This is a story that should make you perk up.
I know of a department that was eager to launch their new product. The strain was severe. The board was breathing down their necks. Rivals were catching up (or so they thought).
"Let's get this thing live, prove the market wants it, then we'll circle back and handle all the security and stability backlog items." For the product owner, at the time, that seemed the right thing to do.
They were hacked 48 hours after going live.
Customer information was stolen. The brand's reputation suffered. The decision led to a months-long legal nightmare. And they still had to completely rebuild the system. Making stability and security bolt-on items is never a good idea.
See, I understand. When the product owner is pressing for user experience enhancements and you're running out of time for launch, it's easy to overlook those "non-functional requirements." Yet, we should avoid blaming the product owner. The PO is under pressure from many stakeholders, and a delayed launch may also come with significant costs.
Load balancing isn't visible to customers, after all. Penetration testing doesn't excite them. Failure mechanisms don't matter to them. This statement is true until a malfunction impacts a client. Then it suddenly becomes the most important thing in the world.
However, I know that ignoring non-functional requirements (NFRs) can lead to failed businesses (or business lines). This elevates these issues beyond mere technical inconveniences. NFRs are designed with the client in mind.
Look at it this way. When your system crashes during periods of high traffic, how does the user experience change? How satisfied are customers when their personal information is stolen? When it takes 30 seconds for your website to load, how does that conversion rate look?
Let me expose you to some consultant figures. The average cost of IT outages is $5,600 per minute, according to a 2014 Gartner study. That figure can rise to $300,000 per hour for larger businesses. The reality is that in your department, you will rarely reach these numbers. When we look at current (2020-2025) and expected (2026) trends, the typical operational loss numbers in international commercial banking or insurance are closer to 100K for high-impact incidents that are handled within 2–3 hours.
Obviously, your numbers will vary. And if you don't know what your costs are, now would be a good time to discover that. This does not imply that you should simply accept the risks associated with such situations. You must fix or mitigate such opportunities for hackers to get in. Do so at the appropriate cost for your business.
Data breaches are a unique phenomenon. According to IBM's Cost of a Data Breach Report 2025, a data breach typically costs $4.44 million, and detecting and containing it takes an average of 241 days. Some preview data from the 2025 report include that 97% of organizations that reported on the study indicated that they lacked access controls for their AI systems. That means that many companies don't even have the basics in order. And AI-related breaches are just going to accelerate. AI security defenses will help lower the cost of such breaches.
Despite the decreasing cost of these breaches, I anticipate an increase in their frequency in the upcoming years.
This means that non-functional requirements in terms of security and resilience should take a more prominent place in the prioritizations. Your client depends on your systems being safe, resilient, and performant.
And yet, this is where some leaders make mistakes. I have the impression they believe that client-focused design means more functionality and elegant interfaces. They prioritize user experience enhancements over system reliability.
I want to share a key fact that distinguishes successful businesses: customers desire more than just a good product. It must always function for them. And that means following certain procedures. They are not there to hamper you; they are there to retain customers.
88% of online shoppers are less likely to visit a website again after a negative experience, according to research from Forrester. Amazon found that they lose 1% of sales for every 100 ms of latency. That 100 milliseconds adds up to millions of lost profits when billions of dollars are at stake.
You run the risk of more than just technical difficulties when you deprioritize safety. Customer trust, revenue stability, competitive advantage, adherence to the law, costs, and team morale are all at stake.
Allow me to illustrate what I see happening during development cycles.
The team tests the happy flow. The user successfully logs in. The user navigates with ease. The user makes the purchase without any problems. The user logs off without incident.
"Excellent! Publish it!"
However, what occurs if 1000 users attempt to log in at once? What occurs if an attempt is made to insert malicious code into your contact form? During a transaction, what happens if your database connection fails?
These are not extreme situations. These are real-life occurrences.
Fifty percent of data center managers and operators reported having an impactful outage in the previous three years, according to the Uptime Institute's 2025 Global Data Center Survey. Note that this is at the infra level. The biggest contributor is power outages. What role does power play in ensuring a smooth flow? Power will not always flow as you want it, so plan for lack of power and for spikes.
With regard to software failures, the spread of possible causes widens. AI is a big contributor. AI is typically brought in to accelerate development and assist in coding. But it tends to introduce subtle bugs and vulnerabilities that a seasoned developer has to review and solve.
Another upcoming article will discuss how faster release cycles often lead to a rush in testing. This should not be the case; by spending some time automating your (non-)regression test bank, you will gain speed. But you have to invest time in building the test suite.
Can your system handle success? This question should keep every executive awake at night.
I've witnessed businesses invest millions in advertising campaigns to drive traffic to systems that fail due to their success. Consider describing to your board how your greatest marketing victory became your worst operational mishap.
Managing traffic spikes is only one aspect of load balancing. It is about ensuring that your business can handle opportunities without being overwhelmed.
Let's now address the most pressing issue: security.
The majority of leaders consider security to be like insurance, something you hope you never need. The fact that security is more than just protection, however, will alter the way you approach every project. It's approval to develop.
According to the Ponemon Institute's 2025 Cost of Insider Threats Global Report, the average annualized cost of insider threats, defined as employee negligence, criminal insiders, and credential thieves, has risen to $17.4 million per incident, up from $15.4 million in 2022. The number of discovered and analyzed incidents increased from 3,269 in 2018 to 7,868 in 2025 research studies.
Cybersecurity Ventures predicts that cybercrime will cost the global economy $10.5 trillion annually by 2025.
The most fascinating thing, though, is that companies that invest in proactive security see measurable outcomes. Organizations that allocate over 10% of their IT budget to cybersecurity have a 2.5-fold higher chance of experiencing no security incidents than those that allocate less than 1%, per Deloitte's Future of Cyber Survey.
By hardening your systems against common attack vectors, you can scale quickly without worrying about the future. You can handle sensitive data with confidence, enter new markets without fear, establish partnerships that require trust, and focus on innovation instead of crisis management.
Allow me to explain this in a way that will satisfy your CFO.
Retention is equal to reliability. Customers return when a system functions reliably (given you sell items they want). The Harvard Business Review claims that a 5% increase in customer retention rates boosts profits by 25% to 95%. It is five to twenty-five times less expensive to retain customers than to acquire new ones.
Scalability is equal to security. Secure systems can handle larger client volumes, more sensitive data, and higher-value transactions. 69% of board members and C-suite executives think that privacy and cyber risks could affect their company's ability to grow, according to PwC.
Profit is equal to performance. You lose conversions for every second of load time. Google discovered that the likelihood of a bounce rises by 32% as page load time increases from 1 to 3 seconds. It increases by 90% from 1 second to 5 seconds. Walmart discovered that every second improvement in page load time led to a 2% increase in conversions.
Reputation is equal to resilience. Guess which company benefits when your system works while your competitors' systems fail? Failures reduce trust. 71% of consumers will actively advocate against companies they don't trust, and 67% of consumers will stop purchasing from them, according to Edelman's 2023 Trust Barometer. While the 2025 report does not present comparative numbers, distrust impacting consumer behavior is likely to be even more prevalent.
Reframe this discussion with your executives and team
The numbers support this point. Businesses that invest in operational resilience see three times higher profit margins and 2.5 times higher revenue growth than their counterparts, according to McKinsey's 2023 State of Organizations report. In 2025 we see a focus on AI, but the point remains.
These metrics will grab the attention when you're presenting them.
Although the average cost of downtime varies by industry, it is always high.
The impact of a security breach on customer lifetime value is equally uncomfortable. Following a data breach, 78% of consumers will cease interacting with a brand online, and 36% will never do so again, according to Ping Identity's 2023 Consumer Identity Breach Report.
