The First 100 Days As CIO

Partner with Info-Tech for success in this crucial period of transition.

Analyst Perspective

The first 100 days refers to the 10 days before you start and the first three months on the job.

“The original concept of ‘the first 100 days’ was popularized by Franklin Delano Roosevelt, who passed a battery of new legislation after taking office as US president during the Great Depression. Now commonly extended to the business world, the first 100 days of any executive role is a critically important period for both the executive and the organization.

But not every new leader should follow FDR’s example of an action-first approach. Instead, finding the right balance of listening and taking action is the key to success during this transitional period. The type of the organization and the mode that it’s in serves as the fulcrum that determines where the point of perfect balance lies. An executive facing a turnaround situation will want to focus on more action more quickly. One facing a sustaining success situation or a realignment situation will want to spend more time listening before taking action.” (Brian Jackson, Research Director, CIO, Info-Tech Research Group)

Executive summary

Situation

• You’ve been promoted from within to the role of CIO.
• You’ve been hired externally to take on the role of CIO.

Complication

Studies show that two years after a new executive transition, as many as half are regarded as failures or disappointments (McKinsey). First impressions are hard to overcome, and a CIO’s first 100 days are heavily weighted in terms of how others will assess their overall success. The best way to approach this period is determined by both the size and the mode of an organization.

Resolution

• Work with Info-Tech to prepare a 100-day plan that will position you for success.
• Collaborate to collect the details needed to identify the right mode for your organization and determine how it will influence your plan.
• Use Info-Tech’s diagnostic tools to align your vision with that of business executives and form a baseline for future reference.

Info-Tech Insight

1. Foundational understanding must be achieved before you start.
   Hit the ground running before day one by using company documents and initial discussions to pin down the company’s type and mode.
2. Listen before you act (usually).
   In most situations, executives benefit from listening to peers and staff before taking action.
3. Identify quick wins early and often.
   Fix problems as soon as you recognize them to set the tone for your tenure.

The First 100 Days: Roadmap

Concierge service overview

Organize a call with your executive advisor every two weeks during your first 100 days. Info-Tech recommends completing our diagnostics during this period. If you’re not able to do so, instead complete the alternative activities marked with (a).

Call 1

Before you start: Day -10 to Day 1

Interview your predecessor

Interviewing your predecessor can help identify the organization’s mode and type.

Before reaching out to your predecessor, get a sense of whether they were viewed as successful or not. Ask your manager. If the predecessor remains within the organization in a different role, understand your relationship with them and how you'll be working together.

During the interview, make notes about follow-up questions you'll ask others at the organization.

Ask these open-ended questions in the interview:

• Tell me about the team.
• Tell me about your challenges.
• Tell me about a major project your team worked on. How did it go?
• Who/what has been helpful during your tenure?
• Who/what created barriers for you?
• What do your engagement surveys reveal?
• Tell me about your performance management programs and issues.
• What mistakes would you avoid if you could lead again?
• Why are you leaving?
• Could I reach out to you again in the future?

Learn the corporate structure

Identify the organization’s corporate structure type based on your initial conversations with company leadership. The type of structure will dictate how much control you'll have as a functional head and help you understand which stakeholders you'll need to collaborate with.

To Do:

• Review the organization’s structure list and identify whether the structure is functional, prioritized, or a matrix. If it's a matrix organization, determine if it's a strong matrix (project manager holds more authority), weak matrix (functional manager holds more authority), or balanced matrix (managers hold equal authority).

This organization is a ___________________ type.

Presentation Deck, slide 6

Determine the mode of the organization: STARS

Based on your interview process and discussions with company leadership, and using Michael Watkins’ STARS assessment, determine which mode your organization is in: startup, turnaround, accelerated growth, realignment, or sustaining success.

Knowing the mode of your organization will determine how you approach your 100-day plan. Depending on the mode, you'll rebalance your activities around the three categories of assess, listen, and deliver.

To Do:

• Review the STARS table on the right.

Based on your situation, prioritize activities in this way:

• Startup: assess, listen, deliver
• Turnaround: deliver, listen, assess
• Accelerated Growth: assess, listen, deliver
• Realignment: listen, assess, deliver
• Sustaining success: listen, assess, deliver

This organization is a ___________________ type.

(Source: Watkins, 2013.)

Presentation Deck, slide 6

Determine the mode of the organization: STARS

Satya Nadella's listen, lead, and launch approach

CASE STUDY

Industry Software
Source Gregg Keizer, Computerworld, 2014

When Satya Nadella was promoted to the CEO role at Microsoft in 2014, he received a Glassdoor approval rating of 85% and was given an "A" grade by industry analysts after his first 100 days. What did he do right? Created a sense of urgency by shaking up the senior leadership team. Already understood the culture as an insider. Listened a lot and did many one-on-one meetings. Established a vision communicated with a mantra that Microsoft would be "mobile-first, cloud-first." Met his words with actions. He launched Office for iPad and made many announcements for cloud platform Azure.

Satya Nadella, CEO, Microsoft Corp. (Image source: Microsoft)

Listen to 'The First 100 Days' podcast – Alan Fong

Create a one-page introduction sheet to use in communications

As a new CIO, you'll have to introduce yourself to many people in the organization. To save time on communicating who you are as a person outside of the office, create a brief one-pager that includes a photo of you, where you were born and raised, and what your hobbies are. This helps make a connection more quickly so your conversations can focus on the business at hand rather than personal topics.

For your presentation deck, remove the personal details and just keep it professional. The personal aspects can be used as a one-pager for other communications. (Source: Personal interview with Denis Gaudreault, Country Lead, Intel.)

Presentation Deck, slide 5

Call 2

Day 1 to Day 15

Introduce yourself to your team

Prepare a 20-second pitch about yourself that goes beyond your name and title. Touch on your experience that's relevant to your new role or the industry you're in. Be straightforward about your own perceived strengths and weaknesses so that people know what to expect from you. Focus on the value you believe you'll offer the group and use humor and humility where you're comfortable. For example:

“Hi everyone, my name is John Miller. I have 15 years of experience marketing conferences like this one to vendors, colleges, and HR departments. What I’m good at, and the reason I'm here, is getting the right people, businesses, and great ideas in a room together. I'm not good on details; that's why I work with Tim. I promise that I'll get people excited about the conference, and the gifts and talents of everyone else in this room will take over from there. I'm looking forward to working with all of you.”

Have a structured set of questions ready that you can ask everyone.

For example:

• How well is the company performing based on expectations?
• What must the company do to sustain its financial performance and market competitiveness?
• How do you foresee the CIO contributing to the team?
• How have past CIOs performed from the perspective of the team?
• What would successful performance of this role look like to you? To your peers?
• What challenges and obstacles to success am I likely to encounter? What were the common challenges of my predecessor?
• How do you view the culture here and how do successful projects tend to get approved?
• What are your greatest challenges? How could I help you?

Get to know your sphere of influence: prepare to connect with a variety of people before you get down to work

Your ability to learn from others is critical at every stage in your first 100 days. Keep your sphere of influence in the loop as you progress through this period.

Write down the names, or at least the key people, in each segment of this diagram. This will serve as a quick reference when you're planning communications with others and will help you remember everyone as you're meeting lots of new people in your early days on the job.

• Everyone knows their networks are important.
• However, busy schedules can cause leaders to overlook their many audiences.
• Plan to meet and learn from all people in your sphere to gain a full spectrum of insights.

Presentation Deck, slide 29

Identify how your competitors are leveraging technology for competitive advantage

Competitor identification and analysis are critical steps for any new leader to assess the relative strengths and weaknesses of their organization and develop a sense of strategic opportunity and environmental awareness.

Today’s CIO is accountable for driving innovation through technology. A competitive analysis will provide the foundation for understanding the current industry structure, rivalry within it, and possible competitive advantages for the organization.

Surveying your competitive landscape prior to the first day will allow you to come to the table prepared with insights on how to support the organization and ensure that you are not vulnerable to any competitive blind spots that may exist in the evaluations conducted by the organization already.

You will not be able to gain a nuanced understanding of the internal strengths and weaknesses until you are in the role, so focus on the external opportunities and how competitors are using technology to their advantage.

Info-Tech Best Practice

For a more in-depth approach to identifying and understanding relevant industry trends and turning them into insights, leverage the following Info-Tech blueprints:

• Think Like a Futurist
• CIO Trend Report 2019

Presentation Deck, slide 9

Assess the external competitive environment

INPUT: External research

OUTPUT: Competitor array

1. Conduct a broad analysis of the industry as a whole. Seek to answer the following questions:
   1. Are there market developments or new markets?
   2. Are there industry or lifestyle trends, e.g. move to mobile?
   3. Are there geographic changes in the market?
   4. Are there demographic changes that are shaping decision making?
   5. Are there changes in market demand?
2. Create a competitor array by identifying and listing key competitors. Try to be as broad as possible here and consider not only entrenched close competitors but also distant/future competitors that may disrupt the industry.
3. Identify the strengths, weaknesses, and key brand differentiators that each competitor brings to the table. For each strength and differentiator, brainstorm ways that IT-based innovation enables each. These will provide a toolkit for deeper conversations with your peers and your business stakeholders as you move further into your first 100 days.

Complete the CEO-CIO Alignment Program

INPUT: CEO-CEO Alignment Program (recommended)

OUTPUT: Desired and target state of IT maturity, Innovation goals, Top priorities

Materials: Presentation Deck, slides 11-13

Participants: CEO, CIO

Introduce the concept of the CEO-CIO Alignment Program using slide 10 of your presentation deck and the brief email text below.

Talk to your advisory contact at Info-Tech about launching the program. More information is available on Info-Tech’s website.

Once the report is complete, import the results into your presentation:

• Slide 11, the CEO’s current and desired states
• Slide 12, IT innovation goals
• Slide 13, top projects and top departments from the CEO and the CIO

Include any immediate recommendations you have.

Hello CEO NAME,

I’m excited to get started in my role as CIO, and to hit the ground running, I’d like to make sure that the IT department is aligned with the business leadership. We will accomplish this using Info-Tech Research Group’s CEO-CIO Alignment Program. It’s a simple survey of 20 questions to be completed by the CEO and the CIO.

This survey will help me understand your perception and vision as I get my footing as CIO. I’ll be able to identify and build core IT processes that will automate IT-business alignment going forward and create an effective IT strategy that helps eliminate impediments to business growth.

Research shows that IT departments that are effectively aligned to business goals achieve more success, and I’m determined to make our IT department as successful as possible. I look forward to further detailing the benefits of this program to you and answering any questions you may have the next time we speak.

Regards,
CIO NAME

New KPIs for CEO-CIO Alignment — Recommended

Info-Tech CEO-CIO Alignment Program

Info-Tech's CEO-CIO Alignment Program is set up to build IT-business alignment in any organization. It helps the CIO understand CEO perspectives and priorities. The exercise leads to useful IT performance indicators, clarifies IT’s mandate and which new technologies it should invest in, and maps business goals to IT priorities.

Benefits

Master the Basics Cut through the jargon. Take a comprehensive look at the CEO perspective.	Target Alignment Identify how IT can support top business priorities. Address CEO-CIO differences.	Start on the Right Path Get on track with the CIO vision. Use correct indicators and metrics to evaluate IT from day one.

Additional materials are available on Info-Tech’s website.

The desired maturity level of IT — Alternative

Step 1: Where are we today? Determine where the CEO sees the current overall maturity level of the IT organization. Step 2: Where do we want to be as an organization? Determine where the CEO wants the IT organization to be in order to effectively support the strategic direction of the business.

Presentation Deck, slide 11

Tim Cook's powerful use of language

CASE STUDY

Industry Consumer technology
Source Carmine Gallo, Inc., 2019

Apple CEO Tim Cook, an internal hire, had big shoes to fill after taking over from the late Steve Jobs. Cook's ability to control how the company is perceived is a big credit to his success. How does he do it? His favorite five words are “The way I see it..." These words allow him to take a line of questioning and reframe it into another perspective that he wants to get across. Similarly, he'll often say, "Let me tell you the way I look at it” or "To put it in perspective" or "To put it in context." In your first two weeks on the job, try using these phrases in your conversations with peers and direct reports. It demonstrates that you value their point of view but are independently coming to conclusions about the situation at hand.

Tim Cook, CEO, Apple Inc. (Image source: Apple)

Listen to 'The First 100 Days' podcast – Denis Gaudreault

Inform your team that you plan to do an IT Management & Governance Diagnostic survey

Run the diagnostic program or use the alternative activities to complete your presentation

INPUT: IT Management & Governance Diagnostic (recommended)

OUTPUT: Process to improve first, Processes important to the business

Materials: Presentation Deck, slides 19-20

Participants: CIO, IT staff

Introduce the IT Management & Governance Diagnostic survey that will help you form your IT strategy.

Explain that you want to understand current IT capabilities and you feel a formal approach is best. You’ll also be using this approach as an important metric to track your department’s success. Tell them that Info-Tech Research Group will be conducting the survey and it’s important to you that they take action on the email when it’s sent to them.

Example email:

Hello TEAM,

I appreciate meeting each of you, and so far I’m excited about the talents and energy on the team. Now I need to understand the processes and capabilities of our department in a deeper way. I’d like to map our process landscape against an industry-wide standard, then dive deeper into those processes to understand if our team is aligned. This will help us be accountable to the business and plan the year ahead. Advisory firm Info-Tech Research Group will be reaching out to you with a simple survey that shouldn’t take too long to complete. It’s important to me that you pay attention to that message and complete the survey as soon as possible.

Regards,
CIO NAME

Call 3

Day 16 to Day 30

Leverage team interviews as a source of determining organizational culture

Info-Tech recommends that you hold group conversations with your team to uncover their opinions of the current organizational culture. This not only helps build transparency between you and your team but also gives you another means of observing behavior and reactions as you listen to team members’ characterizations of the current culture.

Note: It is inherently difficult for people to verbalize what constitutes a culture – your strategy for extracting this information will require you to ask indirect questions to solicit the highest value information.

Questions for Discussion:

• What about the current organizational environment do you think most contributes to your success?
• What barriers do you experience as you try to accomplish your work?
• What is your favorite quality that is present in our organization?
• What is the one thing you would most like to change about this organization?
• Do the organization's policies and procedures support your efforts to accomplish work or do they impede your progress?
• How effective do you think IT’s interactions are with the larger organization?
• What would you consider to be IT’s top three guiding principles?
• What kinds of people fail in this organization?

See Info-Tech’s Cultural Archetype Calculator.

Use the Competing Values Framework to define your organization’s cultural archetype

THE COMPETING VALUES FRAMEWORK (CVF):

CVF represents the synthesis of academic study of 39 indicators of effectiveness for organizations. Using a statistical analysis, two polarities that are highly predictive of differences in organizational effectiveness were isolated: Internal focus and integration vs. external focus and differentiation. Stability and control vs. flexibility and discretion. By plotting these dimensions on a matrix of competing values, four main cultural archetypes are identified with their own value drivers and theories of effectiveness.

Presentation Deck, slide 16

Create a cultural adjustment plan

Now that you've assessed the cultural archetype, you can plan an appropriate approach to shape the culture in a positive way. When new executives want to change culture, there are a few main options at hand:

Autonomous evolution: Encourage teams to learn from each other. Empower hybrid teams to collaborate and reward teams that perform well.

Planned and managed change: Create steering committee and project-oriented taskforces to work in parallel. Appoint employees that have cultural traits you'd like to replicate to hold responsibility for these bodies.

Cultural destruction: When a toxic culture needs to be eliminated, get rid of its carriers. Putting new managers or directors in place with the right cultural traits can be a swift and effective way to realign.

Each option boils down to creating the right set of incentives and deterrents. What behaviors will you reward and which ones will you penalize? What do those consequences look like? Sometimes, but not always, some structural changes to the team will be necessary. If you feel these changes should be made, it's important to do it sooner rather than later. (Source: “Enlarging Your Sphere of Influence in Your Organization,” MindTools Corporate, 2014.)

As you're thinking about shaping a desired culture, it's helpful to have an easy way to remember the top qualities you want to espouse. Try creating an acronym that makes it easy for staff to remember. For example: RISE could remind your staff to be Responsive, Innovative, Sustainable, and Engaging (RISE). Draw upon your business direction from your manager to help produce desired qualities (Source: Jennifer Schaeffer).

