developed, integrated, and deployed, as well as the practices used to ensure the components' security."
Source: NIST – NCCoE, 2022
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
Description must include what organization will undertake to complete the initiative.
List initiative drivers.
List initiative risks and impacts.
Only a few developers and suppliers explicitly address software security in detail.
Time pressure to deliver functionality over security.
Lack of security awareness and lack of trained workforce.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Customers (acquiring organizations) achieve secure acquisition, deployment, and operation of software.
Developers and suppliers provide software security with minimal vulnerabilities in its releases.
Automated processes such as automated testing avoid error-prone and labor-intensive manual test cases.
Define and keep security requirements and risk assessments up to date.
Perform analysis on current market and supplier solutions and acquire security evaluation.
Require visibility into provenance of product, and require suppliers' self-attestation of security hygiene.
Verify distribution infrastructure, product and individual components integrity, and SBOM.
Save and store the tests and test environment and review and verify the self-attestation mechanism.
Use multi-layered defenses, e.g. ZT for integration and control configuration.
Train users on how to detect and report anomalies and when to apply updates to a system.
Ensure updates from authorized and authenticated sources and verify the integrity of the updated SBOM.
Apply supply chain risk management (SCRM) operations.
Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022
Aksoy, Cevat Giray, Jose Maria Barrero, Nicholas Bloom, Steven J. Davis, Mathias Dolls, and Pablo Zarate. "Working from Home Around the World." Brookings Papers on Economic Activity, 2022.
Barrero, Jose Maria, Nicholas Bloom, and Steven J. Davis. "Why working from home will stick." WFH Research, National Bureau of Economic Research, Working Paper 28731, 2021.
Boehm, Jim, Dennis Dias, Charlie Lewis, Kathleen Li, and Daniel Wallance. "Cybersecurity trends: Looking over the horizon." McKinsey & Company, March 2022. Accessed 31 Oct. 2022.
"China: TC260 issues list of national standards supporting implementation of PIPL." OneTrust, 8 Nov. 2022. Accessed 17 Nov. 2022.
Chmielewski, Stéphane. "What is the potential of artificial intelligence to improve cybersecurity posture?" before.ai blog, 7 Aug. 2022. Accessed 15 Aug. 2022.
Conerly, Bill. "The Recession Will Begin Late 2023 Or Early 2024." Forbes, 1 Nov. 2022. Accessed 8 Nov. 2022.
"Control System Defense: Know the Opponent." CISA, 22 Sep. 2022. Accessed 17 Nov. 2022.
"Cost of a Data Breach Report 2022." IBM, 2022.
"Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience." European Parliament News, 10 Nov. 2022. Press Release.
"Cyber Security in Critical National Infrastructure Organisations: 2022." Bridewell, 2022. Accessed 7 Nov. 2022.
Davis, Steven. "The Big Shift to Working from Home." NBER Macro Annual Session On "The Future of Work," 1 April 2022.
"Digital Services Act: EU's landmark rules for online platforms enter into force." EU Commission, 16 Nov. 2022. Accessed 16 Nov. 2022.
"DoD Enterprise DevSecOps Fundamentals." DoD CIO, 12 May 2022. Accessed 21 Nov. 2022.
Elkin, Elizabeth, and Deena Shanker. "That Cream Cheese Shortage You Heard About? Cyberattacks Played a Part." Bloomberg, 09 Dec. 2021. Accessed 27 Oct. 2022.
Evan, Pete. "What happened at Rogers? Day-long outage is over, but questions remain." CBC News, 21 April 2022. Accessed 15 Nov. 2022.
"Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022." Coveware, 28 July 2022. Accessed 18 Nov. 2022.
"Fighting cybercrime: new EU cybersecurity laws explained." EU Commission, 10 Nov. 2022. Accessed 16 Nov. 2022.
"Guide to PCI compliance cost." Vanta. Accessed 18 Nov. 2022.
Hammond, Susannah, and Mike Cowan. "Cost of Compliance 2022: Competing priorities." Thomson Reuters, 2022. Accessed 18 Nov. 2022.
Hemsley, Kevin, and Ronald Fisher. "History of Industrial Control System Cyber Incidents." Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.
Hofmann, Sarah. "What Is The NIS2 And How Will It Impact Your Organisation?" CyberPilot, 5 Aug. 2022. Accessed 16 Nov. 2022.