Every second that the system is unavailable results in a rapidly mounting loss of money. That's about $3,170 per minute of full downtime for a business that makes $100 million a year. We're talking about $31,700 per minute for billion-dollar businesses. Again, your experience may differ, but it's important to note that this cost is often unseen yet undeniable. If you want to calculate this more granularly, then I have a calculation method for you that is easy to implement.
There is a discernible trend in the cost of rebuilding versus building correctly the first time. Resolving a problem in production can cost four to five times as much as fixing it during design, and it can cost up to 100 times as much as fixing it during the requirements and design phase, according to IBM's Systems Sciences Institute.
This is what you should do right away.
Please begin by reviewing your current primary systems. When they're under stress, what happens? What occurs if they are attacked? What occurs if they don't work? 40% of businesses that suffer a significant system failure never reopen, although only 23% of organizations have tested their disaster recovery plans in the previous year, according to Gartner. Companies we work with test their systems at least once per year. If the results are unsatisfactory, we conduct a retest to ensure they meet our standards.
Next, please determine the actual cost of addressing issues at a later stage. Add in the costs of customer attrition, security breaches, downtime, and reconstruction. To lend credibility to your calculations, try to work out exact numbers for your company. Industry standards (like in this article) will give you indicators, but you need to know your figures.
Third, recast your non-functional needs as business needs. Consider focusing on strategies for managing success rather than solely discussing load balancing. Instead of discussing security testing, focus on revenue protection.
Fourth, consider safety when defining "done." Until a feature is dependable, secure, and scalable, it isn't considered complete. Projects that incorporate non-functional requirements from the outset have a threefold higher chance of success, per the Standish Group's 2023 Chaos Report.
Fifth, use system dependability as a differentiator in the marketplace. You're up when your rivals are down. You're safe when they're compromised.
I understand that resilience isn't sexy. I am aware that UI enhancements are more exciting than infrastructure resilience.
And yet, I know that businesses that prioritize safety will survive and lead after seeing others thrive and fail based on this one choice. Customers trust them. They are capable of scaling without breaking. Because they are confident that their systems can manage whatever comes next, they are the ones who get a good night's sleep.
Resilient organizations are twice as likely to surpass customer satisfaction goals and are 2.5 times more likely to achieve revenue growth of 10% or more.
Resilience represents the most significant competitive advantage. You have a choice. Just keep in mind that your clients are depending on you to do the job correctly.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This blueprint will help you:
This template will help you to build your proposal to transform your field services.
Many IT teams are struggling to keep up with demand while trying to refocus on customer service. With more remote workers than ever, organizations who have traditionally provided desktop and field services have been revaluating the role of the field service technicians. Add in the price of fuel, and there is even more reason to assess the support model. Often changes to the way IT does support, especially if moving centralized support to an outsourcer, is met with resistance by end users who don’t see the value of phoning someone else when their local technician is still available to problem solve. This speaks to the need to ensure the central group is providing value to end users as well as the technical team. With the challenges of finding the right number of technicians with the right skills, it’s time to rethink remote support and how that can be used to train and upskill the people you have. And it’s time to think about how to use field services tools to make the best use of your technician’s time.
Sandi Conrad
Principal Research Director
Infrastructure & Operations Practice
Info-Tech Research Group
With remote work becoming a normal employee offering for many organizations, self-serve/self-solve becoming more prominent, and a common call out to improve customer service, there is a need to re-examine the way many organizations are supplying onsite support. For organizations with a small number of offices, a central desk with remote tools may be enough or can be combined with a concierge service or technical center, but for organizations with multiple offices it becomes difficult to provide a consistent level of service for all customers unless there is a team onsite for each location. This may not be financially possible if there isn’t enough work to keep a technical team busy full-time.
Where people have a choice between calling a central phone number or talking to the technician down the hall, the in-person experience often wins out. End users may resist changes to in-person support as work is rerouted to a centralized group by choosing to wait for their favorite technician to show up onsite rather than reporting issues centrally. This can make the job of the onsite technician more challenging as they need to schedule time in every visit for unplanned work. And where technicians need to support multiple locations, travel needs to be calculated into lost technician time and costs.
Improving process will be helpful for smaller teams, but as teams expand or work gets more complicated, investment in appropriate tools to support field services technicians will enable them to be more efficient, reduce costs, and improve outcomes when visits are warranted.
With many companies having new work arrangements for users, where remote work may be a permanent offering or if your digital transformation is well underway, this provides an opportunity to rethink how field support needs to be done.
Field services is in-person support delivered onsite at one or more locations. Management of field service technicians may include queue management, scheduling service and maintenance requests, triaging incidents, dispatching technicians, ordering parts, tracking job status, and billing.
Focus on the reasons for the change to ensure the outcome can be met. Common goals include improved customer service, better technician utilization, and increased response time and stability.
|
Customer Intake Provide tools for scheduling technicians, self-serve and self- or assisted-solve through ITSM or CRM-based portal and visual remote tools. |
 |
Triage and Troubleshoot Upgrade remote tools to visual remote solutions to troubleshoot equipment as well as software. Eliminate no-fault-found visits and improve first-time fix rate by visually inspecting equipment before technician deployments. |
|
Improve Communications FSM GPS and SMS updates can be set to notify customers when a technician is close by and can be used for customer sign-off to immediately update service records and launch survey or customer billing where applicable. |
Schedule Technicians Field service management (FSM) ITSM modules will allow skills-based scheduling for remote technicians and determine best route for multi-site visits. |
|
|
Enable Work From Anywhere FSM mobile applications can provide technicians with daily schedules, turn-by-turn directions, access to inventory, knowledge articles, maintenance, and warranty and asset records. Visual remote captures service records and enables access to SMEs. |
Manage Expectations Know where technicians are for routing to emergency calls and managing workload using field service management solutions with GPS. |
Field services management (FSM) software is designed to improve scheduling of technicians by skills and location while reducing travel time and mileage. When integrated with ITSM software, the service record is transferred to the field technician for continuity and to prepare for the job. FSM mobile apps will enable technicians to receive schedule updates through the day and through GPS update the dispatcher as technicians move from site to site.
FSM solutions are designed to manage large teams of technicians, providing automated dispatch recommendations based on skills matching and proximity. |
Routes can be mapped to reduce travel time and mileage and adjusted to respond to emergency requests by technician skills or proximity. Automation will provide suggestions for work allocation. |
Spare parts management may be part of a field services solution, enabling technicians to easily identify parts needed and update real-time inventory as parts are deployed. |
Push notifications in real-time streamline communications from the field to the office, and enable technicians to close service records while in the field. |
Dispatchers can easily view availability, assign work orders, attach notes to work orders, and immediately receive updates if technicians acknowledge or reject a job. |
Maintenance work can be built into online checklists and forms to provide a technician with step-by-step instructions and to ensure a complete review. |
Skills and location-based routing allow dispatchers to be able to see closest tech for emergency deployments. |
Visual remote support tools enable live video sessions to clearly see what the client or field service technician sees, enabling the experts to provide real-time assistance where the experts will provide guidance to the onsite person. Getting a view of the technology will reduce issues with getting the right parts, tools, and technicians onsite and dramatically reduce second visits.