Presentation Deck, slide 17

Gary Davenport’s welcome “surprise”

CASE STUDY

Industry Telecom
Source Interview with Gary Davenport

After Gary Davenport was hired on as VP of IT at MTS Allstream, his first weekend on the job was spent at an all-executive offsite meeting. There, he learned from the CEO that the IT department had a budget reduction target of 25%, like other departments in the company. “That takes your breath away,” Davenport says. He decided to meet the CEO monthly to communicate his plans to reduce spending while trying to satisfy business stakeholders. His top priorities were: Stabilize IT after seven different leaders in a five-year period. Get the IT department to be respected. To act like business owners instead of like servants. Better manage finances and deliver on projects. During Davenport’s 7.5-year tenure, the IT department became one of the top performers at MTS Allstream.

Gary Davenport’s first weekend on the job at MTS Allstream included learning about a 25% reduction target. (Image source: Ryerson University)

Listen to 'The First 100 Days' podcast – David Penny & Andrew Wertkin

Initiate IT Management & Governance Diagnostic — Recommended

Info-Tech Management & Governance Diagnostic

Talk to your Info-Tech executive advisor about launching the survey shortly after informing your team to expect it. You'll just have to provide the names and email addresses of the staff you want to be involved. Once the survey is complete, you'll harvest materials from it for your presentation deck. See slides 19 and 20 of your deck and follow the instructions on what to include.

Benefits

Explore IT Processes Dive deeper into performance. Highlight problem areas.	Align IT Team Build consensus by identifying opposing views.	Ownership & Accountability Identify process owners and hold team members accountable.

Additional materials available on Info-Tech’s website.

Conduct a high-level analysis of current IT capabilities — Alternative

INPUT: Interviews with IT leadership team, Capabilities graphic on next slide

OUTPUT: High-level understanding of current IT capabilities

Run this activity if you're not able to conduct the IT Management & Governance Diagnostic.

Schedule meetings with your IT leadership team. (In smaller organizations, interviewing everyone may be acceptable.) Provide them a list of the core capabilities that IT delivers upon and ask them to rate them on an effectiveness scale of 1-5, with a short rationale for their score.

• 1. Not effective (NE)
• 2. Somewhat Effective (SE)
• 3. Effective (E)
• 4. Very Effective (VE)
• 5. Extremely Effective (EE)

Presentation Deck, slide 21

Use the following set of IT capabilities for your assessment

Quick wins: CEO-CIO Alignment Program

Complete this while waiting on the IT M&G survey results. Based on your completed CEO-CIO Alignment Report, identify the initiatives you can tackle immediately.

If you are here...	And want to be here...	Drive toward...	Innovate around...
Business Partner	Innovator	Leading business transformation	Emerging technologies Analytical capabilities Risk management Customer-facing tech Enterprise architecture
Trusted Operator	Business Partner	Optimizing business process and supporting business transformation	IT strategy and governance Business architecture Projects Resource management Data quality
Firefighter	Trusted Operator	Optimize IT processes and services	Business applications Service management Stakeholder management Work orders
Unstable	Firefighter	Reduce use disruption and adequately support the business	Network and infrastructure Service desk Security User devices

Call 4

Day 31 to Day 45

Inform your peers that you plan to do a CIO Business Vision survey to gauge your stakeholders’ satisfaction

Run the diagnostic program or use the alternative activities to complete your presentation

INPUT: CIO Business Vision survey (recommended)

OUTPUT: True measure of business satisfaction with IT

Materials: Presentation Deck, slide 30

Participants: CIO, IT staff

Meet the business leaders at your organization face-to-face if possible. If you can't meet in person, try a video conference to establish some rapport. At the end of your introduction and after listening to what your colleague has to say, introduce the CIO Business Vision Diagnostic.

Explain that you want to understand how to meet their business needs and you feel a formal approach is best. You'll also be using this approach as an important metric to track your department's success. Tell them that Info-Tech Research Group will be conducting the survey and it’s important to you that they take the survey when the email is sent to them.

Example email:

Hello PEER NAMES,

I'm arranging for Info-Tech Research Group to invite you to take a survey that will be important to me. The CIO Business Vision survey will help me understand how to meet your business needs. It will only take about 15 minutes of your time, and the top-line results will be shared with the organization. We will use the results to plan initiatives for the future that will improve your satisfaction with IT.

Regards,
CIO NAME

Gain feedback on your initial assessments from your IT team

There are two strategies for gaining feedback on your initial assessments of the organization from the IT team:

1. Review your personal assessments with the relevant members of your IT organization as a group. This strategy can help to build trust and an open channel for communication between yourself and your team; however, it also runs the risk of being impacted by groupthink.
2. Ask for your team to complete their own assessments for you to compare and contrast. This strategy can help extract more candor from your team, as they are not expected to communicate what may be nuanced perceptions of organizational weaknesses or criticisms of the way certain capabilities function.

Who you involve in this process will be impacted by the size of your organization. For larger organizations, involve everyone down to the manager level. In smaller organizations, you may want to involve everyone on the IT team to get an accurate lay of the land.

Areas for Review:

• Strategic Document Review: Are there any major themes or areas of interest that were not covered in my initial assessment?
• Competitor Array: Are there any initiatives in flight to leverage new technologies?
• Current State of IT Maturity: Does IT’s perception align with the CEO’s? Where do you believe IT has been most effective? Least effective?
• IT’s Key Priorities: Does IT’s perception align with the CEO’s?
• Key Performance Indicators: How has IT been measured in the past?

Info-Tech Best Practice

You need your team’s hearts and minds or you risk a short tenure. Overemphasizing business commitment by neglecting to address your IT team until after you meet your business stakeholders will result in a disenfranchised group. Show your team their importance.

Susan Bowen's talent maximization

CASE STUDY

Industry Infrastructure Services
Source Interview with Susan Bowen

Susan Bowen was promoted to be the president of Cogeco Peer 1, an infrastructure services firm, when it was still a part of Cogeco Communications. Part of her mandate was to help spin out the business to a new owner, which occurred when it was acquired by Digital Colony. The firm was renamed Aptum and Bowen was put in place as CEO, which was not a certainty despite her position as president at Cogeco Peer 1. She credits her ability to put the right talent in the right place as part of the reason she succeeded. After becoming president, she sought a strong commitment from her directors. She gave them a choice about whether they'd deliver on a new set of expectations – or not. She also asks her leadership on a regular basis if they are using their talent in the right way. While it's tempting for directors to want to hold on to their best employees, those people might be able to enable many more people if they can be put in another place. Bowen fully rounded out her leadership team after Aptum was formed. She created a chief operating officer and a chief infrastructure officer. This helped put in place more clarity around roles at the firm and put an emphasis on client-facing services.

Susan Bowen, CEO, Aptum (Image source: Aptum)

Listen to 'The First 100 Days' podcast – Susan Bowen

Initiate CIO Business Vision survey – new KPIs for stakeholder management — Recommended

Info-Tech CIO Business Vision

Be sure to effectively communicate the context of this survey to your business stakeholders before you launch it. Plan to talk about your plans to introduce it in your first meetings with stakeholders. When ready, let your executive advisor know you want to launch the tool and provide the names and email addresses of the stakeholders you want involved. After you have the results, harvest the materials required for your presentation deck. See slide 30 and follow the instructions on what to include.

Benefits

Key Stakeholders Clarify the needs of the business.	Credibility Create transparency.	Improve Measure IT’s progress.	Focus Find what’s important.

Additional materials are available on Info-Tech’s website.

Create a catalog of key stakeholder details to reference prior to future conversations — Alternative

Only conduct this activity if you’re not able to run the CIO Business Vision diagnostic.

Use the Organizational Catalog as a personal cheat sheet to document the key details around each of your stakeholders, including your CEO when possible.

The catalog will be an invaluable tool to keep the competing needs of your different stakeholders in line, while ensuring you are retaining the information to build the political capital needed to excel in the C-suite.

Note: It is important to keep this document private. While you may want to communicate components of this information, ensure your catalog remains under lock and (encryption) key.

Info-Tech Insight

While profiling your stakeholders is important, do not be afraid to profile yourself as well. Visualizing how your interests overlap with those of your stakeholders can provide critical information on how to manage your communications so that those on the receiving end are hearing exactly what they need.

Activity: Conduct interviews with your key business stakeholders — Alternative

1. Once you have identified your key stakeholders through your interviews with your boss and your IT team, schedule a set of meetings with those individuals.
2. Use the meetings to get to know your stakeholders, their key priorities and initiatives, and their perceptions of the effectiveness of IT.
   1. Use the probative questions to the right to elicit key pieces of information.
   2. Refer to the Organizational Catalog tool for more questions to dig deeper in each category. Ensure that you are taking notes separate from the tool and are keeping the tool itself secure, as it will contain private information specific to your interests.
3. Following each meeting, record the results of your conversation and any key insights in the Organizational Catalog. Refer to the following slide for more details.

Questions for Discussion:

• Be indirect about your personal questions – share stories that will elicit details about their interests, kids, etc.
• What are your most critical/important initiatives for the year?
• What are your key revenue streams, products, and services?
• What are the most important ways that IT supports your success? What is your satisfaction level with those services?
• Are there any current in-flight projects or initiatives that are a current pain point? How can IT assist to alleviate challenges?
• How is your success measured? What are your targets for the year on those metrics?

Presentation Deck, slide 34

Call 5

Day 46 to Day 60

Inform your team that you plan to do an IT staffing assessment

Introduce the IT Staffing Assessment that will help you get the most out of your team

INPUT: Email template

OUTPUT: Ready to launch diagnostic

Materials: Email template, List of staff, Sample of diagnostic

Participants: CIO, IT staff

Explain that you want to understand how the IT staff is currently spending its time by function and by activity. You want to take a formal approach to this task and also assess the team’s feelings about its effectiveness across different processes. The results of the assessment will serve as the foundation that helps you improve your team’s effectiveness within the organization.

Example email:

Hello PEER NAMES,

The feedback I've heard from the team since joining the company has been incredibly useful in beginning to formulate my IT strategy. Now I want to get a clear picture of how everyone is spending their time, especially across different IT functions and activities. This will be an opportunity for you to share feedback on what we're doing well, what we need to do more of, and what we're missing. Expect to receive an email invitation to take this survey from Info-Tech Research Group. It's important to me that you complete the survey as soon as you're can. Attached you’ll find an example of the report this will generate. Thank you again for providing your time and feedback.

Regards,
CIO NAME

Wayne Berger's shortcut to solve staffing woes

CASE STUDY

Industry Office leasing
Source Interview with Wayne Berger

Wayne Berger was hired to be the International Workplace Group (IWG) CEO for Canada and Latin America in 2014. Wayne approached his early days with the office space leasing firm as a tour of sorts, visiting nearly every one of the 48 office locations across Canada to host town hall meetings. He heard from staff at every location that they felt understaffed. But instead of simply hiring more staff, Berger actually reduced the workforce by 33%. He created a more flexible approach to staffing: Employees no longer just reported to work at one office; instead, they were ready to go to wherever they were most needed in a specific geographic area. He centralized all back-office functions for the company so that not every office had to do its own bookkeeping. Finally, he changed the labor profile to consist of full-time staff, part-time staff, and time-on-demand workers.

Wayne Berger, CEO, IWG Plc (Image source: IWG)

Listen to 'The First 100 Days' podcast – Wayne Berger

Initiate IT Staffing Assessment – new KPIs to track IT performance — Recommended

Info-Tech IT Staffing Assessment

Info-Tech’s IT Staffing Assessment provides benchmarking of key metrics against 4,000 other organizations. Dashboard-style reports provide key metrics at a glance, including a time breakdown by IT function and by activity compared against business priorities. Run this survey at about the 45-day mark of your first 90 days. Its insights will be used to inform your long-term IT strategy.

Benefits

Right-Size IT Headcount Find the right level for stakeholder satisfaction.	Allocate Staff Correctly Identify staff misalignments with priorities.	Maximize Teams Identify how to drive staff.

Additional materials are available on Info-Tech’s website.

Quick wins: Make recommendations based on IT Management & Governance Framework

Complete this exercise while waiting on the IT Staffing Assessment results. Based on your completed IT Management & Governance report, identify the initiatives you can tackle immediately. You can conduct this as a team exercise by following these steps:

1. Create a shortlist of initiatives based on the processes that were identified as high need but scored low in effectiveness. Think as broadly as possible during this initial brainstorming.
2. Write each initiative on a sticky note and conduct a high-level analysis of the amount of effort that would be required to complete it, as well as its alignment with the achievement of business objectives.
3. Draw the matrix below on a whiteboard and place each sticky note onto the matrix based on its potential impact and difficulty to address.

Call 6

Day 61 to Day 75

Run a start, stop, continue exercise with your IT staff — Alternative

This is an alternative activity to running an IT Staffing Assessment, which contains a start/stop/continue assessment. This activity can be facilitated with a flip chart or a whiteboard. Create three pages or three columns and label them Start, Stop, and Continue.

Hand out sticky notes to each team member and then allow time for individual brainstorming. Instruct them to write down their contributions for each category on the sticky notes. After a few minutes, have everyone stick their notes in the appropriate category on the board. Discuss as a group and see what themes emerge. Record the results that you want to share in your presentation deck (GroupMap).

Gather your team and explain the meaning of these categories:

Start: Activities you're not currently doing but should start doing very soon.

Stop: Activities you're currently doing but aren’t working and should cease.

Continue: Things you're currently doing and are working well.

Presentation Deck, slide 24

Determine the alignment of IT commitments with business objectives

INPUT: Interviews with IT leadership team

OUTPUT: High-level understanding of in-flight commitments and investments

Run this only as an alternative to the IT Management & Governance Diagnostic.

1. Schedule meetings with IT leadership to understand what commitments have been made to the business in terms of new products, projects, or enhancements.
2. Determine the following about IT’s current investment mix:
   1. What are the current IT investments and assets? How do they align to business goals?
   2. What investments in flight are related to which information assets?
   3. Are there any immediate risks identified for these key investments?
   4. What are the primary business issues that demand attention from IT consistently?
   5. What choices remain undecided in terms of strategic direction of the IT organization?
3. Document your key investments and commitments as well as any points of misalignment between objectives and current commitments as action items to address in your long-term plans. If they are small fixes, consider them during your quick-win identification.

Presentation Deck, slide 25

Determine the alignment of IT commitments with business objectives

Run this only as an alternative to the IT Staffing Assessment diagnostic.

Schedule meetings with IT leadership to understand what commitments have been made to the business in terms of new products, projects, or enhancements.

Determine the following about IT’s current investment mix:

• What are the current IT investments and assets?
• How do they align to business goals?
• What in-flight investments are related to which information assets?
• Are there any immediate risks identified for these key investments?
• What are the primary business issues that demand attention from IT consistently?
• What remains undecided in terms of strategic direction of the IT organization?

Document your key investments and commitments, as well as any points of misalignment between objectives and current commitments, as action items to address in your long-term plans. If they are small-effort fixes, consider them during your quick-win identification.

Presentation Deck, slide 25

Make a categorized vendor list by IT process

As part of learning the IT team, you should also create a comprehensive list of vendors under contract. Collaborate with the finance department to get a clear view of how much of the IT budget is spent on specific vendors. Try to match vendors to the IT processes they serve from the IT M&G framework.

You should also organize your vendors based on their budget allocation. Go beyond just listing how much money you’re spending with each vendor and categorize them into either “transactional” relationships or “strategic relationships.” Use the grid below to organize them. Ideally, you’ll want most relationships to be high spend and strategic (Source: Gary Davenport).