"Incident reporting." CIRAS Incident Reporting, ENISA. Accessed 21 Nov. 2022.
"Introducing SLSA, an End-to-End Framework for Supply Chain Integrity." Google, 16 June 2021. Accessed 25 Nov. 2022.
Kovacs, Eduard. "Trains Vulnerable to Hacker Attacks: Researchers." SecurityWeek, 29 Dec. 2015. Accessed 15 Nov. 2022.
"Labour Force Survey, October 2022." Statistics Canada, 4 Nov. 2022. Accessed 7 Nov. 2022.
Malacco, Victor. "Promises and potential of automated milking systems." Michigan State University Extension, 28 Feb. 2022. Accessed 15 Nov. 2022.
Maxim, Merritt, et al. "Planning Guide 2023: Security & Risk." Forrester, 23 Aug. 2022. Accessed 31 Oct. 2022.
"National Cyber Threat Assessment 2023-2024." Canadian Centre for Cyber Security, 2022. Accessed 18 Nov. 2022.
Nicaise, Vincent. "EU NIS2 Directive: what's changing?" Stormshield, 20 Oct. 2022. Accessed 17 Nov. 2022.
O'Neill, Patrick. "Russia hacked an American satellite company one hour before the Ukraine invasion." MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.
"OT ICEFALL: The legacy of 'insecure by design' and its implications for certifications and risk management." Forescout, 2022. Accessed 21 Nov. 2022.
Palmer, Danny. "Your cybersecurity staff are burned out - and many have thought about quitting." ZDNet, 8 Aug. 2022. Accessed 19 Aug. 2022.
Placek, Martin. "Industrial Internet of Things (IIoT) market size worldwide from 2020 to 2028 (in billion U.S. dollars)." Statista, 14 March 2022. Accessed 15 Nov. 2022.
"Revised Proposal Attachment 5.13.N.1 ADMS Business Case PUBLIC." Ausgrid, Jan. 2019. Accessed 15 Nov. 2022.
Richter, Felix. "Cloudy With a Chance of Recession." Statista, 6 April 2022. Web.
"Securing the Software Supply Chain: Recommended Practices Guide for Developers." Enduring Security Framework (ESF), Aug. 2022. Accessed 22 Sep. 2022.
"Securing the Software Supply Chain: Recommended Practices Guide for Suppliers." Enduring Security Framework (ESF), Sep. 2022. Accessed 21 Nov. 2022.
"Securing the Software Supply Chain: Recommended Practices Guide for Customers." Enduring Security Framework (ESF), Oct. 2022. Accessed 21 Nov. 2022.
"Security Guidelines for the Electricity Sector: Control System Electronic Connectivity." North American Electric Reliability Corporation (NERC), 28 Oct. 2013. Accessed 25 Nov. 2022.
Shepel, Jan. "Schreiber Foods hit with cyberattack; plants closed." Wisconsin State Farmer, 26 Oct. 2022. Accessed 15 Nov. 2022.
"Significant Cyber Incidents." Center for Strategic and International Studies (CSIS). Accessed 1 Sep. 2022.
Souppaya, Murugiah, Michael Ogata, Paul Watrobski, and Karen Scarfone. "Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps." NIST - National Cybersecurity Center of Excellence (NCCoE), Nov. 2022. Accessed 22 Nov. 2022.
"Ten Things Will Change Cybersecurity in 2023." SOCRadar, 23 Sep. 2022. Accessed 31 Oct. 2022.
"The Nature of Cybersecurity Defense: Pentagon To Reveal Updated Zero-Trust Cybersecurity Strategy & Guidelines." Cybersecurity Insiders. Accessed 21 Nov. 2022.
"What Is Threat Management? Common Challenges and Best Practices." IBM Security Intelligence, 2020.
Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.
Violino, Bob. "5 key considerations for your 2023 cybersecurity budget planning." CSO Online, 14 July 2022. Accessed 27 Oct. 2022.
Andrew Reese
Cybersecurity Practice Lead
Zones
Ashok Rutthan
Chief Information Security Officer (CISO)
Massmart
Chris Weedall
Chief Information Security Officer (CISO)
Cheshire East Council
Jeff Kramer
EVP Digital Transformation and Cybersecurity
Aprio
Kris Arthur
Chief Information Security Officer (CISO)
SEKO Logistics
Mike Toland
Chief Information Security Officer (CISO)
Mutual Benefit Group
Operations... make sure that the services and products you offer your clients are delivered in the most efficient way possible. IT Operations makes sure that the applications and infrastructure that your delivery depends on are solid.