Visual remote tools can provide secure connections through any smartphone, with no need for the client to install an application. |
The technicians can take control of the camera to zoom in, turn on the flashlight for extra lighting, take photos, and save video directly to the tickets. |
Optical character recognition allows automatic text capture to streamline process to check warranty, recalls, and asset history. |
Visual, interactive workflows enhance break/fix and inspections, providing step-by-step guidance visual evidence and using AI and augmented reality to assess the images, and can provide next steps by connecting to a visual knowledgebase. |
Integration with field service management tools will allow information to easily be captured and uploaded immediately into the service record. |
Self-serve is available through many of these tools, providing step-by-step instructions using visual cues. These solutions are designed to work in low-bandwidth environments, using Wi-Fi or cellular service, and sessions can be started with a simple link sent through SMS. |
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Manage organizational risk and viability during the first 30 days of a crisis.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Hold a positioning working session to focus the program around business needs, create solid targets, and create quality champions to get the job done.
Build program requirements and design standard templates that will unite IT quality.
Evaluate the readiness of the department for change and launch the program at the right time and in the right way to transform IT quality.
Facilitate the success of key IT practice areas by operating the Center of Excellence to support the key IT practice areas’ quality initiatives.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Create a quality center of excellence to lead and support quality initiatives.
Position your quality program to meet the needs of your business.
Develop clear targets and create a roadmap to achieve your vision.
Defined Center of Excellence roles & responsibilities.
A firm vision for your program with clearly outlined targets.
A plan for improvements to show dedication to the program and create accountability.
1.1 Identify current quality maturity.
1.2 Craft vision and mission.
1.3 Define scope.
1.4 Determine goals and objectives.
1.5 Specify metrics and critical success factors.
1.6 Develop quality principles.
1.7 Create action plan.
Completed Maturity Assessment
Completed Project Charter
Completed Quality Roadmap
Build the requirements for the quality program, including outputs for quality planning, quality assurance, quality control, and quality improvement.
Defined standards for the quality program.
General templates to be used to unify quality throughout IT.
2.1 Define quality policy, procedures, and guidelines.
2.2 Define your standard Quality Plan.
2.3 Define your standard Quality Review Document.
2.4 Develop your Standard Quality Management Dashboard.
Quality Policy
Standard Quality Plan Template
Standard Quality Review Template
Standard Quality Dashboard
Launch the program and begin quality improvement.
Perform a readiness assessment to ensure your organization is ready to launch its quality program.
Create a communication plan to ensure constant and consistent communication throughout implementation.
3.1 Assess organizational readiness.
3.2 Create a communication plan.
Completed Readiness Assessment
Completed Communication Plan
Have the Center of Excellence facilitate the roll-out of the quality program in your key practice areas.
Initiate ongoing monitoring and reporting processes to enable continuous improvement.
Quality plans for each practice area aligned with the overall quality program.
Periodic quality reviews to ensure plans are being acted upon.
Methodology for implementing corrective measures to ensure quality expectations are met.
4.1 Perform a quality management satisfaction survey.
4.2 Complete a practice area assessment.
4.3 Facilitate the creation of practice area quality plans.
4.4 Populate quality dashboards.
4.5 Perform quality review(s).
4.6 Address issues with corrective and preventative measures.
4.7 Devise a plan for improvement.
4.8 Report on quality outcomes.
Completed Satisfaction Surveys
Practice Area Assessments
Quality Plans (for each practice area)
Quality Reviews (for each practice area)
Quality Improvement Plan
You are looking to lose your dependency on Active Directory (AD), and you need to tackle infrastructure technical debt, but there are challenges:
Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Build all new systems with cloud integration in mind. Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code.
Understand what Active Directory is and why Azure Active Directory does not replace it.
It’s about Kerberos and New Technology LAN Manager (NTLM).
 |
Many organizations that want to innovate and migrate from on-premises applications to software as a service (SaaS) and cloud services are held hostage by their legacy Active Directory (AD). Microsoft did a good job taking over from Novell back in the late 90s, but its hooks into businesses are so deep that many have become dependent on AD services to manage devices and users, when in fact AD falls far short of needed capabilities, restricting innovation and progress. Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD. While Azure AD is a secure authentication store that can contain users and groups, that is where the similarities end. In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially for businesses that have an in-house footprint of servers and applications. If you are a greenfield business and intend to take advantage of software, infrastructure, and platform as a service (SaaS, IaaS, and PaaS), as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD. John Donovan |
Legacy AD was never built for modern infrastructure |
When Microsoft built AD as a free component for the Windows Server environment to replace Windows NT before the demise of Novell Directory Services in 2001, it never meant Active Directory to work outside the corporate network with Microsoft apps and devices. While it began as a central managing system for users and PCs on Microsoft operating systems, with one user per PC, the IT ecosystem has changed dramatically over the last 20 years, with cloud adoption, SaaS, IaaS, PaaS, and everything as a service. To make matters worse, work-from-anywhere has become a serious security challenge. |
|---|---|
Build all new systems with cloud integration in mind |
Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code. Ensure you are engaged when the business is assessing new apps. Stop the practice of the business purchasing apps without IT’s involvement; for example, if your marketing department is asking you for your Domain credentials for a vendor when you were not informed of this purchase. |
Hybrid AD is a solution but not a long-term goal |
Economically, Microsoft has no interest in replacing AD anytime soon. Microsoft wants that revenue and has built components like Azure AD Connect to mitigate the AD dependency issue, which is basically holding your organization hostage. In fact, Microsoft has advised that a hybrid solution will remain because, as we will investigate, Azure AD is not legacy AD. |
Your Challenge |
Common Obstacles |
Info-Tech’s Approach |
|---|---|---|
You are looking to lose your dependency on Active Directory, and you need to tackle infrastructure technical debt, but there are challenges.
|
|
|
Info-Tech Insight
Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.
From NT to the cloud
| AD 2001 | Exchange Server 2003 | SharePoint 2007 | Server 2008 R2 | BYOD Security Risk | All in Cloud 2015 |
|---|---|---|---|---|---|
|
|
|
|
|
|
AD is the backbone of many organizations’ IT infrastructure
73% of organizations say their infrastructure is built on AD.
82% say their applications depend on AD data.
89% say AD enables authenticated access to file servers.
90% say AD is the main source for authentication.
Source: Dimensions research: Active Directory Modernization :
Info-Tech Insight
Organizations fail to move away from AD for many reasons, including:
Physical and logical structure
Authentication, authorization, and auditing
AD creates infrastructure technical debt and is difficult to migrate away from.
Info-Tech Insight
Due to the pervasive nature of Active Directory in the IT ecosystem, IT organizations are reluctant to migrate away from AD to modernize and innovate.
Migration to Microsoft 365 in Azure has forced IT departments’ hand, and now that they have dipped their toe in the proverbial cloud “lake,” they see a way out of the mounting technical debt.
Neglecting Active Directory security
98% of data breaches came from external sources.
85% of data breach took weeks or even longer to discover.
The biggest challenge for recovery after an Active Directory security breach is identifying the source of the breach, determining the extent of the breach, and creating a safe and secure environment.
Info-Tech Insight
Neglecting legacy Active Directory security will lead to cyberattacks. Malicious users can steal credentials and hijack data or corrupt your systems.
AD event logs
84% of organizations that had a breach had evidence of that breach in their event logs.
It’s widely estimated that Active Directory remains at the backbone of 90% of Global Fortune 1000 companies’ business infrastructure (Lepide, 2021), and with that comes risk. The risks include:
AD is dependent on Windows Server
"Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.
That’s why there is no actual ‘migration’ path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc."
– Gregory Hall,
Brand Representative for Microsoft
(Source: Spiceworks)
Note: AD Federated Services (ADFS) is not a replacement for AD. It’s a bolt-on that requires maintenance, support, and it is not a liberating service.
Many companies are:
Given these trends, Active Directory is becoming obsolete in terms of identity management and permissions.
One of the core principles of Azure AD is that the user is the security boundary, not the network.
Kerberos is the default authentication and authorization protocol for AD. Kerberos is involved in nearly everything from the time you log on to accessing Sysvol, which is used to deliver policy and logon scripts to domain members from the Domain Controller.