Where to source your vendor list:

• Finance department
• Infrastructure managers
• Vendor manager in IT

Further reading: Manage Your Vendors Before They Manage You

Presentation Deck, slide 26

Jennifer Schaeffer’s short-timeline turnaround

CASE STUDY

Industry Education
Source Interview with Jennifer Schaeffer

Jennifer Schaeffer joined Athabasca University as CIO in November 2017. She was entering a turnaround situation as the all-online university lacked an IT strategy and had built up significant technical debt. Armed with the mandate of a third-party consultant that was supported by the president, Schaeffer used a people-first approach to construct her strategy. She met with all her staff, listening to them carefully regardless of role, and consulted with the administrative council and faculty members. She reflected that feedback in her plan or explained to staff why it wasn’t relevant for the strategy. She implemented a “strategic calendaring” approach for the organization, making sure that her team members were participating in meetings where their work was assessed and valued. Drawing on Spotify as an inspiration, she designed her teams in a way that everyone was connected to the customer experience. Given her short timeline to execute, she put off a deep skills analysis of her team for a later time, as well as creating a full architectural map of her technology stack. The outcome is that 2.5 years later, the IT department is unified in using the same tooling and optimization standards. It’s more flexible and ready to incorporate government changes, such as offering more accessibility options.

Jennifer Schaeffer took on the CIO role at Athabasca University in 2017 and was asked to create a five-year strategic plan in just six weeks. (Image source: Athabasca University)

Listen to 'The First 100 Days' podcast – Eric Wright

Call 7

Day 76 to Day 90

Finalize your vision – mission – values statement

A clear statement for your values, vision, and mission will help crystallize your IT strategy and communicate what you're trying to accomplish to the entire organization.

Mission: This statement describes the needs that IT was created to meet and answers the basic question of why IT exists.

Vision: Write a statement that captures your values. Remember that the vision statement sets out what the IT organization wants to be known for now and into the future.

Values: IT core values represent the standard axioms by which the IT department operates. Similar to the core values of the organization as a whole, IT’s core values are the set of beliefs or philosophies that guide its strategic actions.

Further reading: IT Vision and Mission Statements Template

Presentation Deck, slide 42

John Chen's new strategic vision

CASE STUDY

Industry Mobile Services
Source Sean Silcoff, The Globe and Mail

John Chen, known in the industry as a successful turnaround executive, was appointed BlackBerry CEO in 2014 following the unsuccessful launch of the BlackBerry 10 mobile operating system and a new tablet. He spent his first three months travelling, talking to customers and suppliers, and understanding the company's situation. He assessed that it had a problem generating cash and had made some strategic errors, but there were many assets that could benefit from more investment. He was blunt about the state of BlackBerry, making cutting observations of the past mistakes of leadership. He also settled a key question about whether BlackBerry would focus on consumer or enterprise customers. He pointed to a base of 80,000 enterprise customers that accounted for 80% of revenue and chose to focus on that. His new mission for BlackBerry: to transform it from being a "mobile technology company" that pushes handset sales to "a mobile solutions company" that serves the mobile computing needs of its customers.

John Chen, CEO of BlackBerry, presents at BlackBerry Security Summit 2018 in New York City (Image source: Brian Jackson)

Listen to 'The First 100 Days' podcast – Erin Bury

Quick wins: Make recommendations based on the CIO Business Vision survey

Based on your completed CIO Business Vision survey, use the IT Satisfaction Scorecard to determine some initiatives. Focus on areas that are ranked as high importance to the business but low satisfaction. While all of the initiatives may be achievable given enough time, use the matrix below to identify the quick wins that you can focus on immediately. It’s important to not fail in your quick-win initiative.

• High Visibility, Low Risk: Best bet for demonstrating your ability to deliver value.
• Low Visibility, Low Risk: Worth consideration, depending on the level of effort required and the relative importance to the stakeholder.
• High Visibility, High Risk: Limit higher-risk initiatives until you feel you have gained trust from your stakeholders, demonstrating your ability to deliver.
• Low Visibility, High Risk: These will be your lowest value, quick-win initiatives. Keep them in a backlog for future consideration in case business objectives change.

Presentation Deck, slide 27

Create and communicate a post-100 plan

The last few slides of your presentation deck represent a roundup of all the assessments you’ve done and communicate your plan for the months ahead.

Slide 38. Based on the information on the previous slide and now knowing which IT capabilities need improvement and which business priorities are important to support, estimate where you'd like to see IT staff spend their time in the near future. Will you be looking to shift staff from one area to another? Will you be looking to hire staff?

Slide 39. Take your IT M&G initiatives from slide 19 and list them here. If you've already achieved a quick win, list it and mark it as completed to show what you've accomplished. Briefly outline the objectives, how you plan to achieve the result, and what measurement will indicate success.

Slide 40. Reflect your CIO Business Vision initiatives from slide 31 here.

Slide 41. Use this roadmap template to list your initiatives by roughly when they’ll be worked on and completed. Plan for when you’ll update your diagnostics.

Expert Contributors

	Alan Fong, Chief Technology Officer, Dealer-FX
	Andrew Wertkin, Chief Strategy Officer, BlueCat Networks David Penny, Chief Technology Officer, BlueCat Networks
	Susan Bowen, CEO, Aptum

	Erin Bury, CEO, Willful
	Denis Gaudreault, Country Manager, Intel Canada and Latin America
	Wayne Berger, CEO, IWG Plc

	Eric Wright, CEO, LexisNexis Canada
	Gary Davenport, past president of CIO Association” of Canada, former VP of IT, Enterprise Solutions Division, MTS AllStream
	Jennifer Schaeffer, VP of IT and CIO, Athabasca University

Bibliography

Beaudan, Eric. “Do you have what it takes to be an executive?” The Globe and Mail, 9 July 2018. Web.

Bersohn, Diana. “Go Live on Day One: The Path to Success for a New CIO.” PDF document. Accenture, 2015. Web.

Bradt, George. “Executive Onboarding When Promoted From Within To Follow A Successful Leader.” Forbes, 15 Nov. 2018. Web.

“CIO Stats: Length of CIO Tenure Varies By Industry.” CIO Journal, The Wall Street Journal. 15 Feb. 2017. Web.

“Enlarging Your Sphere of Influence in Your Organization: Your Learning and Development Guide to Getting People on Side.” MindTools Corporate, 2014.

“Executive Summary.” The CIO's First 100 Days: A Toolkit. PDF document. Gartner, 2012. Web.

Forbes, Jeff. “Are You Ready for the C-Suite?” KBRS, n.d. Web.

Gallo, Carmine. “Tim Cook Uses These 5 Words to Take Control of Any Conversation.” Inc., 9 Aug. 2019. Web.

Giles, Sunnie. “The Most Important Leadership Competencies, According to Leaders Around the World.” Harvard Business Review, 15 March 2016. Web.

Godin, Seth. “Ode: How to tell a great story.” Seth's Blog. 27 April 2006. Web.

Green, Charles W. “The horizontal dimension of race: Social culture.” Hope College Blog Network, 19 Oct. 2014. Web.

Hakobyan, Hayk. “On Louis Gerstner And IBM.” Hayk Hakobyan, n.d. Web.

Bibliography

Hargrove, Robert. Your First 100 Days in a New Executive Job, edited by Susan Youngquist. Kindle Edition. Masterful Coaching Press, 2011.

Heathfield, Susan M. “Why ‘Blink’ Matters: The Power of Your First Impressions." The Balance Careers, 25 June 2019. Web.

Hillis, Rowan, and Mark O'Donnell. “How to get off to a flying start in your new job.” Odgers Berndtson, 29 Nov. 2018. Web.

Karaevli, Ayse, and Edward J. Zajac. “When Is an Outsider CEO a Good Choice?” MIT Sloan Management Review, 19 June 2012. Web.

Keizer, Gregg. “Microsoft CEO Nadella Aces First-100-Day Test.” Computerworld, 15 May 2014. Web.

Keller, Scott, and Mary Meaney. “Successfully transitioning to new leadership roles.” McKinsey & Company, May 2018. Web.

Kress, R. “Director vs. Manager: What You Need to Know to Advance to the Next Step.” Ivy Exec, 2016. Web.

Levine, Seth. “What does it mean to be an ‘executive’.” VC Adventure, 1 Feb. 2018. Web.

Lichtenwalner, Benjamin. “CIO First 90 Days.” PDF document. Modern Servant Leader, 2008. Web.

Nawaz, Sabina. “The Biggest Mistakes New Executives Make.” Harvard Business Review, 15 May 2017. Web.

Pruitt, Sarah. “Fast Facts on the 'First 100 Days.‘” History.com, 22 Aug. 2018. Web.

Rao, M.S. “An Action Plan for New CEOs During the First 100 Days.” Training, 4 Oct. 2014. Web.

Reddy, Kendra. “It turns out being a VP isn't for everyone.” Financial Post, 17 July 2012. Web.

Silcoff, Sean. “Exclusive: John Chen’s simple plan to save BlackBerry.” The Globe & Mail, 24 Feb. 2014. Web.

Bibliography

“Start Stop Continue Retrospective.” GroupMap, n.d. Web.

Surrette, Mark. “Lack of Rapport: Why Smart Leaders Fail.” KBRS, n.d. Web.

“Understanding Types of Organization – PMP Study.” Simplilearn, 4 Sept. 2019. Web.

Wahler, Cindy. “Six Behavioral Traits That Define Executive Presence.” Forbes, 2 July 2015. Web.

Watkins, Michael D. The First 90 Days, Updated and Expanded. Harvard Business Review Press, 2013.

Watkins, Michael D. “7 Ways to Set Up a New Hire for Success.” Harvard Business Review, 10 May 2019. Web.

“What does it mean to be a business executive?” Daniels College of Business, University of Denver, 12 Aug. 2014. Web.

Yeung, Ken. “Turnaround: Marissa Mayer’s first 300 days as Yahoo’s CEO.” The Next Web, 19 May 2013. Web.

Social Media Management Software Selection Guide

Identify the best tools for your social media management needs.

Analyst Perspective

Connecting through social media is an essential way to understand and engage with your customers.

Social media management platforms (SMMP) allow businesses to engage with customers more efficiently. Ten years ago, Facebook and Twitter dominated the social media space, but many alternatives have emerged that attract a wide variety of audiences today. Every social media platform has a unique demographic; for instance, LinkedIn attracts an audience looking to develop their professional career, while Snapchat attracts those who want to share their everyday casual experience.

It is important for businesses and brands to engage with all kinds of audiences without alienating a certain group. Domino's, for example, can sell pizzas to business professionals and teenagers alike, so connecting with both customer segments via personalized and meaningful posts in their preferred platform is a great way to grow their business.

To successfully implement a social media management platform, organizations need to ensure they have their requirements and business needs shortlisted and choose vendors that ensure the best return on investment (ROI).

Sai Krishna Rajaramagopalan
Research Specialist, Customer Experience & Application Insights
Info-Tech Research Group

Executive Summary

Your Challenge

• Social media has changed the way businesses interact with customers. It is essential to engage with your them regularly and in a timely manner.
• Businesses must stay on top of the latest news and update the public regarding any downtime or mishaps.
• Customers are present on multiple social media platforms, and businesses need to engage all audiences without neglecting or alienating any one group.

Common Obstacles

• There are many social media platforms, and any post, image, or other content must be uploaded on every platform with minimal delay.
• It is often difficult to manage audience interaction on all social media platforms in a timely manner.
• Measuring key performance metrics is crucial to obtaining the targeted ROI. Calculating ROI across multiple platforms with varying audiences is a challenge.

Info-Tech's Approach

• Social media presence is an extension of the organization, and the social media management strategy must align with organizational values.
• Understand your feature requirements and don't for bells and whistles. Vendors offer many features that are not helpful during 80% of day-to-day activities. Choose the SMMP that is right for your organization's needs.
• Ensure the SMMP has support and integrations for all the platforms that you require.

Info-Tech Insight

Choosing a good SMMP is only the first step. Having great social media managers who understand their audience is essential in maintaining a healthy relationship with your audience.

Guided Implementation

What does a typical GI on this topic look like?

A Guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

The SMMP selection process should be broken into segments:

1. SMMP shortlisting with this buyer's guide
2. Structured approach to selection
3. Contract review

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

What exactly is an SMMP platform?

A social media management platform is a software solution that enables businesses and brands to manage multiple social media accounts. It facilitates making posts, monitoring metrics, and engaging with your audience.

An SMMP platform offers many key features, including but not limited to the following capabilities:

• Integrate with popular social media platforms
• Post images, text, videos on multiple platforms at once
• Schedule posts
• Track and monitor activity on social media accounts
• Send replies and view likes and comments across all accounts
• Reporting and analytics
• Send alerts and notifications regarding key events
• Multilingual support and translation

Info-Tech Insight

Social media management platforms have continuously expanded their features list. It is, however, essential not to get lost in endless features to remain competitive and ensure the best ROI.

Key trends – short-form videos drive the most engagement

Short-form videos

Short-form videos are defined as videos less than two minutes long. Shorter videos take substantially less time and effort to consume, making them very attractive for marketing brands to end users. According to a study conducted by Vidyard, more than 50% of viewers end up watching an entire video if it's less than one minute. Another study finds that over 93% of the surveyed brands sold their product or service to a customer through a social media video.

Popular social media platforms such as TikTok, Instagram, YouTube etc. have caught on to this trend and introduced short-form videos, more commonly called "shorts". It's also common for content creators and brands to cut and upload short clips from longer videos to drive more engagement with viewers.

Key Trends

Short-form videos have higher viewership and view time compared to long videos.

Key trends – influencer marketing

Influencer marketing

Influencer marketing is the collaboration of brands with online influencers and content creators across various social media platforms to market their products and services. Influencers are not necessarily celebrities; they can be any individual with a dedicated community. This makes influencers abundant. For instance, compare the number of popular football players with the number of YouTubers on the planet.

Unlike traditional marketing methods, influencer marketing is effective across different budget levels. This is because the engagement level of small influencers with 10,000 followers is higher than the engagement level of large influencers with millions of followers. If a brand is budget conscious, working with smaller influencers still gives a good ROI. For every dollar spent on influencer marketing, the average ROI is $5.78.

Key Trends

Executive Brief Case Study

INDUSTRY: Retail
SOURCE: "5 Influencer Marketing Case Studies," HubSpot

H&M

H&M was looking to build awareness and desirability around the brand to drive clothing sales during the holiday season. They decided to partner with influencers and align content with each celebrity's personality and lifestyle to create authentic content and messaging for H&M. H&M selected four lesser-known celebrities with highly engaged and devoted social media followings: Tyler Posey, Peyton List, Jana Kramer, and Hannah Simone.

They posted teaser clips across various platforms to create buzz about the campaign a couple of days before the full, one-minute videos were released. Presenting the content two different times enabled H&M to appeal to more viewers and increase the campaign's visibility. Two of the celebrities, List and Kramer, garnered more views and engagement on the short clip than the full video, highlighting that a great short clip can be more effective than long-form content.

Results

The campaign achieved 12 million views on YouTube, 1.3 million likes, 14,000 comments, and 19,000 shares. The average engagement with consumers across all four celebrities was 10%.

Tyler Posey's sponsored video achieved:

• 25% engagement rate on Instagram
• 14% engagement rate across Facebook, Twitter, and Instagram

Key trends – social commerce is the future of e-commerce

Social commerce

Social commerce is the selling of goods and services through social media. This may involve standalone stores on social media platforms or promotions on these platforms which link to traditional e-commerce platforms.

Social media platforms contain more data about consumers than traditional platforms, which allows more accurate targeting of ads and promotions. Additionally, social commerce can place ads on popular influencer stories and posts, taking advantage of influencer marketing without directly involving the influencers.

Popular platforms have opened their own built-in stores. Facebook created Marketplace and Facebook Shops. TikTok soon followed with the TikTok Shopping suite. These stores allow platforms to lower third-party costs and have more control over which products are featured. This also creates a transactional call to action without leaving social media.

Key Trends

2020 saw a sizable increase in social commerce occurring on social media networks, with users making purchases directly from their social accounts.

Executive Brief Case Study

BestBuy

The Twitter Shop Module allows select brands to showcase products at the top of Twitter business profiles. Users can scroll through a carousel of products on a brand's profile and tap on individual products to read more and make purchases without leaving the platform.

While the results of Twitter's Shop Module experiment are still pending, brands aren't waiting around to sell on the platform. Best Buy and others continue to link to well-formatted product pages directly in their Tweets.

Clear, direct calls to action such as "Pick yours up today" encourage interested audiences to click through, learn more, and review options for purchase. In this social commerce example, Best Buy also makes optimal use of a Tweet's character limit. In just a few words, the brand offers significant savings for a high-quality product, then doubles down with a promotional trade-in offer. Strong imagery is the icing on the cake.