Gert Taeymans has over 20 years of experience in directing the implementation and management of mission-critical services for businesses in high-volume international markets. Strong track record in risk management, crisis management including disaster recovery, service delivery and change & config management.
Assess current capabilities and define an ideal target state.
Understand the different collection solutions to identify which best supports needs.
Begin analyzing and acting on gathered intelligence.
Stand up an intelligence dissemination program.
Realize the benefits of a diverse workforce by embedding inclusion into work practices, behaviors, and values, ensuring accountability throughout the department.
Understand what it means to be inclusive: reassess work practices and learn how to apply leadership behaviors to create an inclusive environment.
Learn, evaluate, and understand what it means to be inclusive, examine biases, and apply inclusive leadership behaviors.
Read our Time Study to understand how cybersecurity professionals allocate their time, what pain points they endure, and tactics that can be leveraged to better manage time.
Discover where your data resides, what governance helps you do, and what types of data you're classifying. Then build your data and security protection baselines for your retention policy, sensitivity labels, workload containers, and both forced and unforced policies.
Your Challenge
Common Obstacles
Data governance has several obstacles that impact a successful launch, especially if governing M365 is not a planned strategy. Below are some of the more common obstacles:
Info-Tech’s Approach
Data classification is the lynchpin to any effective governance of O/M365, and your objective is to navigate through this easily and effectively and build a robust, secure, and viable governance model. Start your journey by identifying what and where your data is and how much data you have. You need to understand what sensitive data you have and where it is stored before you can protect or govern it. Ensure there is a high-level leader who is the champion of the governance objectives. Data classification fulfills the governance objectives of risk mitigation, governance and compliance, efficiency and optimization, and analytics.
1. Know Your Data: Do you know where your critical and sensitive data resides and what is being done with it? Trying to understand where your information is can be a significant project.
2. Protect Your Data: Do you have control of your data as it traverses across the organization and externally to partners? You want to protect information wherever it goes through encryption, etc.
3. Prevent Data Loss: Are you able to detect unsafe activities that prevent sharing of sensitive information? Data loss prevention (DLP) is the practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data.
4. Govern Your Data: Are you using multiple solutions (or any) to classify, label, and protect sensitive data? Many organizations use more than one solution to protect and govern their data, making it difficult to determine if there are any coverage gaps.
Deciding on how granular you go into data classification will chiefly be governed by what industry you are in and your regulatory obligations – the more highly regulated your industry, the more classification levels you will be mandated to enforce. The more complexity you introduce into your organization, the more operational overhead both in cost and resources you will have to endure and build.
Microsoft Information Protection (MIP), which is Microsoft’s Data Classification Services, is the key to achieving your governance goals. Without an MVP, data classification will be overwhelming; simplifying is the first step in achieving governance.
(Source: Microsoft, “Microsoft Purview compliance portal”)
The least-complex sensitivity labels in your classification are your building blocks to compliance and security in your data management schema; they are your foundational steps.
Data governance is a "takes a whole village" kind of effort.
Clarify who is expected to do what with a RACI chart.
End User | M365 Administrator | Security/ Compliance | Data Owner | |
Define classification divisions | R | A | ||
Apply classification label to data – at point of creation | A | R | ||
Apply classification label to data – legacy items | R | A | ||
Map classification divisions to relevant policies | R | A | ||
Define governance objectives | R | A | ||
Backup | R | A | ||
Retention | R | A | ||
Establish minimum baseline | A | R |
What and where your data resides: Data types that require classification.
M365 Workload Containers
Email | Site Collections, Sites | Sites | Project Databases |
Contacts | Teams and Group Site Collections, Sites | Libraries and Lists | Sites |
Metadata | Libraries and Lists | Documents | Libraries and Lists |
Teams Conversations | Documents | Metadata | Documents |
Teams Chats | Metadata | Permissions | Metadata |
Permissions |
Files Shared via Teams Chats | Permissions |
Knowing where your data resides will ensure you do not miss any applicable data that needs to be classified. These are examples of the workload containers; you may have others.
AIP helps you manage sensitive data prior to migrating to Office 365:
Azure Information Protection scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data. Discover mode helps you identify and report on files containing sensitive data (Microsoft Inside Track and CIAOPS, 2022). Enforce mode automatically classifies, labels, and protects files with sensitive data.