Info-Tech Insight
If you are struggling to get away from AD, Kerberos and NTML are to blame. Working around them is difficult. Azure AD uses SAML2.0 OpenID Connect and OAuth2.0.
| Feature | Azure AD DS | Self-managed AD DS |
|---|---|---|
| Managed service | ✓ | ✕ |
| Secure deployments | ✓ | Administrator secures the deployment |
| DNS server | ✓ (managed service) | ✓ |
| Domain or Enterprise administrator privileges | ✕ | ✓ |
| Domain join | ✓ | ✓ |
| Domain authentication using NTLM and Kerberos | ✓ | ✓ |
| Kerberos-constrained delegation | Resource-based | Resource-based and account-based |
| Custom OU structure | ✓ | ✓ |
| Group Policy | ✓ | ✓ |
| Schema extensions | ✕ | ✓ |
| AD domain/forest trusts | ✓ (one-way outbound forest trusts only) | ✓ |
| Secure LDAP (LDAPS) | ✓ | ✓ |
| LDAP read | ✓ | ✓ |
| LDAP write | ✓ (within the managed domain) | ✓ |
| Geo-distributed deployments | ✓ | ✓ |
Source: “Compare self-managed Active Directory Domain Services...” Azure documentation, 2022
How AD poses issues that impact the user experience
IT organizations are under pressure to enable work-from-home/work-from-anywhere.
When considering retiring Active Directory from your environment, look at alternatives that can assist with those legacy application servers, handle Kerberos and NTML, and support LDAP.
What to look for
If you are embedded in Windows systems but looking for an alternative to AD, you need a similar solution but one that is capable of working in the cloud and on premises.
Aside from protocols and supporting utilities, also consider additional features that can help you retire your Active Directory while maintaining highly secure access control and a strong security posture.
These are just a few examples of the many alternatives available.
The business is now driving your Active Directory migration
What IT must deal with in the modern world of work:
Organizations are making decisions that impact Active Directory, from enabling work-from-anywhere to dealing with malicious threats such as ransomware. Mergers and acquisitions also bring complexity with multiple AD domains.
The business is putting pressure on IT to become creative with security strategies, alternative authentication and authorization, and migration to SaaS and cloud services.
Discovery |
Assessment |
Proof of Concept |
Migration |
Cloud Operations |
|---|---|---|---|---|
| ☐ Catalog your applications.
☐ Define your users, groups and usage. ☐ Identify network interdependencies and complexity. ☐ Know your security and compliance regulations. ☐ Document your disaster recovery plan and recovery point and time objectives (RPO/RTO). |
☐ Build a methodology for migrating apps to IaaS. ☐ Develop a migration team using internal resources and/or outsourcing. ☐ Use Microsoft resources for specific skill sets. ☐ Map on-premises third-party solutions to determine how easily they will migrate. ☐ Create a plan to retire and archive legacy data. |
☐ Test your workload: Start small and prove value with a phased approach. ☐ Estimate cloud costs. ☐ Determine the amount and size of your compute and storage requirements. ☐ Understand security requirements and the need for network and security controls. ☐ Assess network performance. ☐ Qualify and test the tools and solutions needed for the migration. |
☐ Create a blueprint of your desired cloud environment. ☐ Establish a rollback plan. ☐ Identify tools for automating migration and syncing data. ☐ Understand the implications of the production-day data move. |
☐ Keep up with the pace of innovation. ☐ Leverage 24/7 support via skilled Azure resources. ☐ Stay on top of system maintenance and upgrades. ☐ Consider service-level agreement requirements, governance, security, compliance, performance, and uptime. |
Manage the Active Directory in the Service Desk
SoftwareReviews: Microsoft Azure Active Directory
“2012 Data Breach Investigations Report.” Verizon, 2012. Web.
“2022 Data Breach Investigations Report.” Verizon, 2012. Web.
“22 Best Alternatives to Microsoft Active Directory.” The Geek Page, 16 Feb 2022. Accessed 12 Sept. 2022.
Altieri, Matt. “Infrastructure Technical Debt.” Device 42, 20 May 2019. Accessed Sept 2022.
“Are You Ready to Make the Move from ADFS to Azure AD?’” Steeves and Associates, 29 April 2021. Accessed 28 Sept. 2022.
Blanton, Sean. “Can I Replace Active Directory with Azure AD? No, Here’s Why.” JumpCloud, 9 Mar 2021. Accessed Sept. 2022.
Chai, Wesley, and Alexander S. Gillis. “What is Active Directory and how does it work?” TechTarget, June 2021. Accessed 10 Sept. 2022.
Cogan, Sam. “Azure Active Directory is not Active Directory!” SamCogan.com, Oct 2020. Accessed Sept. 2022.
“Compare Active Directory to Azure Active Directory.” Azure documentation, Microsoft Learn, 18 Aug. 2022. Accessed 12 Sept. 2022.
"Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services." Azure documentation, Microsoft Learn, 23 Aug. 2022. Accessed Sept. 2022.
“Dimensional Research, Active Directory Modernization: A Survey of IT Professionals.” Quest, 2017. Accessed Sept 2022.
Grillenmeier, Guido. “Now’s the Time to Rethink Active Directory Security.“ Semperis, 4 Aug 2021. Accessed Oct. 2013.
“How does your Active Directory align to today’s business?” Quest Software, 2017, accessed Sept 2022
Lewis, Jack “On-Premises Active Directory: Can I remove it and go full cloud?” Softcat, Dec.2020. Accessed 15 Sept 2022.
Loshin, Peter. “What is Kerberos?” TechTarget, Sept 2021. Accessed Sept 2022.
Mann, Terry. “Why Cybersecurity Must Include Active Directory.” Lepide, 20 Sept. 2021. Accessed Sept. 2022.
Roberts, Travis. “Azure AD without on-prem Windows Active Directory?” 4sysops, 25 Oct. 2021. Accessed Sept. 2022.
“Understanding Active Directory® & its architecture.” ActiveReach, Jan 2022. Accessed Sept. 2022.
“What is Active Directory Migration?” Quest Software Inc, 2022. Accessed Sept 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Get an overview of emerging AI applications to understand how they will strengthen a shift-left service support strategy.
Review potential use cases for AI applications to prioritize improvement initiatives and align them to organizational goals.
Develop an ITSM AI strategy to prepare your organization for the coming of cognitive service management, and build a roadmap for implementation.
During peak business hours, I witnessed a straightforward database field addition bring down a whole e-commerce platform. It was meant to be standard procedure, the type of “standard change” that is automatically approved because we have performed it innumerable times.
Adding a field to the end of a table and having applications retrieve data by field name instead of position made the change itself textbook low-impact. There is no need to alter the application or the functional flow. This could have been problematic in the past if you added a field in the middle of the list and it affected the values of other fields, but adding it at the end? That ought to have been impenetrable.
However, it wasn't.
Before I tell you what went wrong, let me explain why this is important to all of the IT professionals who are reading this.
Over the past three decades, industry data has repeatedly supported what this incident taught me: our presumptions about “safe” changes are frequently our greatest weakness. Upon reviewing the ITIL research, I was not surprised to learn that failed changes, many of which were categorized as “standard” or “low-risk,” are responsible for about 80% of unplanned outages.
When you look more closely, the numbers become even more concerning. Since I've been following the Ponemon Institute's work for years, I wasn't surprised to learn that companies with well-established change management procedures have 65% fewer unscheduled outages. The paradox surprised me: many of these “mature” procedures still operate under the premise that safety correlates with repetition.