INDUSTRY: Retail
SOURCE: "5 genius social commerce examples," Sprout Social, 2021

Key trends – social media risk management is crucial

Crisis management

Crisis management is the necessary intervention from an organization when negative news spreads across social media platforms. With how interconnected people are due to social media, news can quickly spread across different platforms.

Organizations must be prepared for difficult situations such as negative feedback for a product or service, site outages, real-world catastrophes or disasters, and negative comments toward the social media handle. There are tools that organizations can use to receive real-time updates and be prepared for extreme situations.

While the causes are often beyond control, organizations can prepare by setting up a well-constructed crisis management strategy.

Key Trends

Executive Brief Case Study

INDUSTRY: Apparel
SOURCE: “Social Media Crisis Management 3 Examples Done Right,” Synthesio

Nike

On February 20, 2019, Zion Williamson, a star player from Duke University, suffered a knee injury when a malfunctioning Nike shoe fell apart. This accident happened less than a minute into a highly anticipated game against North Carolina. Media outlets and social media users quickly began talking. ESPN had broadcast the game nationally. On Twitter, former President Barack Obama, who was watching the game courtside, expressed his well-wishes to Williamson, as did NBA giants like LeBron James.

This accident was so high profile that Nike stock dropped 1.7% the following day. Nike soon released a statement expressing its concern and well-wishes for Williamson. The footwear megabrand reassured the world that its teams were "working to identify the issue." The following day, Nike sent a team to Durham, North Carolina, where the game took place. This team then visited Nike's manufacturing site in China and returned with numerous suggestions.

About a month later, Williamson returned to the court with custom shoes, which he told reporters were "incredible." He thanked Nike for creating them.

Get to know the key players in the SMMP landscape

These next slides provide a top-level overview of the popular players you will encounter in the SMMP shortlisting process.

Evaluate software category leaders through vendor rankings and awards

SoftwareReviews

	The data quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions. Vendors are ranked by their composite score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.
	The emotional footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions. Vendors are ranked by their customer experience (CX) score, which combines the overall emotional footprint rating with a measure of the value delivered by the solution.

Speak with category experts to dive deeper into the vendor landscape

SoftwareReviews

Fact-based reviews of business software from IT professionals.

Product and category reports with state-of-the-art data visualization.

Top-tier data quality backed by a rigorous quality assurance process.

User-experience insight that reveals the intangibles of working with a vendor.

SoftwareReviews is powered by Info-Tech

Technology coverage is a priority for Info-Tech and SoftwareReviews provides the most comprehensive unbiased data on today's technology. Combined with the insight of our expert analysts, our members receive unparalleled support in their buying journey.

Est. 2006 | MA, USA | NYSE: HUBS

bio

From attracting visitors to closing customers, HubSpot brings the entire marketing funnel together for less hassle, more control, and an inbound marketing strategy.

SoftwareReviews' SMMP Rankings

Strengths:

• Extensive functionality
• Great for midmarket and large enterprises
• Offers free trial

Areas to improve:

• Comparatively expensive
• Steep price increase between various tiers of offering

*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.

HubSpot offers a robust social media management platform that enables organizations to run all social media campaigns from a central location. HubSpot is suitable for a range of midmarket and enterprise use cases. HubSpot offers a free base version of the platform that freelancers and start-ups can take advantage of. The free version can also be used to trial the product prior to deciding on purchase.

However, HubSpot is relatively expensive compared to its competitors. The free tools are not sustainable for growing businesses and some essential features are locked behind professional pricing. The price increase from one tier to another – specifically from starter to professional – is steep, which may discourage organizations looking for a "cheap and cheerful" product.

History

Starter Starts at $45 Per month Small businesses Professional Starts at $800 Per month Medium/large businesses Enterprise Starts at $3600 Per month Large enterprises

Est. 2010 | IL, USA | NASDAQ: SPT

bio

People increasingly turn to social media to engage with your business. Sprout Social provides powerful tools to personally connect with customers, solve issues, and create brand advocates.

SoftwareReviews' SMMP Rankings

Strengths:

• Automated response feature
• Great price for base offering

Areas to improve:

• Advanced features are very expensive
• No free trial offered

*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.

Sprout Social offers strong social feed management and social customer service capabilities. It also provides powerful analytical tools to monitor multiple social media accounts. The listening functionality helps discover trends and identify gaps and opportunities. It is also one of the very few platforms to provide automated responses to incoming communications, easing the process of managing large and popular brands.

Although the starting price of each tier is competitive, advanced analytics and listening come at a steep additional cost. Adding one additional user to the professional tier costs $299 which is a 75% increase in cost. Sprout Social does not offer a free tier for small businesses to trial.

History

Standard Starts at $249 Per month Small businesses Five social profiles Professional Starts at $399 Per month Medium/large businesses Advanced Starts at $499 Per month Medium/large businesses Enterprise Opaque pricing Request a quote Large enterprises

Est. 2008 | BC, CANADA |PRIVATE

bio

Manage social networks, schedule messages, engage your audiences, and measure ROI right from the dashboard.

SoftwareReviews' SMMP Rankings

Strengths:

• Automatic scheduling functionality
• Competitor analysis
• 30-day free trial

Areas to improve:

• Advanced functionalities require additional purchase and are expensive

*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.

Hootsuite is one of the largest players in the social media management space with over 18 million users. The solution has great functionality covering all the popular social media platforms like Facebook, Instagram, Twitter, and Pinterest. One popular and well-received feature is the platform’s ability to schedule posts in bulk. Hootsuite also provides an automatic scheduling feature that uses algorithms to determine the optimal time to post to maximize viewership and engagement. Additionally, the platform can pull analytics for all competitors in the same marketspace as the user to compare performance.

Hootsuite offers buyers a 30-day free trial to familiarize with the platform and provides unlimited post scheduling across all their plans. Features like social listening, employee advocacy, and ROI reporting, however, are not included in these plans and require additional purchase.

History

Professional Starts at $49* Per month 1 user and 10 social accounts Team Starts at $249* Per month 3 users and 20 social accounts Business Starts at $739* Per month 5 users and 35 social accounts Enterprise Custom built and priced Starts at 5 users and 50 social accounts

Est. 2009 | NY, USA | NYSE: CXM

bio

With social engagement & sales, you can deliver a positive experience that's true to your brand - no matter where your customers are digitally - from a single, unified platform.

SoftwareReviews' SMMP Rankings

Strengths

• Extensive social analytics functionality
• Advertising and sales capabilities

Areas to improve:

• Not suitable for small to medium businesses
• Opaque pricing

Sprinklr is a vendor focused on enterprise-grade capabilities that offers a comprehensive unified customer experience management (CXM) platform.

Their product portfolio offers an all-in-one solution set with an extensive list of features to accommodate all marketing and communication needs. Sprinklr comes integrated with products consisting of advertising, marketing, engagement, and sales capabilities. Some of the key functionality specific to social media includes sentiment analysis, social reporting, advanced data filtering, alerts and notifications, competitor analysis, post performance, and hashtag analysis.

History

Sprinklr – Opaque Pricing:
"Request a Demo"

Est. 1996 | TN, INDIA | PRIVATE

bio

Zoho Social is a complete social media management tool for growing businesses & agencies. It helps schedule posts, monitor mentions, create unlimited reports, and more. Zoho Social is from Zoho.com—a suite of 40+ products trusted by 30+ million users.

SoftwareReviews' SMMP Rankings

Strengths:

• Provides integration capabilities with other Zoho products
• Competitive pricing

Areas to improve:

• Base functionality is limited
• The two starting tiers are limited to one user

*Pricing correct as of August 2021. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.

Zoho differentiates itself from competitors by highlighting integration with other products under the Zoho umbrella – their adjacent tool sets allow organizations to manage emails, projects, accounts, and webinars. Zoho also offers the choice of purchasing their social media management tool without any of the augmented CRM capabilities, which is priced quite competitively.

The social media management tools are offered in three plans. Each plan allows the ability to publish and schedule posts across nine platforms, access summary reports and analytics, and access a Bit.ly integration & URL shortener. The standard and professional plans are limited to one brand and one team member, with the option to add team members or social channels for an additional cost.

YouTube support is exclusive to the premium offering.

History

Standard Starts at $10* Per month, billed annually 9 channels and 1 team member Professional Starts at $30* Per month, billed annually Option to add team members for additional cost Premium Starts at $40* Per month, billed annually Starts at 10 channels and 3 team members

Est. 2012 | CA, USA | PRIVATE

bio

MavSocial is a multi-award-winning, fully integrated social media management & advertising solution for brands and agencies.

SoftwareReviews' SMMP Rankings

Strengths

• Content management capabilities
• Offers millions of stock free images

Areas to improve:

• Limited market footprint compared to competitors
• Not ideal for large enterprises

*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.

In addition to social media management, MavSocial is also an excellent content management tool. A centralized platform is offered that can store many photos, videos, infographics, and more, which can be accessed anytime. The solution comes with millions of free stock images to use. MavSocial is a great hybrid social media and content management solution for small and mid-sized businesses and larger brands that have dedicated teams to manage their social media. MavSocial also offers campaign planning and management, scheduling, and social inbox functionality. The entry-level plan starts at $78 per month for three users and 30 profiles. The enterprise plan offers fully configurable and state-of-the-art social media management tools, including the ability to manage Facebook ads.

History

Pro Starts at $78* Per month Max. 3 users and 30 Profiles Business Starts at $249* Per month 5 users, 40 profiles Ability to expand users and profiles Enterprise Starts at $499* Per month Fully customized

Est. 2019 | TX, USA | PRIVATE

bio

Use the Khoros platform (formerly Spredfast + Lithium) to deliver an all-ways connected experience your customers deserve.

SoftwareReviews' SMMP Rankings

Strengths

• Offers a dedicated social strategic service team
• Extensive functionality

Areas to improve:

• Opaque pricing
• Not suitable for small or medium businesses

Khoros is the result of the merger between two social marketing platforms - Spredfast and Lithium. The parent companies have over a decade of experience offering social management tools. Khoros is widely used among many large brands such as StarHub and Randstad. Khoros is another vendor that is primarily focused on large enterprises and does not offer plans for small/medium businesses. Khoros offers a broad range of functionality such as social media marketing, customer engagement, and brand protection with visibility and controls over social media presence. Khoros also offers a social strategic services team to manage content strategy, brand love, reporting, trend tracking, moderation, crisis and community management; this team can be full service or a special ops extension of your in-house crew.

History

Khoros – Opaque Pricing:
"Request a Demo"

Est. 2009 | UK | PRIVATE

bio

Sendible allows you to manage social networks, schedule messages, engage your audiences, and measure ROI right from one easy-to-use dashboard.

SoftwareReviews' SMMP Rankings

Strengths

• Great integration capabilities
• Competitive pricing
• Scheduling functionality

Areas to improve:

• Limited footprint compared to competitors
• Better suited for agencies

*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.

Sendible primarily markets itself to agencies rather than individual brands or businesses. Sendible's key value proposition is its integration capabilities. It can integrate with 17 different tools including Meta, Twitter, Instagram, LinkedIn, Google My Business (GMB), YouTube, WordPress, Canva, Google Analytics, and Google Drive. In addition to normal reporting functionality, the Google Analytics integration allows customers to track clickthrough and user behavior for traffic coming from social media channels.

All plans include the functionality to schedule at least ten posts. Sendible offers excellent collaboration tools, allowing teams to work on assigned tasks and have content approved before they are scheduled to ensure quality control. Sendible offers four plans, with the option to save an additional 15% by signing up for annual payments.

History

Creator Starts at $29 Price per month For freelancers One brand Traction Starts at $89 Price per month Start-up agencies & brands. 4+ brands Scale Starts at $199 Price per month For growing agencies & brands Custom Opaque pricing Request a quote For large teams & agencies

Est. 2010 | FRANCE | PRIVATE

bio

Agorapulse is an affordable social media dashboard that helps businesses and agencies easily publish content and manage their most important conversations on their social networks.

SoftwareReviews' SMMP Rankings

Strengths

• ROI calculation for Facebook
• Competitor analysis
• Social inbox functionality

Areas to improve:

• Targeted toward agencies
• Advanced features can't be purchased under lower tier plans

*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.

Although Agorapulse offers the solution for both agencies and business, they primarily focus on agencies. In addition to the standard social media management functionality, Agorapulse also offers features such as competitor analysis and Facebook contest apps at an affordable price point. They also offer social inbox functionality, allowing the ability to manage the inbox and reply to any message or comment across all social profiles through a single platform.

The solution is offered in three plans. The pro plan allows ten social profiles and two users. Additional social profiles and users can only be purchased under the premium plan. All plans include ROI calculation for Facebook, but if you want this functionality for other platforms, that's exclusive to the enterprise plan.

History

Pro Starts at $79 Price per month 10 social profiles and 2 users Premium Starts at $199 Price per month 20 social profiles and 2 brands Enterprise Opaque pricing 40+ social profiles and 8+ users

Est. 2010 | CA, USA | PRIVATE

bio

A better way to manage social media for your business. Buffer makes it easy to manage your business' social media accounts. Schedule posts, analyze performance, and collaborate with your team — all in one place.

SoftwareReviews' SMMP Rankings

Strengths

• Competitive pricing
• Scheduling functionality
• Mobile app

Areas to improve:

• Not suited for medium to large enterprises
• Limited functionality

*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.

Buffer is a social media platform targeted toward small businesses. It is a great cost-effective option for those who want to manage a few social media profiles, with a free plan that lets one user access three social channels. At $5 per month, it's a great entry point for smaller companies to invest in social media management tools, offering functionality like post scheduling and link shortening and optimization tools for hashtags, tags, and mentions across platforms. All plans provide a browser extension, access to a mobile app, two-factor authentication, social media and email support, and access to the Buffer community. Customers can also trial any of the plans for 14 days before purchasing.

history

Essentials Starts at $5 Per month per channel Basic functionality Team Starts at $10 Per month per channel Adds reporting capabilities Agency Starts at $100 Per month per channel

Leverage Info-Tech's research to plan and execute your SMMP implementation

Use Info-Tech Research Group's three-phase implementation process to guide your own planning.

• Assess
• Prepare
• Govern & Course Correct

Establish and execute an end-to-end, Agile framework to succeed with the implementation of a major enterprise application.

Visit this link

Ensure your implementation team has a high degree of trust and communication

If external partners are needed, dedicate an internal resource to managing vendor and partner relationships.

Communication

Teams must have a communication strategy. This can be broken into:

• Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
• Ceremonies: Introducing awards and continually emphasizing delivery of value can encourage relationship building and constructive motivation.
• Escalation: Voicing any concerns and having someone responsible for addressing those concerns.

Proximity

Distributed teams create complexity as communication can break down. This can be mitigated by:

• Location: Placing teams in proximity can close the barrier of geographical distance and time zone differences.
• Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
• Communication tools: Having the right technology (e.g. video conference) can help bring teams closer together virtually.

Trust

Members should trust other members to contribute to the project and complete required tasks on time. Trust can be developed and maintained by:

• Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.
• Role clarity: Having a clear definition of everyone's role.

Summary of Accomplishment

Knowledge Gained

• What a social media management platform (SMMP) is
• The history of SMMP
• The future of SMMP
• Key trends in SMMP

Processes Optimized

• Requirements gathering
• Requests for proposal (RFPs) and contract reviews
• SMMP vendor selection
• SMMP implementation

SMMP Vendors Analyzed

• Sprout Social
• HubSpot
• Zoho Social
• Khoros
• Agorapulse
• Hootsuite
• Sprinklr
• MavSocial
• Sendible
• Buffer

Related Info-Tech Research

Select and Implement a Social Media Management Platform

• SMMPs reduce complexity and increase the results of enterprise social media initiatives.

Social Media

• The Social Media workshop provides clear, measurable improvements to your social media strategy.

Improve Requirements Gathering

• An improvement in requirements analysis will strengthen the relationship between business and IT, as more and more applications satisfy stakeholder needs. More importantly, the applications delivered by IT will meet all the must-have and at least some of the nice-to-have requirements, allowing end users to successfully execute their day-to-day responsibilities.