Any asset deployed to the cloud must have approved data classification. Enforcing this policy is a must to control your data.
Information Governance | Records Management | Retention and Deletion |
---|---|---|
Information governance manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you do not. Backup should not be used as a retention methodology since information governance is managed as a “living entity” and backup is a stored information block that is “suspended in time.” | Records management uses intelligent classification to automate and simplify the retention schedule for regulatory, legal, and business-critical records in your organization. It is for that discrete set of content that needs to be immutable. | |
Connectors for Third-Party Data
Info-Tech Insight: Retention is not backup. Retention means something different: “the content must be available for discovery and legal document production while being able to defend its provenance, chain of custody, and its deletion or destruction” (AvePoint Blog, 2021).
What are retention policies used for? Why do you need them as part of your MVP?
Do not confuse retention labels and policies with backup.
Remember: “retention [policies are] auto-applied whereas retention label policies are only applied if the content is tagged with the associated retention label” (AvePoint Blog, 2021).
E-discovery tool retention policies are not turned on automatically.
Retention policies are not a backup tool – when you activate this feature you are unable to delete anyone.
“Data retention policy tools enable a business to:
“It is also important to remember that ‘Retention Label Policies’ do not move a copy of the content to the ‘Preservation Holds’ folder until the content under policy is changed next.” (Source: AvePoint Blog, 2021)
Data classification is a focused term used in the fields of cybersecurity and information governance to describe the process of identifying, categorizing, and protecting content according to its sensitivity or impact level. In its most basic form, data classification is a means of protecting your data from unauthorized disclosure, alteration, or destruction based on how sensitive or impactful it is.
Once data is classified, you can then create policies; sensitive data types, trainable classifiers, and sensitivity labels function as inputs to policies. Policies define behaviors, like if there will be a default label, if labeling is mandatory, what locations the label will be applied to, and under what conditions. A policy is created when you configure Microsoft 365 to publish or automatically apply sensitive information types, trainable classifiers, or labels.
Sensitivity label policies show one or more labels to Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups. Once published, users can apply the labels to protect their content.
Data loss prevention (DLP) policies help identify and protect your organization's sensitive info (Microsoft Docs, April 2022). For example, you can set up policies to help make sure information in email and documents is not shared with the wrong people. DLP policies can use sensitive information types and retention labels to identify content containing information that might need protection.
Retention policies and retention label policies help you keep what you want and get rid of what you do not. They also play a significant role in records management.
Internal Personal, Employment, and Job Performance Data | Confidential Information | Internal Data | Public Data |
Privacy | Public | Private |
External guest policy | Allowed | Not Allowed |
What users will see when they create or label a Team/Group/Site
(Source: Microsoft, “Microsoft Purview compliance portal”)
Data Protection Baseline
“Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline” (Microsoft Docs, June 2022). This baseline assessment has a set of controls for key regulations and standards for data protection and general data governance. This baseline draws elements primarily from NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization) as well as from FedRAMP (Federal Risk and Authorization Management Program) and GDPR (General Data Protection Regulation of the European Union).
Security Baseline
The final stage in M365 governance is security. You need to implement a governance policy that clearly defines storage locations for certain types of data and who has permission to access it. You need to record and track who accesses content and how they share it externally. “Part of your process should involve monitoring unusual external sharing to ensure staff only share documents that they are allowed to” (Rencore, 2021).
Security: MFA or SSO to access from anywhere, any device; banned password list; BYOD sync with corporate network
Users: Sign out inactive users automatically; enable guest users; external sharing; block client forwarding rules
Resources: Account lockout threshold; OneDrive; SharePoint
Controls: Sensitivity labels, retention labels and policies, DLP; mobile application management policy
Sensitivity Profiles: Public, Internal, Confidential; Subcategory: Highly Confidential
Sensitivity | Public | External Collaboration | Internal | Highly Confidential |
Description | Data that is specifically prepared for public consumption | Not approved for public consumption, but OK for external collaboration | External collaboration highly discouraged and must be justified | Data of the highest sensitivity: avoid oversharing, internal collaboration only |
Label details | | | | |
Teams or Site details | Public Team or Site open discovery, guests are allowed | Private Team or Site members are invited, guests are allowed | Private Team or Site members are invited, guests are not allowed | |
DLP | None | Warn | Block |
Please Note: Global/Compliance Admins go to the 365 Groups platform, the compliance center (Purview), and Teams services (Source: Microsoft Documentation, “Microsoft Purview compliance documentation”)
PRIMARY ACTIVITIES
Define Your Governance
The objective of the MVP is reducing barriers to establishing an initial governance position, and then enabling rapid progression of the solution to address a variety of tangible risks, including DLP, data retention, legal holds, and labeling. Decide on your classification labels early.