What I had been observing in the field for decades was confirmed when Gartner released their research showing that standard changes are responsible for almost 40% of change-related incidents. The very changes we consider safe enough to avoid thorough review subtly create some of our greatest risks. IBM's analysis supports the pattern I've seen in innumerable organizations: standard changes cause three times as much business disruption due to their volume and our decreased vigilance around them, whereas emergency changes receive all the attention and scrutiny.
Aberdeen Group data indicates that the average cost of an unplanned outage has increased to $300,000 per hour, with change-related failures accounting for the largest category of preventable incidents. This data makes the financial reality stark.
What precisely went wrong with the addition of that database field that caused our e-commerce platform to crash?
We were unaware that the addition of this one field would cause the database to surpass an internal threshold, necessitating a thorough examination of its execution strategy. In its algorithmic wisdom, the database engine determined that the table structure had changed enough to necessitate rebuilding its access and retrieval mechanisms. Our applications relied on high-speed requests, and the new execution plan was terribly unoptimized for them.
Instead of completing quotes or purchases, customers were spending minutes viewing error pages. All applications began to time out while they awaited data that just wasn't showing up in the anticipated amounts of time. Thousands of transactions were impacted by a single extra field that should have been invisible to the application layer.
The field addition itself was not the primary cause. We assumed that since we had made similar adjustments dozens of times previously, this one would also act in the same way. Without taking into account the hidden complexities of database optimization thresholds, we had categorized it as a standard change based on superficial similarities.
My approach to standard changes was completely altered by this experience, and it is now even more applicable in DevOps-driven environments. Many organizations use pipeline deployments, which produce a standard change at runtime. It's great for speed and reliability, but it can easily fall into the same trap.
However, I have witnessed pipeline deployments result in significant incidents for non-code-related reasons. Due to timing, resource contention, or environmental differences that weren't noticeable in earlier runs, a deployment that performed flawlessly in development and staging abruptly fails in production. Although the automation boosts our confidence, it may also reveal blind spots.
Over the course of thirty years, I have come to the unsettling realization that there is no such thing as a truly routine change in complex systems. Every modification takes place in a slightly different setting, with varying environmental factors, data states, and system loads. What we refer to as “standard changes” are actually merely modifications with comparable processes rather than risk profiles.
For this reason, I support contextual change management. We must consider the system state, timing, dependencies, and cumulative effect of recent changes rather than just categorizing them based on their technical features. After three other changes have changed the system's behavior patterns, a change made at two in the morning on a Sunday with little system load is actually different from the same change made during peak business hours.
Effective change advisory boards must therefore go beyond assessing individual changes separately. I've worked with organizations where the change board carefully considered and approved each modification on its own merits, only to find that the cumulative effect of seemingly unrelated changes led to unexpected interactions and stress on the system. The most developed change management procedures I've come across mandate that their advisory boards take a step back and look at the whole change portfolio over a specified period of time. They inquire whether we are altering the database too frequently during a single maintenance window. Could there be unanticipated interactions between these three different application updates? What is the total resource impact of this week's approved changes?
It's the distinction between forest management and tree management. While each change may seem logical individually, when combined, they can create situations beyond the scope of any single change assessment.
Having worked in this field for thirty years, I've come to the conclusion that our greatest confidences frequently conceal our greatest vulnerabilities. Our primary blind spots frequently arise from the changes we've made a hundred times before, the procedures we've automated and standardized, and the adjustments we've labeled as “routine.”
Whether we should slow down our deployment pipelines or stop using standard changes is not the question. In the current competitive environment, speed and efficiency are crucial. The issue is whether we are posing the appropriate queries before carrying them out. Are we taking into account not only what the change accomplishes but also when it occurs, what else is changing at the same time, and how our systems actually look right now?
I've discovered that the phrase “we've done this before” is more dangerous in IT operations than “what could go wrong?” Because, despite what we may believe, we never actually perform the same action twice in complex systems.
Here is what I would like you to think about: which everyday modifications are subtly putting your surroundings at risk? Which procedures have you standardized or automated to the extent that you no longer challenge their presumptions? Most importantly, when was the last time your change advisory board examined your changes as a cohesive portfolio of system modifications rather than as discrete items on a checklist?
Remember that simple addition to a database field the next time you're tempted to accept a standard change. The most unexpected outcomes can occasionally result from the most routine adjustments.
I'm always up for a conversation if you want to talk about your difficulties with change management.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use this research to identify and quantify the potential security impacts caused by vendors. Use Info-Tech’s approach to look at the security impacts from various perspectives to better prepare for issues that may arise.
By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.
It is time to start looking at risk realistically and move away from “trust but verify” toward zero trust.
Frank Sewell,
Research Director, Vendor Management
Info-Tech Research Group
We are inundated with a barrage of news about security incidents on what seems like a daily basis. In such an environment, it is easy to forget that there are ways to help prevent such things from happening and that they have actual costs if we relax our diligence.
Most people are aware of defense strategies that help keep their organization safe from direct attack and inside threats. Likewise, they expect their trusted partners to perform the same diligence. Unfortunately, as more organizations use cloud service vendors, the risks with n-party vendors are increasing.
Over the last few years, we have learned the harsh lesson that downstream attacks affect more businesses than we ever expected as suppliers, manufacturers of base goods and materials, and rising transportation costs affect the global economy.
“Trust but verify” – while a good concept – should give way to the more effective zero-trust model in favor of knowing it’s not a matter of if an incident happens but when.
|
Your Challenge More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level. A new global change will impact your organization at any given time. Ensure that you monitor threats appropriately and that your plans are flexible enough to manage the inevitable consequences. |
Common Obstacles Identifying and managing a vendor’s potential security risk impacts on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes could introduce new risks. Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals and surprise incidents. |
Info-Tech’s Approach Vendor management practices educate organizations on the potential risks from vendors in your market and suggest creative and alternative ways to avoid and manage them. Prioritize and classify your vendors with quantifiable, standardized rankings. Prioritize focus on your high-risk vendors. Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Security Risk Impact Tool. |
Info-Tech Insight
Organizations must evolve their security risk assessments to be more adaptive to respond to global changes in the market. Ongoing monitoring of third-party vendor risks and holding those vendors accountable throughout the vendor lifecycle are critical to preventing disastrous impacts.
This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.
Out of Scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.
The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.
When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.
Below are some things no one expected to happen in the last few years:
| 62% | 83% | 84% |
|---|---|---|
| Ransomware attacks spiked 62% globally (and 158% in North America alone). | 83% of companies increased organizational focus on third-party risk management in 2020. | In a 2020 survey, 84% of organizations reported having experienced a third-party incident in the last three years. |
| One Trust, 2022 | Help Net Security, 2021 | Deloitte, 2020 |
Due diligence will enable successful outcomes.
Third-Party Vendor: Anyone who provides goods or services to a company or individual in exchange for payment transacted with electronic instructions (Law Insider).
Third-Party Risk: The potential threat presented to organizations’ employee and customer data, financial information, and operations from the organization’s supply chain and other outside parties that provide products and/or services and have access to privileged systems (Awake Security).
It is essential to know not only who your vendors are but also who their vendors are (n-party vendors). Organizations often overlook that their vendors rely on others to support their business, and those layers can add risk to your organization.
Global Pandemic
Very few people could have predicted that a global pandemic would interrupt business on the scale experienced today. Organizations should look at their lessons learned and incorporate adaptable preparations into their security planning and ongoing monitoring moving forward.
Vendor Breaches
The IT market is an ever-shifting environment; more organizations are relying on cloud service vendors, staff augmentation, and other outside resources. Organizations should hold these vendors (and their downstream vendors) to the same levels of security and standards of conduct that they hold their internal resources.