Bibliography

"30+ Influencer Marketing Statistics You Should Know (2022)." Shopify, www.shopify.com/blog/influencer-marketing-statistics.
"A Brief History of Hootsuite." BrainStation®, 2015, https://brainstation.io/magazine/a-brief-history-of-hootsuite#:~:text=In%202008%2C%20Vancouver%2Dbased%20digital,accounts%20from%20a%20single%20interface.&text=In%202009%2C%20BrightKit's%20name%20changed,a%20capital%20%E2%80%9CS%E2%80%9D).
"About Us." Sprout Social, https://sproutsocial.com/about/#history
"About Zoho - Our Story, List of Products." Zoho, www.zoho.com/aboutus.html.
Adam Rowe, et al. "Sprout Social vs Hootsuite - Which Is Best?: Tech.co 2022." Tech.co, 15 Nov. 2022, https://tech.co/digital-marketing/sprout-social-vs-hootsuite
"Agorapulse Customer Story: Twilio Segment." Segment, https://segment.com/customers/agorapulse/
"Agorapulse - Funding, Financials, Valuation & Investors." Crunchbase, www.crunchbase.com/organization/agorapulse/company_financials.
"Agorapulse Release Notes." Agorapulse Release Notes, https://agorapulse.releasenotes.io/
"Buffer - Funding, Financials, Valuation & Investors." Crunchbase, www.crunchbase.com/organization/buffer/company_financials.
Burton, Shannon. "5 Genius Social Commerce Examples You Can Learn From." Sprout Social, 28 Oct. 2021, https://sproutsocial.com/insights/social-commerce-examples/ .
Chris Gillespie. "How Long Should a Video Be." Vidyard, 17 May 2022, www.vidyard.com/blog/video-length/.
"Consumers Continue to Seek Influencers Who Keep It Real." Matter Communications, 22 Feb 2023. https://www.matternow.com/blog/consumers-seek-influencers-who-keep-it-real/
"Contact Center, Communities, & Social Media Software." Khoros, https://khoros.com/about.
Fennell, Kylie, et al. "Blog." MavSocial, https://mavsocial.com/blog/.
Fuchs, Jay. "24 Stats That Prove Why You Need a Crisis Management Strategy in 2022." HubSpot Blog, HubSpot, 16 Mar. 2022, https://blog.hubspot.com/service/crisis-management-stats
Geyser, Werner. "Key Social Commerce Statistics You Should Know in 2022." Influencer Marketing Hub, http://influencermarketinghub.com/social-commerce-stats/
"Global Crisis Survey 2021: Building resilience for the next normal." PwC, 2021. https://www.pwc.com/ia/es/prensa/pdfs/Global-Crisis-Survey-FINAL-March-18.pdf
"Global Influencer Marketing Value 2016-2022." Statista, 6 Jan 2023, www.statista.com/statistics/1092819/global-influencer-market-size/.
"Key Social Commerce Statistics You Should Know in 2023." Influencer Marketing Hub, December 29, 2022. https://influencermarketinghub.com/social-commerce-stats/
"Khoros - Funding, Financials, Valuation & Investors." Crunchbase, www.crunchbase.com/organization/spredfast/company_financials.
Lin, Ying. "Social Commerce Market Size (2020–2026) ", Oberlo, Oberlo, www.oberlo.com/statistics/social-commerce-market-size#:~:text=Social%20commerce%20statistics%20show%20that,fastest%20and%20slowest%20growth%20rates.
Mediakix, "5 Influencer Marketing Case Studies." HubSpot, n.d. https://cdn2.hubspot.net/hubfs/505330/Influencer-Marketing-5-Case-Studies-Ebook.pdf.
"Our Story: HubSpot - Internet Marketing Company." HubSpot, www.hubspot.com/our-story .
PricewaterhouseCoopers. "69% Of Business Leaders Have Experienced a Corporate Crisis in the Last Five Years Yet 29% of Companies Have No Staff Dedicated to Crisis Preparedness." PwC, 2019. www.pwc.com/gx/en/news-room/press-releases/2019/global-crisis-survey.html.
Ferris, Robert. "Duke Player Zion Williamson Injured When Nike Shoe Blows Apart during Game." CNBC, CNBC, 21 Feb. 2019, www.cnbc.com/2019/02/21/duke-player-zion-williamson-injured-when-nike-shoe-blows-apart-in-game.html.
"Social Engagement & Sales Platform." Sprinklr, www.sprinklr.com/social-engagement/.
"Social Media Analytics & Reporting for Growing Brands." Buffer, https://buffer.com/analyze
"Social Media Management and Advertising Tool." MavSocial, 30 July 2022, https://mavsocial.com/
"Social Media Management Software." HubSpot, www.hubspot.com/products/marketing/social-inbox.
"Social Media Management Software - Zoho Social." Zoho, www.zoho.com/social/
"Social Media Management Tool for Agencies & Brands." Sendible, www.sendible.com/.
"Social Media Management Tools." Sprout Social, 6 Sept. 2022, https://sproutsocial.com/social-media-management/
"Social Media Marketing & Management Platform For Enterprises." Khoros, khoros.com/platform/social-media-management.
"Social Media Monitoring Tool." Agorapulse, www.agorapulse.com/features/social-media-monitoring/.
"Top 12 Moments in SPRINKLR's History." Sprinklr, www.sprinklr.com/blog/12-moments-sprinklr-history/.
Twitter, BestBuy, https://twitter.com/BestBuyCanada
"The Ultimate Guide to Hootsuite." Backlinko, 10 Oct. 2022, https://backlinko.com/hub/content/hootsuite
Widrich, Leo. "From 0 to 1,000,000 Users: The Journey and Statistics of Buffer." Buffer Resources, Buffer Resources, 8 Dec. 2022, buffer.com/resources/from-0-to-1000000-users-the-journey-and-statistics-of-buffer/.
Yeung, Carmen. "Social Media Crisis Management 3 Examples Done Right." Synthesio, 19 Nov. 2021, www.synthesio.com/blog/social-media-crisis-management/.

Understand the Difference Between Backups and Archives

They are not the same, and confusing the two concepts could be expensive

Analyst Perspective

Backups and archives are not interchangeable, but they can complement each other.

Backups and archives are two very different operations that are quite often confused or misplaced. IT and business leaders are tasked with protecting corporate data from a variety of threats. They also must conform to industry, geographical, and legal compliance regulations. Backup solutions keep the data safe from destruction. If you have a backup, why do you also need an archive? Archive solutions hold data for a long period of time and can be searched. If you have an archive, why do you also need a backup solution? Backups and archives used to be the same. Remember when you would keep the DAT tape in the same room as the argon gas fire suppression system for seven years? Now that's just not feasible. Some situations require a creative approach or a combination of backups and archives.

Understand the difference between archives and backups and you will understand why the two solutions are necessary and beneficial to the business.

P.J. Ryan
Research Director, Infrastructure & Operations
Info-Tech Research Group

Executive Summary

Info-Tech Insight

Keep in mind that backups are for recovery while archives are for discovery. Backups and archives are often confused but understanding the differences can result in significant savings of time and money. Backing up and archiving may be considered IT tasks but recovery and discovery are capabilities the business wants and is willing to pay for.

Archive

Tips & Tricks – Archiving

• Archiving will move older data to an alternate location. This will free up storage space in the production environment.
• Archiving solutions index the data to allow for easier searchability. This will aid in common business searches as well as assist with any potential legal searches.
• Archiving allows companies to hold onto data for historical purposes as well as for specific retention periods in compliance with industry and regional regulations such as SOX, GDPR, FISMA, as well as others (msp360.com).

Backup

Tips & Tricks – Backups

• Production data should be backed up on a regular basis, ideally once a day or more frequently if possible.
• Backups are intended to restore data when it gets deleted, over-written, or otherwise compromised. Most restore requests are from the last 24 to 48 hours, so it may be advantageous to keep a backup readily available on disk for a quick restore when needed.
• Some vendors and industry subject matter experts advocate the use of a 3-2-1 rule when it comes to backups:
  • Keep three copies of your production data
  • In at least two separate locations (some advocate two different formats), and
  • One copy should be offsite (nakivo.com)

Cold Storage

• Cold storage refers to a storage option offered by some cloud vendors. In the context of the discussion between backups and archives, it can be an option for a dedicated backup solution for a specific period. Cost is low and the data is protected from destruction.
• If an app has been replaced and all data transferred to the replacement solution but for some reason the company wishes to hold onto the data, you want a backup, not an archive. Extract the data, convert it into MongoDB or a similar solution, and drop it into cheap cloud storage (cold storage) for less than $5 per TB/month.

Case Study

Understanding the difference between archives and backups could save you a lot of time and money

INDUSTRY: Manufacturing | SOURCE: Info-Tech Research

Understanding the difference between an archive and a backup was the first step in solving their challenge.

A leading manufacturing company found themselves in a position where they had to decide between archiving or doing nothing.

The company had completed several acquisitions and ended up with multiple legacy applications that had been merged or migrated into replacement solutions. These legacy applications were very important to the original companies and although the data they held had been migrated to a replacement solution, executives felt they should hold onto these applications for a period of time, just in case.

Some of the larger applications were archived using a modern archiving solution, but when it came to the smaller applications, the cost to add them to the archiving solution greatly exceeded the cost to just keep them running and maintain the associated infrastructure.

A research advisor from Info-Tech Research Group joined a call with the manufacturing company and discussed their situation. The difference between archives and backups was explained and through the course of the conversation it was discovered that the solution was a modified backup. The application data had already been preserved through the migration, so data could be accessed in the production environment. The requirement to keep the legacy application up and running was not necessary but in compliance with the request to keep the information, the data could be exported from the legacy application into a non-sequential database, compressed, and stored in cloud-based cold storage for less than five dollars per terabyte per month. The manufacturing company’s staff realized that they could apply this same approach to several of their legacy applications and save tens of thousands of dollars in the process.

Understand the Difference Between Backups and Archives

Info-Tech Insight

Archives and backups are not the same, and there is a use case for each. Sometimes minor adjustments may be required to make the use case work. Understanding the basics of backups and archives can lead to significant savings at a monetary and effort level.

Additional Guidance

Case Study

Using tape backups as an archive solution could result in an expensive discovery and retrieval exercise.

INDUSTRY: Healthcare | SOURCE: Zasio Enterprises Inc.

“Do not commingle archive data with backup or disaster recovery tapes.”

A court case in the United States District Court for the District of Nevada involving Guardiola and Renown Health in 2015 is a good example of why using a backup solution to solve an archiving challenge is a bad idea.

Renown Health used a retention policy that declared any email older than six months of age as inactive and moved that email to a backup tape. Renown Health was ordered by the court to produce emails from a period of time in the past. Renown estimated that it would cost at least $248,000 to produce those emails, based on the effort involved to restore data from each tape and search for the email in question. Renown Health argued that this long and expensive process would result in undue costs.

The court reviewed the situation and ruled against Renown Health and ordered them to comply with the request (Zasio.com).

A proper archiving solution would have provided a quick and low-cost method to retrieve the emails in question.

Backups and archives are complementary to each other

• Archives are still production data, but the data does not change. A backup is recommended for the archived data, but the frequency of the backups can be lowered.
• Backups protect you if a disaster strikes by providing a copy of the production data that was compromised or damaged. Archives allow you to access older data that may have just been forgotten, not destroyed or compromised. Archives could also protect you in a legal court case by providing data that is older but may prove your argument in court.

Archives and backups are not the same.

Backups copy your data. Archives move your data. Backups facilitate recovery. Archives facilitate discovery.

Is it a backup or archive?

• You want to preserve older data for legal and compliance reasons, so you put extra effort into keeping your tape backups safe and secure for seven years. That’s a big mistake that may cost you time and money. You want an archive solution.
• You replace your older application and migrate all data to the new system, but you want to hold onto the old data, just in case. That’s a backup, not an archive.
• A long serving senior executive recently left the company. You want to preserve the contents of the executive's laptop in case it is needed in the future. That’s a backup.

Considerations When Choosing Between Solutions

Related Info-Tech Research

	Establish an Effective Data Protection Plan Give data the attention it deserves by building a strategy that goes beyond backup.
	Modernize Enterprise Storage Current and emerging storage technologies are disrupting the status quo – prepare your infrastructure for the exponential rise in data and its storage requirements.
	Data Archiving Policy

Bibliography

“Backup vs. archiving: Know the difference.” Open-E. Accessed 05 Mar 2022.Web.

G, Denis. “How to build retention policy.” MSP360, Jan 3, 2020. Accessed 10 Mar 2022.

Ipsen, Adam. “Archive vs Backup: What’s the Difference? A Definition Guide.” BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.

Kang, Soo. “Mitigating the expense of E-discovery; Recognizing the difference between back-ups and archived data.” Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.

Mayer, Alex. “The 3-2-1 Backup Rule – An Efficient Data Protection Strategy.” Naviko. Accessed 12 Mar 2022.

“What is Data-Archiving?” Proofpoint. Accessed 07 Mar 2022.

Generative AI: Market Primer

Cut through Gen AI buzzwords to achieve market clarity.

Analyst Perspective

The generative AI (Gen AI) marketspace is complex, nascent, and unstable.

Organizations need to get clear on what Gen AI is, its infrastructural components, and the governance required for successful platform selection.

The urge to be fast-moving to leverage the potential benefits of Gen AI is understandable. There are plenty of opportunities for Gen AI to enrich an organization’s use cases – from commercial to R&D to entertainment. However, there are requisites an organization needs to get right before Gen AI can be effectively applied. Part of this is ensuring data and AI governance is well established and mature within the organization. The other part is contextualizing Gen AI to know what components of this market the organization needs to invest in.

Owing to its popularity surge, OpenAI’s ChatGPT has become near synonymous with Gen AI. However, Gen AI is an umbrella concept that encompasses a variety of infrastructural architecture. Organizations need to ask themselves probing questions if they are looking to work with OpenAI: Does ChatGPT rest on the right foundational model for us? Does ChatGPT offer the right modalities to support our organization’s use cases? How much fine-tuning and prompt engineering will we need to perform? Do we require investment in on-premises infrastructure to support significant data processing and high-volume events? And do we require FTEs to enable all this infrastructure?

Use this market primer to quickly get up to speed on the elements your organization might need to make the most of Gen AI.

Thomas Randall

Advisory Director, Info-Tech Research Group

Executive Summary

“We are entering the era of generative AI.
This is a unique time in our history where the benefits of AI are easily accessible and becoming pervasive with co-pilots emerging in the major business tools we use today. The disruptive capabilities that can potentially drive dramatic benefits also introduces risks that need to be planned for.”

Bill Wong, Principal Research Director – Data and BI, Info-Tech Research Group

Who benefits from this project?

This research is designed for:

• Senior IT, developers, data staff, and project managers who:
  • Have received a mandate from their executives to begin researching the Gen AI market.
  • Need to quickly get up to speed on the state of the Gen AI market, given no deep prior knowledge of the space.
  • Require an overview of the different components to Gen AI to contextualize how vendor comparisons and selections can be made.
  • Want to gain an understanding of key trends, risks, and evaluative criteria to consider in their selection process.

This research will help you:

• Articulate the potential business value of Gen AI to your organization.
• Establish which high-value use cases could be enriched by Gen AI functionality.
• Assess vendor viability for enterprise and specialized software providers in the Gen AI marketspace.
• Collect information on the prerequisites for implementing Gen AI functionality.
• Develop relevant evaluative criteria to assist differentiating between shortlisted contenders.

This research will also assist:

• Executives, business analysts, and procurement teams who are stakeholders in:
  • Contextualizing the landscape for learning opportunities.
  • Gathering and documenting requirements.
  • Building deliverables for software selection projects.
  • Managing vendors, especially managing the relationships with incumbent enterprise software providers.

This research will help you:

• Identify examples of how Gen AI applications could be leveraged for your organization’s core use cases.
• Verify the extent of Gen AI functionality an incumbent enterprise provider has.
• Validate accuracy of Gen AI language and architecture referenced in project deliverables.

Insight Summary

You cannot speedrun Gen AI selection and implementation.

Organizations with (1) FTEs devoted to making Gen AI work (including developers and business intelligence analysts), (2) trustworthy and regularly updated data, and (3) AI governance are just now reaching PoC testing.

Gen AI is not a software category – it is an umbrella concept.