CATEGORIZATION | CLASSIFICATION | MVP
Data Discovery and Management
AIP (Azure Information Protection) scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data.
Baseline Setup
Building baseline profiles will be a part of your MVP. You will understand what type of information you are addressing and label it accordingly. Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline.
Default M365 settings
Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline. This baseline assessment has a set of controls for key regulations and standards for data protection and general data governance.
SUPPORT ACTIVITIES
Retention Policy
Retention policy is auto-applied. Decide whether to retain content, delete content, or retain and then delete the content.
Sensitivity Labels
Automatically enforce policies on groups through labels; classify groups.
Workload Containers
M365: SharePoint, Teams, OneDrive, and Exchange, where your data is stored for labels and policies.
Unforced Policies
Written policies that are not enforceable by controls in Compliance Manager such as acceptable use policy.
Forced Policies
Restrict sharing controls to outside organizations. Enforce prefix or suffix to group or team names.
Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals.
Map your organizational goals to the administration features available in the Office 365 console. Your governance should reflect your requirements.
Jumping into an Office 365 migration project without careful thought of the risks of a cloud migration will lead to project halt and interruption. Intentionally plan in order to expose risk and to develop project foresight for a smooth migration.
Remote work calls for leveraging your Office 365 license to use Microsoft Teams – but IT is unsure about best practices for governance and permissions. Moreover, IT has few resources to help train end users with Teams best practices.
IT Governance, Risk & Compliance
Several blueprints are available on a broader topic of governance, from Make Your IT Governance Adaptable to Improve IT Governance to Drive Business Results and Build an IT Risk Management Program.
“Best practices for sharing files and folders with unauthenticated users.” Microsoft Build, 28 April 2022. Accessed 2 April 2022.
“Build and manage assessments in Compliance Manager.” Microsoft Docs, 15 June 2022. Web.
“Building a modern workplace with Microsoft 365.” Microsoft Inside Track, n.d. Web.
Crane, Robert. “June 2020 Microsoft 365 Need to Know Webinar.” CIAOPS, SlideShare, 26 June 2020. Web.
“Data Classification: Overview, Types, and Examples.” Simplilearn, 27 Dec. 2021. Accessed 11 April 2022.
“Data loss prevention in Exchange Online.” Microsoft Docs, 19 April 2022. Web.
Davies, Nahla. “5 Common Data Governance Challenges (and How to Overcome Them).” Dataversity, 25 October 2021. Accessed 5 April 2022.
“Default labels and policies to protect your data.” Microsoft Build, April 2022. Accessed 3 April 2022.
M., Peter. “Guide: The difference between Microsoft Backup and Retention.” AvePoint Blog, 9 Oct. 2021. Accessed 4 April 2022.
Meyer, Guillaume. “Sensitivity Labels: What They Are, Why You Need Them, and How to Apply Them.” nBold, 6 October 2021. Accessed 2 April 2022.
“Microsoft 365 guidance for security & compliance.” Microsoft, 27 April 2022. Accessed 28 April 2022.
“Microsoft Purview compliance portal.” Microsoft, 19 April 2022. Accessed 22 April 2022.
“Microsoft Purview compliance documentation.” Microsoft, n.d. Accessed 22 April 2022.
“Microsoft Trust Center: Products and services that run on trust.” Microsoft, 2022. Accessed 3 April 2022.
“Protect your sensitive data with Microsoft Purview.” Microsoft Build, April 2022. Accessed 3 April 2022.
Zimmergren, Tobias. “4 steps to successful cloud governance in Office 365.” Rencore, 9 Sept. 2021. Accessed 5 April 2022.
Our concise executive brief shows why you should create or refresh your business intelligence (BI) strategy. We'll show you our methodology and the ways we can help you in handling this.
Upon ordering you receive the complete guide with all files zipped.
Understand critical business information and analyze your current business intelligence landscape.
Assess your current maturity level and define the future state.
Create business intelligence focused initiatives for continuous improvement.