Resource Shortages
A lack of resources is often overlooked, but it’s easily recognized as a reason for a security incident. All too often, companies are unwilling to dedicate resources to their vendors’ security risk assessment and ongoing monitoring needs. Only once an incident occurs do companies decide it is time to reprioritize.
You have made significant investments in availability and disaster recovery – but your ability to recover hasn’t been tested in years. Testing will:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use this research to understand the different types of tests, prioritize and plan tests for your organization, review the results, and establish a cadence for testing.
Use this template to document scope and goals, participants, key pre-test milestones, the test-day schedule, and your findings from the testing exercise.
Identify the tests you will run over the next year and the expertise, governance, process, and funding required to support testing.
[infographic]
Most businesses make significant investments in disaster recovery and technology resilience. Redundant sites and systems, monitoring, intrusion prevention, backups, training, documentation: it all costs time and money.
But does this investment deliver expected value? Specifically, can you deliver service continuity in a way that meets business requirements?
You can’t know the answer without regularly testing recovery processes and systems. And more than just validation, testing helps you deliver service continuity by finding and addressing gaps in your plans and training your staff on recovery procedures.
Use the insights, tools, and templates in this research to create a streamlined and effective resilience testing program that helps validate recovery capabilities and enhance service reliability, availability, and continuity.
Research Director, Infrastructure & Operations
Info-Tech Research Group
Your ChallengeYou have made significant investments in availability and disaster recovery (DR) – but your ability to recover hasn’t been tested in years. Testing will:
|
Common ObstaclesDespite the value testing can offer, actually executing on DR tests is difficult because:
|
Info-Tech's ApproachTake a realistic approach to resilience testing by starting with small, low-risk tests, then iterating with the lessons you’ve learned:
|
If you treat testing as a pass/fail exercise, you aren’t meeting the end goal of improving organizational resilience. Focus on identifying gaps and risks so you can address them before a real disaster hits.
This research is accompanied by templates to help you achieve your goals faster.
1 - Establish the business rationale for DR testing.
2 - Review a range of options for testing.
3 - Prioritize tests that are most valuable to your business.
4 - Create a disaster recovery test plan.
5 - Establish a Test Program to support a regular testing cycle.
Orange activity slides like the one on the left provide directions to help you make key decisions.
Disaster Recovery Test Plan Template
Build a plan for your first disaster recovery test.
This document provides a complete example you can use to quickly build your own plan, including goals, milestones, participants, the test-day schedule, and findings from the after-action review.
“Routine testing is vital to survive a disaster… that’s when muscle memory sets in. If you don’t test your DR plan it falls [in importance], and you never see how routine changes impact it.”
– Jennifer Goshorn
Chief Administrative Officer
Gunderson Dettmer LLP
Info-Tech members estimated even one day of system downtime could lead to significant revenue losses. 
Average estimated potential loss* in thousands of USD due to a 24-hour outage (N=41)
*Data aggregated from 41 business impact analyses (BIAs) conducted with Info-Tech advisory assistance. BIAs evaluate potential revenue loss due to a full day of system downtime, at the worst possible time.
30 minutes
Identify a group of participants who can fill the following roles and inform the discussions around testing in this research. A single person could fill multiple roles and some roles could be filled by multiple people. Many participants will be drawn from the larger DRP team.
Input
|
Output
|
Participants
|
Use Info-Tech’s Create a Right-Sized Disaster Recovery Plan research to identify recovery objectives based on business impact and outline recovery processes. Both are tremendously valuable inputs to your test plans.
IT Disaster Recovery PlanA plan to restore IT services (e.g. applications and infrastructure) following a disruption. A DRP:
|
BCP for Each Business UnitA set of plans to resume business processes for each business unit. A business continuity plan (BCP) is also sometimes called a continuity of operations plan (COOP). BCPs are created and owned by each business unit, and creating a BCP requires deep involvement from the leadership of each business unit. Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization. |
Crisis Management PlanA plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage. Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage. |
15-30 minutes
Identify the value recovery testing for your organization. Use language appropriate for a nontechnical audience. Start with the list below and add, modify, or delete bullet points to reflect your own organization.
Drivers for testing – Examples:
Time-strapped technical staff will sometimes push back on planning and testing, objecting that the team will “figure it out” in a disaster. But the question isn’t whether recovery is possible – it’s whether the recovery aligns with business needs. If your plan is to “MacGyver” a solution on the fly, you can’t know if it’s the right solution for your organization.
Input
|
Output
|
Participants
|
In a tabletop planning exercise, the team walks through a disaster scenario to outline the recovery workflow, and risks or gaps that could disrupt that workflow.
Tabletops are particularly effective because:
2 hours
Tabletop testing is part of our core DRP methodology, Create a Right-Sized Disaster Recovery Plan. This exercise can be run using cue cards, sticky notes, or on a whiteboard; many of our facilitators find building the workflow directly in flowchart software to be very effective.
Use our Recovery Workflow Template as a starting point.
Some tips for running your first tabletop exercise:
Do
|
Don't
|
Input
|
Output
|
Participants
|
In live exercises, some portion of your recovery plans are executed in a way that mimics a real recovery scenario. Some advantages of live testing:
| Boot and smoke test | Turn on a standby system and confirm it boots up correctly. |
| Restore and validate data | Restore data or servers from backup. Confirm data integrity. |
| Parallel testing | Send familiar transactions to production and standby systems. Confirm both systems produce the same result. |
| Failover systems | Shut down the production system and use the standby system in production. |
Most unacceptable downtime is caused by localized issues, such as hardware or software failures, rather than widespread destructive events. Regular local testing can help validate the recovery plan for local issues and improve overall service continuity.
Make local testing a standard step in maintenance work and new deployments to embed resilience considerations in day-to-day activities. Run the same tests in both your primary and your DR environment.
Some examples of localized tests:
Local tests will vary between different services, and local test design is usually best left to the system SMEs. At the same time, centralize reporting to understand where tests are being done.
Investigate whether your IT Service Management or ticketing system can create recurring tasks or work orders to schedule, document, and track test exercises. Tasks can be pre-populated with checklists and documentation to support the test and provide a record of completed tests to support oversight and reporting.
User acceptance testing (UAT) after system recovery is a key step in the recovery process. Like any step in the process, there’s value in testing it before it actually needs to be done. Assign responsibility for building UATs to the person who will be responsible for executing them.
An acceptance test script might look something like the checklist below.
“I cannot stress how important it is to assign ownership of responsibilities in a test; this is the only way to truly mitigate against issues in a test.”
– Robert Nardella
IT Service Management
Certified z/OS Mainframe Professional
Build test scripts and test transactions ahead of time to minimize the amount of new work required during a recovery scenario.
What you get:
What you need:
What you get:
What you need:
What you get:
What you need:
What you get:
What you need:
More complex, challenging, risky, or costly tests, such as full failover tests, can deliver value. But do the high-value, low-effort stuff first!
30-60 minutes
Even if you have an idea of what you need to test and how you want to run those tests, this brainstorming exercise can generate useful ideas for testing that might otherwise have been missed.
The next steps will help you prioritize the list – if needed – to tests that are highest value and lowest effort.
“There are different levels of testing and it is very progressive. I do not recommend my clients to do anything, unless they do it in a progressive fashion. Don’t try to do a live failover test with your users, right out of the box.”
– Steve Tower
Principal Consultant
Prompta Consulting Group
Input
|
Output
|
Participants
|
3-5 days
Building a test plan helps the test run smoothly and can uncover issues with the underlying DRP as you dig into the details.
The test coordinator will own the plan document but will rely on the sponsor to confirm scope and goals, technical SMEs to develop system recovery plans, and business liaisons to create UAT scripts.