Gen AI platforms will be built on different foundational models, be trained in different ways, and provide varying modalities. Do not expect to compare Gen AI platforms to the same parameters in a vendor quadrant.

Bad data is the tip of the iceberg for Gen AI risks.

While Gen AI success will be heavily reliant on the quality of data it is fine-tuned on, there are independent risks organizations must prepare for: from Gen AI hallucinations and output reliability to infrastructure feasibility to handle high-volume events.

Gen AI use may require changes to sales incentives.

If you plan to use Gen AI in a commercial setting, review your sales team’s KPIs. They are rewarded for sales velocity; if they are the human-in-the-loop to check for hallucinations, you must change incentives to ensure quality management.

Prepare for ongoing instability in the Gen AI market.

If your organization is unsure about where to start with Gen AI, the secure route is to examine what your enterprise providers are offering. Use this as a learning platform to confidently navigate which specialized Gen AI provider will be viable for meeting your use cases.

Brace for a potential return of on-premises infrastructure to power Gen AI.

The market trend has been for organizations to move to cloud-based products. Yet, for Gen AI, effective data processing and fine-tuning may call for organizations to invest in on-premises infrastructure (such as more GPUs) to enable their Gen AI to function effectively.

Info-Tech’s methodology for understanding the Gen AI marketspace

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

The Gen AI market evaluation process should be broken into segments:

1. Gen AI market education with this primer
2. Structured approach to selection
3. Evaluation and final due diligence

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful"

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Software selection engagement

Five advisory calls over a five-week period to accelerate your selection process

• Receive expert analyst guidance over five weeks (on average) to select and negotiate software.
• Save money, align stakeholders, speed up the process, and make better decisions.
• Use a repeatable, formal methodology to improve your application selection process.
• Get better, faster results guaranteed, included in membership.

Click here to book your selection engagement.

Software selection workshops

40 hours of advisory assistance delivered online.

Select better software, faster.

• 40 hours of expert analyst guidance
• Project and stakeholder management assistance
• Save money, align stakeholders, speed up the process, and make better decisions
• Better, faster results guaranteed; 25K standard engagement fee

Click here to book your workshop engagement.

Build an IT Risk Management Program

Mitigate the IT risks that could negatively impact your organization.

Table of Contents

3 Executive Brief

4 Analyst Perspective

5 Executive Summary

19 Phase 1: Review IT Risk Fundamentals & Governance

43 Phase 2: Identify and Assess IT Risk

74 Phase 3: Monitor, Communicate, and Respond to IT Risk

102 Appendix

108 Bibliography

Build an IT Risk Management Program

Mitigate the IT risks that could negatively impact your organization.

EXECUTIVE BRIEF

Analyst Perspective

Siloed risks are risky business for any enterprise.

Valence Howden Principal Research Director, CIO Practice

Brittany Lutes Senior Research Analyst, CIO Practice

Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.

Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.

This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.

Executive Summary

Your Challenge

IT has several challenges when it comes to addressing risk management:

• Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
• The business could be making decisions that are not informed by risk.
• Reacting to risks after they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

Common Obstacles

Many IT organizations realize these obstacles:

• IT risks and business risks are often addressed separately, causing inconsistencies in the approach.
• Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
• Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.

Info-Tech’s Approach

• Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success.
• Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
• Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the IT risks most critical to the organization.

Info-Tech Insight

IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

Ad hoc approaches to managing risk fail because…

If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.

1. Ad hoc risk management is reactionary.
2. Ad hoc risk management is often focused only on IT security.
3. Ad hoc risk management lacks alignment with business objectives.

The results:

• Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
• Increased IT non-compliance, resulting in costly settlements and fines.
• IT audit failure.
• Ineffective management of risk caused by poor risk information and wrong risk response decisions.
• Increased unnecessary and avoidable IT failures and fixes.

58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021)

Data is an invaluable asset – ensure it’s protected

Risk management is a business enabler

Formalize risk management to increase your likelihood of success.

By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.

A certain amount of risk is healthy and can stimulate innovation:

• A formal risk management strategy doesn’t mean trying to mitigate every possible risk; it means exposing the organization to the right amount of risk.
• Taking a formal risk management approach allows an organization to thoughtfully choose which risks it is willing to accept.
• Organizations with high risk management maturity will vault themselves ahead of the competition because they will be aware of which risks to prepare for, which risks to ignore, and which risks to take.

Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021)

IT risk is enterprise risk

Accountability for IT risks and the decisions made to address them should be shared between IT and the business.

IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

Follow the steps of this blueprint to build or optimize your IT risk management program

Start Here	PHASE 1 Review IT Risk Fundamentals and Governance		PHASE 2 Identify and Assess IT Risk		PHASE 3 Monitor, Report, and Respond to IT Risk
	1.1 Review IT Risk Management Fundamentals	1.2 Establish a Risk Governance Framework	2.1 Identify IT Risks	2.2 Assess and Prioritize IT Risks	3.1 Monitor IT Risks and Develop Risk Responses	3.2 Report IT Risk Priorities

Integrate Risk and Use It to Your Advantage

Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

Risk management is more than checking an audit box or demonstrating project due diligence.

Risk Drivers Audit & compliance Preserve value & avoid loss Previous risk impact driver Major transformation Strategic opportunities		Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021)	63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021)	Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020)	55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
		1. Assess Enterprise Risk Maturity	3. Build a Risk Management Program Plan	4. Establish Risk Management Processes	5. Implement a Risk Management Program
		2. Determine Authority with Governance Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability. Governance and related decision making is optimized with integrated and aligned risk data.			ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types. The program plan is meant to consider all the major risk types in a unified approach.		Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable: Risk Management Program Manual Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.	Integrated Risk Maturity Assessment Assess the organization's current maturity and readiness for integrated risk management (IRM).		Centralized Risk Register The repository for all the risks that have been identified within your environment.
	Risk Costing Tool A potential cost-benefit analysis of possible risk responses to determine a good method to move forward.		Risk Report & Risk Event Action Plan A method to report risk severity and hold risk owners accountable for chosen method of responding.

Benefit from industry-leading best practices

As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

Abandon ad hoc risk management

Blueprint benefits

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 8 calls over the course of 3 to 6 months.

What does a typical GI on this topic look like?

Phase 1

• Call #1: Assess current risk maturity and organizational buy-in.
• Call #2: Establish an IT risk council and determine IT risk management program goals.

Phase 2

• Call #3: Identify the risk categories used to organize risk events.
• Call #4: Identify the threshold for risk the organization can withstand.

Phase 3

• Call #5: Create a method to assess risk event severity.
• Call #6: Establish a method to monitor priority risks and consider possible risk responses.
• Call #7: Communicate risk priorities to the business and implement risk management plan.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Build an IT Risk Management Program

Phase 1

Review IT Risk Fundamentals and Governance

This phase will walk you through the following activities:

• Gain buy-in from senior leadership
• Assess current program maturity
• Identify obstacles and pain points
• Determine the risk culture of the organization
• Develop risk management goals
• Develop SMART project metrics
• Create the IT risk council
• Complete a RACI chart

This phase involves the following participants:

• IT executive leadership
• Business executive leadership

Step 1.1

Review IT Risk Management Fundamentals

Activities

• 1.1.1 Gain buy-in from senior leadership
• 1.1.2 Assess current program maturity

This step involves the following participants:

• IT executive leadership
• Business executive leadership

Outcomes of this step

• Reviewed key IT principles and terminology
• Gained understanding of the relationship between IT risk management and ERM
• Introduced to Info-Tech’s IT Risk Management Framework
• Obtained the support of senior leadership

Effective IT risk management is possible with or without ERM

Whether or not your organization has ERM, integrating your IT risk management program with the business is possible.

Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:

Info-Tech’s IT risk management framework walks you through each step to achieve risk readiness

IT Risk Management Framework

Risk Governance Optimize Risk Management Processes Assess Risk Maturity Measure the Success of the Program		Risk Identification Engage Stakeholder Participation Use Risk Identification Frameworks Compile IT-Related Risks
Risk Response Establish Monitoring Responsibilities Perform Cost-Benefit Analysis Report Risk Response Actions		Risk Assessment Establish Thresholds for Unacceptable Risk Calculate Expected Cost Determine Risk Severity & Prioritize IT Risks

Effective IT risk management benefits

Obtain the support of the senior leadership team or IT steering committee by communicating how IT risk impacts their priorities.

1.1.1 Gain buy-in from senior leadership

Input: List of IT personnel and business stakeholders

Output: Buy-in from senior leadership for an IT risk management program

Materials: Risk Management Program Manual

Participants: IT executive leadership, Business executive leadership

The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:

• Occasional participation of key IT personnel and select business stakeholders in IT risk council meetings (e.g. once every two weeks).
• Periodic risk assessments (e.g. 4 days, twice a year).
• IT personnel must take on risk monitoring responsibilities (e.g. 1-4 hours per week).
• Record the results in the Program Manual sections 3.3, 3.4 and 3.5.

Record the results in the Risk Management Program Manual.

Integrated Risk Maturity Assessment

The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM)

Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.

Integrated Risk Maturity Assessment A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization.

Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organizations.

Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.

1.1.2 Assess current program maturity

1-4 hours

Input: List of IT personnel and business stakeholders

Output: Maturity scores across four key risk categories

Materials: Integrated Risk Maturity Assessment Tool

Participants: IT executive leadership, Business executive leadership

This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.

How to Use This Assessment:

1. Download the Integrated Risk Management Maturity Assessment Tool.
2. Tab 2, "Data Entry:" This is a qualitative assessment of your integrated risk management process and is organized by the categories of integrated risk maturity. You will be asked to rate the extent to which you are executing the activities required to successfully complete each phase of the assessment. Use the drop-down menus provided to select the appropriate level of execution for each activity listed.
3. Tab 3, "Results:" This tab will display your rate of IRM completeness/maturity. You will receive a score for each category as well as an overall score. The results will be displayed numerically, by percentage, and graphically.

Record the results in the Integrated Risk Maturity Assessment.

Step 1.2

Establish a Risk Governance Framework

Activities

• 1.2.1 Identify pain points/obstacles and opportunities
• 1.2.2 Determine the risk culture of the organization
• 1.2.3 Develop risk management goals
• 1.2.4 Develop SMART project metrics
• 1.2.5 Create the IT risk council
• 1.2.6 Complete a RACI chart

This step involves the following participants:

• IT executive leadership
• Business executive leadership

Outcomes of this step

• Developed goals for the risk management program
• Established the IT risk council
• Assigned accountability and responsibility for risk management processes

Review IT Risk Fundamentals and Governance

Create an IT risk governance framework that integrates with the business

Follow these best practices to make sure your requirements are solid:

1. Self-assess your current approach to IT risk management.
2. Identify organizational obstacles and set attainable risk management goals.
3. Track the effectiveness and success of the program using SMART risk management metrics.
4. Establish an IT risk council tasked with managing IT risk.
5. Set clear risk management accountabilities and responsibilities for IT and business stakeholders.

Key metrics for your IT risk governance framework

Info-Tech Insight

Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.

IT risk management success factors

1.2.1 Identify obstacles and pain points

1-4 hours

Input: Integrated Risk Maturity Assessment

Output: Obstacles and pain points identified

Materials: IT Risk Management Success Factors

Participants: IT executive leadership, Business executive leadership

Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.

Instructions:

1. List the potential obstacles and missing success factors that you must overcome to effectively manage IT risk and build a risk management program.
2. Consider some opportunities that could be leveraged to increase the success of this program.
3. Use this list in Activity 1.2.3 to develop program goals.

Risk Management

Replace the example pain points and opportunities with real scenarios in your organization.

1.2.2 Determine the risk culture of your organization

Determine how your organization fits the criteria listed below. Descriptions and examples do not have to match your organization perfectly.

Be aware of the organization’s attitude towards risk

Risk culture is an organization’s attitude towards taking risks. This attitude manifests itself in two ways:

Info-Tech Insight

Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.

1.2.3 Develop goals for the IT risk management program

1-4 hours

Input: Integrated Risk Maturity Assessment, Risk Culture, Pain Points and Opportunities

Output: Goals for the IT risk management program

Materials: Risk Management Program Manual

Participants: IT executive leadership, Business executive leadership

Translate your maturity assessment and knowledge about organizational risk culture, potential obstacles, and success factors to develop goals for your IT risk management program.

Instructions:

1. In the Risk Management Program Manual, revise, replace, or add to the high-level goals provided in section 2.4.
2. Make sure that you have three to five high-level goals that reflect the current and targeted maturity of IT risk management processes.
3. Integrate potential obstacles, pain points, and insights from the organization’s risk culture.

Record the results in the Risk Management Program Manual.

1.2.4 Develop SMART project metrics

Create metrics for measuring the success of the IT risk management program.

1.2.4 Develop SMART project metrics (continued)

Attach metrics to your goals to gauge the success of the IT risk management program.

Replace the example metrics with accurate KPIs or metrics for your organization.

Create the IT risk committee (ITRC)

1.2.5 Create the IT risk council

1-4 hours

Input: List of IT personnel and business stakeholders

Output: Goals for the IT risk management program

Materials: Risk Management Program Manual

Participants: CIO, CRO (if applicable), Senior Directors, Head of Operations

Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.

Instructions:

1. Review sections 3.1 (Mandate) and 3.2 (Agenda and Responsibilities) of the IT Risk Committee Charter, located in the Risk Management Program Manual. Make any necessary revisions.
2. In section 3.3, document how frequently the council is scheduled to meet.
3. In section 3.4, document members of the IT risk council.
4. Obtain sign-off for the IT risk council from the CIO or another member of the senior leadership team in section 3.5 of the manual.

Record the results in the Risk Management Program Manual.

1.2.6 Complete RACI chart

A RACI diagram is a useful visualization that identifies redundancies and ensures that every role, project, or task has an accountable party.

1.2.6 Complete RACI chart (continued)

Assign risk management accountabilities and responsibilities to key stakeholders:

Build an IT Risk Management Program

Phase 2

Identify and Assess IT Risk

This phase will walk you through the following activities:

• Add organization-specific risk scenarios
• Identify risk events
• Augment risk event list using COBIT 2019 processes
• Conduct a PESTLE analysis
• Determine the threshold for (un)acceptable risk
• Create a financial impact assessment scale
• Select a technique to measure reputational cost
• Create a likelihood scale
• Assess risk severity level
• Assess expected cost

This phase involves the following participants:

• IT risk council
• Relevant business stakeholders
• Representation from senior management team
• Business Risk Owners

Step 2.1

Identify IT Risks

Activities

• 2.1.1 Add organization-specific risk scenarios
• 2.1.2 Identify risk events
• 2.1.3 Augment risk event list using COBIT 19 processes
• 2.1.4 Conduct a PESTLE analysis

This step involves the following participants:

• IT executive leadership
• IT Risk Council
• Business executive leadership
• Business risk owners

Outcomes of this step

• Participation of key stakeholders
• Comprehensive list of IT risk events

Get to know what you don’t know

Info-Tech Insight

What you don’t know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of? Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT’s risks.

Engage key stakeholders

Ensure that all key risks are identified by engaging key business stakeholders.

Enable IT to target risk holistically

Take a top-down approach to risk identification to guide brainstorming

Info-Tech’s risk categories are consistent with a risk identification method called Risk Prompting.

A risk prompt list is a list that categorizes risks into types or areas. The n10 risk categories encapsulate the services, activities, responsibilities, and functions of most IT departments. Use these categories and the example risk scenarios provided as prompts to guide brainstorming and organize risks.

2.1.1 Add organization-specific risk scenarios

Review Info-Tech’s ten IT risk categories and add risk scenarios to the examples provided.

2.1.2 Identify risk events

Input: IT risk categories

Output: Risk events identified and categorized

Materials: Risk Register Tool

Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owners, CRO (if applicable)

Use Info-Tech’s IT risk categories and scenarios to brainstorm a comprehensive list of IT-related threats and vulnerabilities impacting your organization.

Instructions:

1. Document risk events in the Risk Register Tool.
2. List risk scenarios (organized by risk category) in the Risk Events/Threats column.
3. Disseminate the list to key stakeholders who were unable to participate and solicit their feedback.
   • Consult the RACI chart located in section 4.1 of the Risk Management Program Manual.
4. Attack one scenario at a time, exhausting all realistic risk events for that grouping before moving onto the next scenario. Each scenario should take approximately 45-60 minutes.