Download Info-Tech’s Disaster Recovery Test Plan Template. Use the structure of the template to build your own document, deleting example data as you go. Consider saving a separate copy of this document as an example and working from a second copy.
Key sections of the document include:
Download the Disaster Recovery Test Plan Template
Input
|
Output
|
Participants
|
30-60 minutes
Take time after test exercises – especially large-scale tests with many participants – to consider what went well, what didn’t, and where you can improve future testing exercises. Track lessons learned and next steps at the bottom of your test plan.
Input
|
Output
|
Participants
|
All tests are expected to drive actions to improve resilience, as appropriate. Experience from previous tests will be applied to future testing exercises.
Outputs and lessons learned from testing should help you run future tests.
Testing should get easier over time. But if you’re easily passing every test, it’s a sign that you’re ready to run more challenging tests.
2-4 hours
Regular testing allows you to build on prior tests and helps keep plans current despite changes to your environment.
Keeping a regular testing schedule requires expertise, a process to coordinate your efforts, and a level of governance to provide oversight and ensure testing continues to deliver value. Create a call to action using Info-Tech’s Disaster Recovery Testing Program Summary Template.
The result is a summary document that:
“It is extremely important in the early stages of development to concentrate the focus on actual recoverability and data protection, enhancing these capabilities over time into a fully matured program that can truly test the recovery, and not simply focusing on the testing process itself.”
– Joe Starzyk
Senior Business Development Executive
IBM Global Services
Alton, Yoni. “Ransomware simulators – reality or a bluff?” Palo Alto Blog, 2 May 2022. Accessed 31 Jan 2023.
https://www.paloaltonetworks.com/blog/security-operations/ransomware-simulators-reality-or-a-bluff/
Brathwaite, Shimon. “How to Test your Business Continuity and Disaster Recovery Plan,” Security Made Simple, 13 Nov 2022. Accessed 31 Jan 2023.
https://www.securitymadesimple.org/cybersecurity-blog/how-to-test-your-business-continuity-and-disaster-recovery-plan
The Business Continuity Institute. Good Practice Guidelines: 2018 Edition. The Business Continuity Institute, 2017.
Emigh, Jacqueline. “Disaster Recovery Testing: Ensuring Your DR Plan Works,” Enterprise Storage Forum, 28 May 2019. Accessed 31 Jan 2023.
Disaster Recovery Testing: Ensuring Your DR Plan Works | Enterprise Storage Forum
Gardner, Dana. "Case Study: Strategic Approach to Disaster Recovery and Data Lifecycle Management Pays off for Australia's SAI Global." ZDNet. BriefingsDirect, 26 Apr 2012. Accessed 31 Jan 2023.
http://www.zdnet.com/article/case-study-strategic-approach-to-disaster-recovery-and-data-lifecycle-management-pays-off-for-australias-sai-global/.
IBM. “Section 11. Testing the Disaster Recovery Plan.” IBM, 2 Aug 2021. Accessed 31 Jan 2023. Section 11. Testing the disaster recovery plan - IBM Documentation Lutkevich, Ben and Alexander Gillis. “Chaos Engineering”. TechTarget, Jun 2021. Accessed 31 Jan 2023.
https://www.techtarget.com/searchitoperations/definition/chaos-engineering
Monperrus, Martin. “Principles of Antifragility.” Arxiv Forum, 7 June 2017. Accessed 31 Jan 2023.
https://arxiv.org/ftp/arxiv/papers/1404/1404.3056.pdf
“Principles of Chaos Engineering.” Principles of Chaos Engineering, 2019 March. Accessed 31 Jan 2023.
https://principlesofchaos.org/
Sloss, Benjamin Treynor. “Introduction.” Site Reliability Engineering. Ed. Betsy Beyer. O’Reilly Media, 2017. Accessed 31 Jan 2023.
https://sre.google/sre-book/introduction/
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Build action-based metrics to measure the success of your chatbot proof of concept.
Put business value first to architect your chatbot before implementation.
Continue to grow your chatbot beyond the proof of concept.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Build your strategy.
Calculate your chatbot’s ROI to determine its success.
Organize your chatbot proof of concept (POC) metrics to keep the project on track.
Objectively choose chatbot ticket categories.
1.1 Customize your chatbot ROI calculator.
1.2 Choose your proof of concept ticket categories.
1.3 Design chatbot metrics to measure success.
Chatbot ROI Calculator
Chatbot POC Implementation Roadmap
Chatbot POC Metrics Tool
Architect your chatbot.
Design your integrations with business value in mind.
Begin building chatbot decision trees.
2.1 List and map your chatbot integrations.
2.2 Build your conversation tree library.
Chatbot Integration Map
Chatbot Conversation Tree Library
Architect your chatbot conversations.
Detail your chatbot conversations in the decision trees.
3.1 Build your conversation tree library.
Chatbot Conversation Tree Library
Continually grow your chatbot.
Identify talent for chatbot support.
Create an implementation plan.
4.1 Outline the support responsibilities for your chatbot.
4.2 Build a communication plan.
Chatbot POC RACI
Chatbot POC Communication Plan
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Read our concise Executive Brief to find out how you can reduce your IT cost in the short term while establishing a foundation for long-term sustainment of IT cost containment.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This research offers insight into web analytic tools, key trends in the marketspace, and advanced web analytics techniques. It also provides an overview of the ten top vendors in the marketspace.
Social media management platforms (SMMP) allow businesses to engage with customers more efficiently. Ten years ago, Facebook and Twitter dominated the social media space, but many alternatives have emerged that attract a wide variety of audiences today. Every social media platform has a unique demographic; for instance, LinkedIn attracts an audience looking to develop their professional career, while Snapchat attracts those who want to share their everyday casual experience.
It is important for businesses and brands to engage with all kinds of audiences without alienating a certain group. Domino's, for example, can sell pizzas to business professionals and teenagers alike, so connecting with both customer segments via personalized and meaningful posts in their preferred platform is a great way to grow their business.
To successfully implement a social media management platform, organizations need to ensure they have their requirements and business needs shortlisted and choose vendors that ensure the best return on investment (ROI).
Sai Krishna Rajaramagopalan
Research Specialist, Customer Experience & Application Insights
Info-Tech Research Group
Your Challenge
Common Obstacles
Info-Tech's Approach
Choosing a good SMMP is only the first step. Having great social media managers who understand their audience is essential in maintaining a healthy relationship with your audience.
| Phase 1 | Phase 2 |
|---|---|
|
Call #1: Understand what a social media management platform (SMMP) is. |
Call #3: Define your key SMMP requirements. |
A Guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
The SMMP selection process should be broken into segments:
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
A social media management platform is a software solution that enables businesses and brands to manage multiple social media accounts. It facilitates making posts, monitoring metrics, and engaging with your audience.
An SMMP platform offers many key features, including but not limited to the following capabilities:
Social media management platforms have continuously expanded their features list. It is, however, essential not to get lost in endless features to remain competitive and ensure the best ROI.
Short-form videos are defined as videos less than two minutes long. Shorter videos take substantially less time and effort to consume, making them very attractive for marketing brands to end users. According to a study conducted by Vidyard, more than 50% of viewers end up watching an entire video if it's less than one minute. Another study finds that over 93% of the surveyed brands sold their product or service to a customer through a social media video.
Popular social media platforms such as TikTok, Instagram, YouTube etc. have caught on to this trend and introduced short-form videos, more commonly called "shorts". It's also common for content creators and brands to cut and upload short clips from longer videos to drive more engagement with viewers.