Tip: If disagreement arises regarding whether a specific risk event is relevant to the organization or not and it cannot be resolved quickly, include it in the list. The applicability of these risks will become apparent during the assessment process.

Record the results in the Risk Register Tool.

2.1.3 Augment the risk event list using COBIT 2019 processes (Optional)

Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.

Instructions:

1. Review COBIT 2019’s 40 IT processes and identify additional risk events.
2. Match risk events to the corresponding risk category and scenario and add them to the Risk Register Tool.

2.1.4 Finalize your risk register by conducting a PESTLE analysis (Optional)

Explore alternative identification techniques to incorporate external factors and avoid “groupthink.”

Consider the External Environment – PESTLE Analysis Despite efforts to encourage equal participation in the risk identification process, key risks may not have been shared in previous exercises. Conduct a PESTLE analysis as a final safety net to ensure that all key risk events have been identified.		Avoid “Groupthink” – Nominal Group Technique The Nominal Group Technique uses the silent generation of ideas and an enforced “safe” period of time where ideas are shared but not discussed to encourage judgement-free idea generation. Ideas are generated silently and independently. Ideas are then shared and documented; however, discussion is delayed until all of the group’s ideas have been recorded. Idea generation can occur before the meeting and be kept anonymous. Note: Employing either of these techniques will lengthen an already time-consuming process. Only consider these techniques if you have concerns regarding the homogeneity of the ideas being generated or if select individuals are dominating the exercise.
List the following factors influencing the risk event: Political factors Economic factors Social factors Technological factors Legal factors Environmental factors

Step 2.2

Assess and Prioritize IT Risks

Activities

• 2.2.1 Determine the threshold for (un)acceptable risk
• 2.2.2 Create a financial impact assessment scale
• 2.2.3 Select a technique to measure reputational cost
• 2.2.4 Create a likelihood scale
• 2.2.5 Risk severity level assessment
• 2.2.6 Expected cost assessment

This step involves the following participants:

• IT risk council
• Relevant business stakeholders
• Representation from senior management team
• Business risk owners

Outcomes of this step

• Business-approved thresholds for unacceptable risk
• Completed Risk Register Tool with risks prioritized according to severity
• Expected cost calculations for high-priority risks

Identify and Assess IT Risk

Reveal the organization’s greatest IT threats and vulnerabilities

Info-Tech Insight

Risk is money. It’s impossible to make intelligent decisions about risks without knowing what their financial impact will be.

Review risk assessment fundamentals

Risk assessment provides you with the raw materials to conduct an informed cost-benefit analysis and make robust risk response decisions.

In this section, you will be prioritizing your IT risks according to their risk severity, which is a reflection of their expected cost.

Calculating risk severity

Maintain the engagement of key stakeholders in the risk assessment process

Info-Tech Insight

If business executives still won’t provide the necessary information to update your initial risk assessments, IT should approach business unit leaders and lower-level management. Lean on strong relationships forged over time between IT and business managers or supervisors to obtain any additional information.

Info-Tech recommends a two-level approach to risk assessment

Review the two levels of risk assessment offered in this blueprint.

Risk severity level assessment (mandatory)

Assess all of your identified risk events with a risk severity-level assessment.

• By creating a likelihood and impact assessment scale divided into three to nine “levels” (sometimes referred to as “buckets”), you can evaluate every risk event quickly while being confident that risks are being assessed accurately.
• In the following activities, you will create likelihood and impact scales that align with your organizational risk appetite and tolerance.
• Severity-level assessment is a “first pass” of your risk list, revealing your organization’s most severe IT risks, which can be assessed in greater detail by incorporating expected cost into your evaluation.

Info-Tech recommends a two-level approach to risk assessment (continued)

Expected cost assessment (optional)

Conduct expected cost assessments for IT’s greatest risks.

For risk events warranting further analysis, translate risk severity levels into hard expected-cost numbers.

Implement and leverage a centralized risk register

The purpose of the risk register is to act as the repository for all the risks that have been identified within your environment.

Use this tool to:

1. Collect and maintain a repository for all IT risk events impacting the organization and relevant information for each risk.
   • Capture all relevant IT risk information in one location.
   • Organize risk identification and assessment information for transparent risk management, stakeholder review, and/or internal audit.
2. Calculate risk severity scores to prioritize risk events and determine which risks require a risk response.
   • Separate acceptable and unacceptable risks (as determined by the business).
   • Rank risks based on severity levels.
3. Assess risk responses and calculate residual risk.
   • Evaluate the effect that proposed risk response actions will have on top risk events and quantify residual risk magnitude.
   • This step will be completed in section 3.1

2.2.1 Determine the threshold for (un)acceptable risk

Input: Risk events, Risk appetite

Output: Threshold for risk identified

Materials: Risk Register Tool, Risk Management Program Manual

Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

Instructions:

There are times when the business needs to know about IT risks with high expected costs.

1. Create an expected cost threshold that defines what constitutes an acceptable and unacceptable risk for the organization. This figure should be a concrete dollar value. In the next exercises, you will build risk impact and likelihood scales with this value in mind, ensuring that “high” or “extreme” risks are immediately communicated to senior leadership.
2. Do not consider IT budget restrictions when developing this number. The acceptable risk threshold should reflect the business’ tolerance/appetite for risk.

This threshold is typically based on the organization’s ability to absorb financial losses, and its tolerance/appetite towards risk.

If your organization has ERM, adopt the existing acceptability threshold.

Record this threshold in section 5.3 of the Risk Management Program Manual

2.2.2 Create a financial impact assessment scale

1-4 hours

Input: Risk events, Risk threshold

Output: Financial impact scale created

Materials: Risk Register Tool, Risk Management Program Manual

Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

Instructions:

1. Create a scale to assess the financial impact of risk events.
   • Typically, risk impacts are assessed on a scale of 1-5; however, some organizations may prefer to assess risks using 3, 4, 7, or 9-point scales.
2. Ensure that the unacceptable risk threshold is reflected in the scale.
   • In the example provided, the unacceptable risk threshold ($100,000) is represented as “High” on the impact scale.
3. Attach labels to each point on the scale. Effective labels will easily distinguish between risks on either side of the unacceptable risk threshold.

Record the risk impact scale in section 5.3 of the Risk Management Program Manual

Convert project overruns and service outages into costs

Use the tables below to quickly convert impacts typically measured in units of time to financial cost. Replace the values in the table with those that reflect your own costs.

• While project overruns and service outages may have intangible impacts beyond the unexpected costs stemming from paying employees and lost revenue (such as adding complexity to project management and undermining the business’ confidence in IT), these measurements will provide adequate impact estimations for risk assessment.
• Remember, complex risk events can be analyzed further with an expected cost assessment.

Project Overruns
Project	Time (days) 20 days	Number of employees 8	Average cost per employee (per day) $300	Estimated cost $48,000
Service Outages
Service	Time (hours) 4 hours	Lost revenue (per hour) $10,000	Estimated cost $40,000	Impact scale Low

2.2.3 Select a technique to measure reputational cost (1 of 3)

Realized risk events may have profound reputational costs that do not immediately impact your bottom line.

2.2.3 Select a technique to measure reputational cost (2 of 3)

2.2.3 Select a technique to measure reputational cost (3 of 3)

If you feel that the other techniques have not reflected reputational impacts in the overall severity level of the risk, create a parallel scale that roughly matches your financial impact scale.

Technique #3 – Create a parallel scale for reputational impact: Visibility is a useful metric for measuring reputational impact. Visibility measures how widely knowledge of the risk event has spread and how negatively the organization is perceived. Visibility has two main dimensions: Internal vs. External Low Amplification vs. High Amplification Internal/External: The further outside of the organization that the risk event is visible, the higher the reputational impact. Low/High Amplification: The greater the ability of the actor to communicate and amplify the occurrence of a risk event, the higher the reputational impact. After establishing a scale for reputational impact, test whether it reflects the severity of the financial impact levels in the financial impact scale. For example, if the media learns about a recent data breach, does that feel like a $100,000 loss?

Example:

2.2.4 Create a likelihood scale

1-3 hours

Instructions: Create a scale to assess the likelihood that a risk event will occur over a given period of time. Info-Tech recommends assessing the likelihood that the risk event will occur over a period of one year (the IT risk council should be reassessing the risk event no less than once per year). Ensure that the likelihood scale contains the same number of levels as the financial impact scale (3, 4, 5, 7, or 9). The example provided is likely to satisfy most IT departments; however, you may customize the distribution of likelihood values to reflect the organization’s aversion towards uncertainty. For example, an extremely risk-averse organization may consider any risk event with a likelihood greater than 20% to have a “High” likelihood of occurrence. Attach the same labels used for the financial impact scale (Low, Moderate, High, etc.) Record the risk impact scale in section 5.3 of the Risk Management Program Manual

Info-Tech Insight

Note: Info-Tech endorses the use of likelihood values (1-99%) rather than frequency (3 times per year) as a measurement.
For an explanation of why likelihood values lead to more precise and robust risk assessment, see the Appendix.

2.2.5 Risk severity level assessment

6-10 hours

Input: Risk events identified

Output: Assessed the likelihood of occurrence and impact for all identified risk events

Materials: Risk Register Tool

Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

Instructions:

1. Document the “Risk Category” and “Existing Controls.” in the Risk Register Tool.
   • (See the slide following this activity for tips on identifying existing controls.)
2. Assign each risk event a likelihood and impact level.
   • Remember, you are assessing the impact that a risk event will have on the organization as a whole, not just on IT.
3. When assigning a financial impact level to a risk event, factor in the likely number of instances that the event will occur within the time frame for which you are assessing (usually one year).
   • For risk events like third-party service outages that typically occur a few times each year, assign them an impact level that reflects the likelihood of financial impact the risk event will have over the entire year.
   • E.g. If your organization is likely to experience two major service outages next year and each outage costs the organization approximately $15,000, the total financial impact is $30,000.

Record results in the Risk Register Tool

2.2.5 Risk severity level assessment (continued)

Identify current risk controls

Consider how IT is already addressing key risks.

Types of current risk control

Consider both tactical and strategic controls already in place when filling out risk event information in the Risk Register Tool.

Info-Tech Insight

Identifying existing risk controls (past risk responses) provides a clear picture of the measures already in place to avoid, mitigate, or transfer key risks. This reveals opportunities to improve existing risk controls, or where new strategies are needed, to reduce risk severity levels below business thresholds.

Assign a risk owner for each risk event

Designate a member of the IT risk council to be responsible for each risk event.

Use Info-Tech’s Risk Costing Tool to calculate the expected cost of IT’s high-priority risks (optional)

Use this tool to:

1. Conduct a deeper analysis of severe risks.
   • Determine specific likelihood and financial impact values to communicate the severity of the risk in the Expected Cost tab.
   • Identify the maximum financial impact that the risk event may inflict.
2. Assess the effectiveness of multiple risk responses for each risk event.
   • Determine how proposed risk events will change the likelihood of occurrence and financial impact of the risk event.
3. Incorporate risk proximity into your cost-benefit analysis of risk responses.
   • Illustrate how spending decisions will impact the expected cost of the risk event over time.

2.2.6 Expected cost assessment (optional)

Assign likelihood and financial impact values to high-priority risks.

2.2.6 Expected cost assessment (continued)

Assign likelihood and financial impact values to high-priority risks.

Evaluate likelihood and impact

Refine your risk assessment process by developing more accurate measurements of likelihood and impact.

Build an IT Risk Management Program

Phase 3

Monitor, Respond, and Report on IT Risk

This phase will walk you through the following activities:

• Develop key risk indicators (KRIs) and escalation protocols
• Establish the reporting schedule
• Identify and assess risk responses
• Analyze risk response cost-benefit
• Create multi-year cost projections
• Obtain executive approval for risk action plans
• Socialize the Risk Report
• Transfer ownership of risk responses to project managers
• Finalize the Risk Management Program Manual

This phase involves the following participants:

• IT risk council
• Relevant business stakeholders
• Representation from senior management team
• Risk business owner

Step 3.1

Monitor IT Risks and Develop Risk Responses

Activities

• 3.1.1 Develop key risk indicators (KRIs) and escalation protocols
• 3.1.2 Establish the reporting schedule
• 3.1.3 Identify and assess risk responses
• 3.1.4 Risk response cost-benefit analysis
• 3.1.5 Create multi-year cost projections

This step involves the following participants:

• IT risk council
• Relevant business stakeholders
• Representation from senior management team
• Business risk owner

Outcomes of this step

• Completed risk event action plans
• Risk responses identified and assessed for top risks
• Risk response selected for top risks

Monitor, Respond, and Report on IT Risk

Use Info-Tech’s Risk Event Action Plan to manage high-priority risks

Manage risks in between risk assessments and create a paper trail for key risks that exceed the unacceptable risk threshold. Use a new form for every high-priority risk that requires tracking.

Risk Event Action Plan

Obtaining sign-off from the senior leadership team or from the ERM office is an important step of the risk management process. The Risk Event Action Plan ensures that high-priority risks are closely monitored and that changes in risk severity are detected and reported.

Clear documentation is a way to ensure that critical information is shared with management so that they can make informed risk decisions. These reports should be succinct yet comprehensive; depending on time and resources, it is good practice to fill out this form and obtain sign-off for the majority of IT risks.

3.1.1 Develop key risk indicators (KRIs) and escalation protocols

Document KRIs, escalation thresholds, and escalation protocols for each risk in a Risk Event Action Plan.

Developing KRIs for success

Examples of KRIs

• Number of resources who quit or were fired who had access to critical data
• Number of risk mitigation initiatives unfunded
• Changes in time horizon of mitigation implementation
• Number of employees who did not report phishing attempts
• Amount of time required to get critical operations access to necessary data
• Number of days it takes to implement a new regulation or compliance control

3.1.2 Establish the reporting schedule

For each risk event, document how frequently the risk owner must report to the IT risk council in the Risk Event Action Plan.

• A clear reporting schedule enforces accountability for each risk event, ensuring that risk owners are fulfilling their monitoring responsibilities.
• The ongoing discussion of risks between assessment cycles also increases overall awareness of how IT risks are not static but constantly evolving.

Reporting	Risk Event
Weekly reports to ITRC
Bi-weekly reports to ITRC
Monthly reports to ITRC
Report to ITRC only if KRI thresholds triggered
No reports; reassessed bi-annually

Use Info-Tech’s tools to identify, analyze, and select risk responses

Identify factors that contribute to the severity of the risk

Environmental factors interact with the root cause to increase the likelihood or impact of the risk event.

3.1.3 Identify and assess risk responses

Record the results in the Risk Event Action Plan.

Take actions to avoid the risk entirely

Risk Avoidance Risk avoidance involves taking evasive maneuvers to avoid the risk event. Risk avoidance targets risk likelihood, decreasing the likelihood of the risk event occurring. Since risk avoidance measures are fairly drastic, the likelihood is often reduced to negligible levels. However, risk avoidance response actions often sacrifice potential benefits to eliminate the possibility of the risk entirely. Typically, risk avoidance measures should only be taken for risk events with extremely high severity and when the severity (expected cost) of the risk event exceeds the cost (benefits sacrificed) of avoiding the risk. Example Risk event: Information security vulnerability from third-party cloud services provider. Risk avoidance action: Store all data in-house. Benefits sacrificed: Cost savings, storage flexibility, etc.

Pursue projects that reduce the likelihood or impact of the risk event

Risk Mitigation

• Risk mitigation actions are risk responses that reduce the likelihood and impact of the risk event.
• Risk mitigation actions can be to either implement new controls or enhance existing ones.

Pursue projects that reduce the likelihood or impact of the risk event (continued)

Use the following IT functions to guide your selection of risk mitigation actions:

Transfer risks to a third party

Risk transfer: the exchange of uncertain future costs for fixed present costs.

Accept risks that fall below established thresholds

Risk Acceptance

Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat.

You may choose to accept a risk event for one of the following three reasons:

1. The risk severity (expected cost) of the risk event falls below acceptability thresholds and does not justify an investment in a risk avoidance, mitigation, or transfer measure.
2. The risk severity (expected cost) exceeds acceptability thresholds but all effective risk avoidance, mitigation, and transfer measures are ineffective or prohibitively expensive.
3. The risk severity (expected cost) exceeds acceptability thresholds but there are no feasible risk avoidance, mitigation, and transfer measures to be implemented.

Info-Tech Insight

Constant monitoring and the assignment of responsibility and accountability for accepted risk events is crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.

3.1.4 Risk response cost-benefit analysis (optional)

The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.

This helps IT make risk-conscious investment decisions that fall within the IT budget and helps the organization make sound budgetary decisions for risk response projects that cannot be addressed by IT’s existing budget.

Instructions: Reopen the Risk Costing Tool. For each risk that you conducted an expected cost assessment in section 2.2 for, find the Excel sheet that corresponds to the risk number (e.g. R001). Identify between one and four risk response options for the risk event and document them in the Risk Costing Tool. The “Risk Response 1” field will be automatically populated with expected cost data for a scenario where no action was taken (risk acceptance). This will serve as a baseline for comparing alternative responses. For the following steps, go through the risk responses one by one. Estimate the first-year cost for the risk response. This cost should reflect initial capital expenditures and first-year operating expenditures.

Record the results in the Risk Costing Tool.

3.1.4 Risk response cost-benefit analysis (continued)

The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.

Instructions:

4. Estimate residual risk likelihood and financial impact for Year 1 with the risk response in place.
   • Rather than estimating the likelihood level (low, medium, high), determine a precise likelihood value of the risk event occurring once the response has been implemented.
   • Estimate the dollar value of financial impacts if the risk event were to occur with the risk response in place.

   The tool will calculate the expected residual cost of the risk event: (Financial Impact x Likelihood) - Costs = Expected Residual Cost

5. Select the highest value risk response and document it in the Risk Register Tool.
6. Document your analysis and recommendations in the Risk Event Action Plan.

Note: See Activity 3.1.5 to build multi-year cost projections for risk responses.

3.1.5 Create multi-year cost projections (optional)

Select between risk response options by projecting their costs and benefits over multiple years.

• It can be difficult to choose between risk response options that require different payment schedules. A risk response project with costs spread out over more than one year (e.g. incremental upgrades to an IT system) may be more advantageous than a project with costs concentrated up front that may cost less in the long run (e.g. replacing the system).
• However, the impact that risk response projects have on reducing risk severity is not necessarily static. For example, an expensive project like replacing a system may drastically reduce the risk severity of a system failure. Whereas, incremental system upgrades may only marginally reduce risk severity in the short term but reach similar levels as a full system replacement in a few years.

Instructions: Calculate expected cost for multiple years using the Risk Costing Tool for: Risk events that are subject to change in severity over time. Risk responses that reduce the severity of the risk gradually. Risk responses that cannot be implemented immediately. Copy and paste the graphs into the Risk Report and the Risk Event Action Plan for the risk event.

Record the results in the Risk Costing Tool.

Step 3.2

Report IT Risk Priorities

Activities

• 3.2.1 Obtain executive approval for risk action plans
• 3.2.2 Socialize the Risk Report
• 3.2.3 Transfer ownership of risk responses to project managers
• 3.2.4 Finalize the Risk Management Program Manual

This step involves the following participants:

• IT risk council
• Relevant business stakeholders
• Representation from senior management team

Outcomes of this step

• Obtained approval for risk action plans
• Communicated IT’s risk recommendations to senior leadership
• Embedded risk management into day-to-day IT operations

Monitor, Respond, and Report on IT Risk

Effectively deliver IT risk expertise to the business

3.2.1 Obtain executive approval for risk action plans

Best Practices and Key Benefits

Best practice is for all acceptable risks to also be signed-off by senior leadership. However, for ITRCs that brainstorm 100+ risks, this may not be possible. If this is the case, prioritize accepted risks that were assessed to be closest to the organization’s thresholds. By receiving a stamp of approval for each key risk from senior management, you ensure that: The organization is aware of important IT risks that may impact business objectives. The organization supports the risk assessment conducted by the ITRC. The organization supports the plan of action and monitoring responsibilities proposed by the ITRC. If a risk event were to occur, the organization holds ultimate accountability.

Task:
All IT risks that were flagged for exceeding the organization’s severity thresholds must obtain sign-off by the CIO or another member of the senior leadership team.

• In the assessment phase, you evaluated risks using severity thresholds approved by the business and determined whether or not they justified a risk response.
• Whether your recommendation was to accept the risk or to analyze possible risk responses, the business should be made aware of most IT risks.

3.2.2 Socialize the risk report

Create a succinct, impactful document that summarizes the outcomes of risk assessment and highlights the IT risk council’s top recommendations to the senior leadership team.

The Risk Report contains: An executive summary page highlighting the main takeaways for senior management: A short summary of results from the most recent risk assessment Dashboard A list of top 10 risks ordered from most severe to least Subsequent individual risk analyses (1 to 10) Detailed risk assessment data Risk responses Risk response analysis Multi-year cost projection (see the following slide) Dashboard Recommendations

Risk Report

Pursue projects that reduce the likelihood or impact of the risk event

Encourage risk awareness to extend the benefits of risk management to every aspect of IT.

Benefits of risk awareness:

• More preventative and proactive approaches to IT projects are discussed and considered.
• Changes to the IT threat landscape are more likely to be detected, communicated, and acted upon.
• IT possesses a realistic perception of its ability to perform functions and provide services.
• Contingency plans are put in place to hedge against risk events.
• Fewer IT risks go unidentified.
• CIOs and business executives make better risk decisions.

Consequences of low risk awareness:

• False confidence about the number of IT risks impacting the organization and their severity.
• Risk-relevant information is not communicated to the ITRC, which may result in inaccurate risk assessments.
• Confusion surrounding whose responsibility it is to consider how risk impacts IT decision making.
• Uncertainty and panic when unanticipated risks impact the IT department and the organization.

Embedding risk management in the IT department is a full-time job

Take concrete steps to increase risk-aware decision making in IT.

The IT risk council plays an instrumental role in fostering a culture of risk awareness throughout the IT department. In addition to periodic risk assessments, fulfilling reporting requirements, and undertaking ongoing monitoring responsibilities, members of the ITRC can take a number of actions to encourage other IT employees to adopt a risk-focused approach, particularly at the project planning stage.

Embedding risk management in the IT department is a full-time job (continued)

Encourage risk awareness by adjusting performance metrics and job titles.

Performance metrics:

Depending on the size of your IT department and the amount of resources dedicated to ongoing risk management, you may consider embedding risk management responsibilities into the performance assessments of certain ITRC members or other IT personnel.

• Personalize the risk management program metrics you have documented in your Risk Management Program Manual.
• Evidence that KPIs are monitored and frequently reported is also a good indicator that risk owners are fulfilling their risk management responsibilities.

Info-Tech Insight

If risk management responsibilities are not built into performance assessments, it is less likely that they will invest time and energy into these tasks. Adding risk management metrics to performance assessments directly links good job performance with good risk management, making it more likely that ITRC activities and initiatives gain traction throughout the IT department.

Job descriptions:

Changing job titles to reflect the focus of an individual’s role on managing IT risk may be a good way to distinguish personnel tasked with developing KRIs and monitoring risks on a week-to-week basis.

• Some examples include IT Risk Officer, IT Risk Manager, and IT Risk Analyst.

3.2.3 Transfer ownership of risk responses to project managers

Once risk responses have obtained approval and funding, it is time to transform them into fully-fledged projects.

• Assign responsibility for executing the specific risk response action to a project manager.
• For advice on how to optimize project management, read Info-Tech’s blueprint Tailor IT Project Management Processes to Fit Your Projects.

3.2.4 Finalize the Risk Management Program Manual

Go back through the Risk Management Program Manual and ensure that the material will accurately reflect your approach to risk management going forward.

Remember, the program manual is a living document that should be evolving alongside your risk management program, reflecting best practices, knowledge, and experiences accrued from your own assessments and experienced risk events.

The best way to ensure that the program manual continues to guide and document your risk management program is to make it the focal point of every ITRC meeting and ensure that one participant is tasked with making necessary adjustments and additions.

Risk Management Program Manual

“Upon completing the Info-Tech workshop, the deliverables that we were left with were really outstanding. We put together a 3-year project plan from a high level, outlining projects that will touch upon our high risk areas.” (Director of Security & Risk, Water Management Company)

Don’t allow your risk management program to flatline

54% of small businesses haven’t implemented controls to respond to the threat of cyber attacks (Source: Insurance Bureau of Canada, 2021)

Don’t be lulled into a false sense of security. It might be your greatest risk.

So you’ve identified the most important IT risks and implemented projects to protect IT and the business.

Unfortunately, your risk assessment is already outdated.

Perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.

To continue the momentum of your newly forged IT risk management program, read Info-Tech’s research on conducting periodic risk assessments and “health checks”:

Revive Your Risk Management Program With a Regular Health Check

• Complete Info-Tech’s Risk Management Health Check to seize the momentum you created by building a robust IT risk management program and create a process for conducting periodic health checks and embedding ongoing risk management into every aspect of IT.
• Our focus is on using data to make IT risk assessment less like an art and more like a science. Ongoing data-driven risk management is self-improving and grounded in historical data.

Appendix I: Familiarize yourself with key risk terminology

Review important risk management terms and definitions.

Appendix II: Likelihood vs. Frequency

Why we measure likelihood, not frequency:

The basic formula of Likelihood x Impact = Severity is a common methodology used across risk management frameworks. However, some frameworks measure likelihood using Frequency rather than Likelihood.

Frequency is typically measured as the number of instances an event occurs over a given period of time (e.g. once per month).

• For risk assessment, historical data regarding the frequency of a risk event is commonly used to indicate the likelihood that the event will happen in the future.

Likelihood is a numerical representation of the “degree of belief” that the risk event will occur in a given future timeframe (e.g. 25% likelihood that the event will occur within the next year).

False Objectivity

While some may argue that frequency provides an objective measurement of likelihood, it is well understood in the field of likelihood theory that historical data regarding the frequency of a risk event may have little bearing over the likelihood of that event happening in the future. Frequency is often an indication of future likelihood but should not be considered an objective measurement of it.

Likelihood scales that use frequency underestimate the magnitude of risks that lack historical precedent. For example, an IT department that has never experienced a high-impact data breach would adopt a very low likelihood score using the frequentist approach. However, if all of the organization’s major competitors have suffered a major breach within the last two years, they ought to possess a much higher degree of belief that the risk event will occur within the next year.

Likelihood is a more comprehensive measurement of future likelihood, as frequency can be used to inform the selection of a likelihood value. The process of selecting intersubjective likelihood values will naturally internalize historical data such as the frequency that the event occurred in the past. Further, the frequency that the event is expected to occur in the future can be captured by the expected impact value. For example, a risk event that has an expected impact per occurrence of $10,000 that is expected to occur three times over the next year has an expected impact of $30,000.

Appendix III: Should max impacts sway decision making?

Don’t just fixate on the most likely impact – be aware of high-impact outcomes. During assessment, risks are evaluated according to their most likely financial impact. For example, a service outage will likely last for two hours and may have an expected cost of $14,000. Naturally, focusing on the most likely financial impact will exclude higher impacts that – while theoretically possible – are so unlikely that they do not warrant any real consideration. For example, it is possible that a service outage could last for days; however, the likelihood for such an event may be well below 1%. While the risk severity level assessment allows you to present impacts as a range of values (e.g. $50,000 to $75,000), the expected cost assessment requires you to select specific values. However, this analysis may fail to consider much higher potential impacts that have non-negligible likelihood values (likelihood values that you cannot ignore). What you consider “non-negligible” will depend on your organizational risk tolerance/appetite. Sometimes called Black Swan events or Fat-Tailed outcomes, high-impact events may occur when the far right of the likelihood distribution – or the “tail” – is thicker than a normal distribution (see fig. 2). A good example is a data breach. While small to medium impacts are far more likely to occur than a devastating intrusion, the high-impact scenario cannot be ignored completely. For risk events that contain non-negligible likelihoods (too high to be ignored) consider elevating the risk severity level or expected cost.

Leverage Info-Tech’s research on security and compliance risk to identify additional risk events

Take Control of Compliance Improvement to Conquer Every Audit	Info-Tech Insight Don’t gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor. Take an agile approach to analyze your gaps and prioritize your remediations. You don’t always have to be fully compliant as long as your organization understands and can live with the consequences.
Develop and Implement a Security Risk Management Program	Info-Tech Insight Security risk management equals cost effectiveness. Time spent upfront identifying and prioritizing risks can mean the difference between spending too much and staying on budget.

Research Contributors and Experts

Research Contributors and Experts

*Plus 10 additional interviewees who wish to remain anonymous.

Bibliography

“2021 State of the CIO.” IDG, 28 January 2021. Web.

“4 Reasons Why CIOs Lose Their Jobs.” Silverton Consulting, 2012. Web.

Beasley, Mark, Bruce Branson, and Bonnie Hancock. “The State of Risk Oversight,” AICPA, April 2021. Web.

COBIT 2019. ISACA, 2019. Web.

“Cognyte jeopardized its database exposing 5 billion records, including earlier data breaches.” SecureBlink, 21 June 2021. Web.

Culp, Steve. “Accenture 2019 Global Risk Management Study, Financial Services Report.” Accenture, 2019. Web.

Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” COSO Committee of Sponsoring Organizations of the Treadway Commission, Deloitte & Touche LLP, 2012. Web.

“Cyber Risk Management.” Insurance Bureau of Canada (IBC), 2022. Web.

Eccles, Robert G., Scott C. Newquist, and Roland Schatz. “Reputation and Its Risks.” Harvard Business Review, February 2007. Web.

Eden, C. and F. Ackermann. Making Strategy: The Journey of Strategic Management. Sage Publications, 1998.

“Enterprise Risk Management Maturity Model.” OECD, 9 February 2021. Web.

Ganguly, Saptarshi, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish. “Digital Risks: Transforming risk management for the 2020s.” McKinsey & Company, 10 February 2017. Web.

“Governance Institute of Australia Risk Management Survey 2020.” Governance Institute of Australia, 2020. Web.

“Guidance on Enterprise Risk Management.” COSO, 2022. Web.

Henriquez, Maria. “The Top 10 Data Breaches of 2021” Security Magazine, 9 December 2021. Web.

Holmes, Aaron. “533 million Facebook users’ phone numbers and personal data have been leaked online.” Business Insider, 3 April 2021. Web.

Bibliography

“Integrated Risk and Compliance Management for Banks and Financial Services Organizations: Benefits of a Holistic Approach.” MetricStream, 2022. Web.

“ISACA’s Risk IT Framework Offers a Structured Methodology for Enterprises to Manage Information and Technology Risk.” ISACA, 25 June 2020. Web.

ISO 31000 Risk Management. ISO, 2018. Web.

Lawton, George. “10 Enterprise Risk Management Trends in 2022.” TechTarget, 2 February 2022. Web.

Levenson, Michael. “MGM Resorts Says Data Breach Exposed Some Guests’ Personal Information.” The New York Times, 19 February 2020. Web.

Management of Risk (M_o_R): Guidance for Practitioners. Office of Government Commerce, 2007. Web.

“Many small businesses vulnerable to cyber attacks.” Insurance Bureau of Canada (IBC), 5 October 2021.

Maxwell, Phil. “Why risk-informed decision-making matters.” EY, 3 December 2019. Web.

“Measuring and Mitigating Reputational Risk.” Marsh, September 2014. Web.

Natarajan, Aarthi. “The Top 6 Business Risks you should Prepare for in 2022.” Diligent, 22 December 2021. Web.

“Operational Risk Management Excellence – Get to Strong Survey: Executive Report.” KMPG and RMA, 2014. Web.

“Third-party risk is becoming a first priority challenge.” Deloitte, 2022. Web.

Thomas, Adam, and Dan Kinsella. “Extended Enterprise Risk Management Survey, 2020.” Deloitte, 2021. Web.

Treasury Board Secretariat. “Guide to Integrated Risk Management.” Government of Canada, 12 May 2016. Web.

Webb, Rebecca. “6 Reasons Data is Key for Risk Management.” ClearRisk, 13 January 2021. Web.

“What is Enterprise Risk Management (ERM)?” RIMS, 2015. Web.

Wiggins, Perry. “Do you spend enough time assessing strategic risks?” CFO, 26 January 2022. Web.