Short-form videos have higher viewership and view time compared to long videos.
|
58% |
About 58% of viewers watch the video to the end if it’s under one minute long. A two-minute video manages to keep around 50% of its viewers till the end. |
|
30% |
Short-form videos have the highest ROI of any social media marketing at 30%. |
Influencer marketing is the collaboration of brands with online influencers and content creators across various social media platforms to market their products and services. Influencers are not necessarily celebrities; they can be any individual with a dedicated community. This makes influencers abundant. For instance, compare the number of popular football players with the number of YouTubers on the planet.
Unlike traditional marketing methods, influencer marketing is effective across different budget levels. This is because the engagement level of small influencers with 10,000 followers is higher than the engagement level of large influencers with millions of followers. If a brand is budget conscious, working with smaller influencers still gives a good ROI. For every dollar spent on influencer marketing, the average ROI is $5.78.
|
61% |
A recent study by Matter found that 61% of consumers trust influencers' recommendations over branded social media content. |
|
According to data gathered by Statista, the influencer marketing industry has more than doubled since 2019. It was worth $16.4 billion in 2022. |
INDUSTRY: Retail
SOURCE: "5 Influencer Marketing Case Studies," HubSpot
H&M was looking to build awareness and desirability around the brand to drive clothing sales during the holiday season. They decided to partner with influencers and align content with each celebrity's personality and lifestyle to create authentic content and messaging for H&M. H&M selected four lesser-known celebrities with highly engaged and devoted social media followings: Tyler Posey, Peyton List, Jana Kramer, and Hannah Simone.
They posted teaser clips across various platforms to create buzz about the campaign a couple of days before the full, one-minute videos were released. Presenting the content two different times enabled H&M to appeal to more viewers and increase the campaign's visibility. Two of the celebrities, List and Kramer, garnered more views and engagement on the short clip than the full video, highlighting that a great short clip can be more effective than long-form content.
The campaign achieved 12 million views on YouTube, 1.3 million likes, 14,000 comments, and 19,000 shares. The average engagement with consumers across all four celebrities was 10%.
Tyler Posey's sponsored video achieved:
Social commerce is the selling of goods and services through social media. This may involve standalone stores on social media platforms or promotions on these platforms which link to traditional e-commerce platforms.
Social media platforms contain more data about consumers than traditional platforms, which allows more accurate targeting of ads and promotions. Additionally, social commerce can place ads on popular influencer stories and posts, taking advantage of influencer marketing without directly involving the influencers.
Popular platforms have opened their own built-in stores. Facebook created Marketplace and Facebook Shops. TikTok soon followed with the TikTok Shopping suite. These stores allow platforms to lower third-party costs and have more control over which products are featured. This also creates a transactional call to action without leaving social media.
2020 saw a sizable increase in social commerce occurring on social media networks, with users making purchases directly from their social accounts.
|
30.8% |
Sales through social commerce are expected to grow about 30.8% per year from 2020 to 2025. The growth rate is expected to increase to 35% in 2026. |
|
46% |
China has the highest social commerce adoption rate in the world, with 46% of all internet users making at least one purchase. The US is second with a 36% adoption rate. |
The Twitter Shop Module allows select brands to showcase products at the top of Twitter business profiles. Users can scroll through a carousel of products on a brand's profile and tap on individual products to read more and make purchases without leaving the platform.
While the results of Twitter's Shop Module experiment are still pending, brands aren't waiting around to sell on the platform. Best Buy and others continue to link to well-formatted product pages directly in their Tweets.
Clear, direct calls to action such as "Pick yours up today" encourage interested audiences to click through, learn more, and review options for purchase. In this social commerce example, Best Buy also makes optimal use of a Tweet's character limit. In just a few words, the brand offers significant savings for a high-quality product, then doubles down with a promotional trade-in offer. Strong imagery is the icing on the cake.
INDUSTRY: Retail
SOURCE: "5 genius social commerce examples," Sprout Social, 2021
Crisis management is the necessary intervention from an organization when negative news spreads across social media platforms. With how interconnected people are due to social media, news can quickly spread across different platforms.
Organizations must be prepared for difficult situations such as negative feedback for a product or service, site outages, real-world catastrophes or disasters, and negative comments toward the social media handle. There are tools that organizations can use to receive real-time updates and be prepared for extreme situations.
While the causes are often beyond control, organizations can prepare by setting up a well-constructed crisis management strategy.
|
75% |
75% of respondents to PwC's Global Crisis Survey said technology has facilitated the coordination of their organization's crisis response team. |
|
69% |
69% of business leaders reported experiencing a crisis over a period of five years, with the average number of crises being three. |
INDUSTRY: Apparel
SOURCE: “Social Media Crisis Management 3 Examples Done Right,” Synthesio
On February 20, 2019, Zion Williamson, a star player from Duke University, suffered a knee injury when a malfunctioning Nike shoe fell apart. This accident happened less than a minute into a highly anticipated game against North Carolina. Media outlets and social media users quickly began talking. ESPN had broadcast the game nationally. On Twitter, former President Barack Obama, who was watching the game courtside, expressed his well-wishes to Williamson, as did NBA giants like LeBron James.
This accident was so high profile that Nike stock dropped 1.7% the following day. Nike soon released a statement expressing its concern and well-wishes for Williamson. The footwear megabrand reassured the world that its teams were "working to identify the issue." The following day, Nike sent a team to Durham, North Carolina, where the game took place. This team then visited Nike's manufacturing site in China and returned with numerous suggestions.
About a month later, Williamson returned to the court with custom shoes, which he told reporters were "incredible." He thanked Nike for creating them.
|
The data quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions. |
|
The emotional footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions. |
|
Comprehensive software reviews to make better IT decisions |
|---|
|
We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy. |
Fact-based reviews of business software from IT professionals.
Product and category reports with state-of-the-art data visualization.
Top-tier data quality backed by a rigorous quality assurance process.
User-experience insight that reveals the intangibles of working with a vendor.
Technology coverage is a priority for Info-Tech and SoftwareReviews provides the most comprehensive unbiased data on today's technology. Combined with the insight of our expert analysts, our members receive unparalleled support in their buying journey.
Est. 2006 | MA, USA | NYSE: HUBS
From attracting visitors to closing customers, HubSpot brings the entire marketing funnel together for less hassle, more control, and an inbound marketing strategy.
Strengths:
Areas to improve:
*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.
HubSpot offers a robust social media management platform that enables organizations to run all social media campaigns from a central location. HubSpot is suitable for a range of midmarket and enterprise use cases. HubSpot offers a free base version of the platform that freelancers and start-ups can take advantage of. The free version can also be used to trial the product prior to deciding on purchase.
However, HubSpot is relatively expensive compared to its competitors. The free tools are not sustainable for growing businesses and some essential features are locked behind professional pricing. The price increase from one tier to another – specifically from starter to professional – is steep, which may discourage organizations looking for a "cheap and cheerful" product.
|
Starter
Professional
Enterprise
|
Est. 2010 | IL, USA | NASDAQ: SPT
People increasingly turn to social media to engage with your business. Sprout Social provides powerful tools to personally connect with customers, solve issues, and create brand advocates.
Strengths:
Areas to improve:
*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.
Sprout Social offers strong social feed management and social customer service capabilities. It also provides powerful analytical tools to monitor multiple social media accounts. The listening functionality helps discover trends and identify gaps and opportunities. It is also one of the very few platforms to provide automated responses to incoming communications, easing the process of managing large and popular brands.
Although the starting price of each tier is competitive, advanced analytics and listening come at a steep additional cost. Adding one additional user to the professional tier costs $299 which is a 75% increase in cost. Sprout Social does not offer a free tier for small businesses to trial.
 | Standard
Professional
Advanced
Enterprise
|
Est. 2008 | BC, CANADA |PRIVATE
Manage social networks, schedule messages, engage your audiences, and measure ROI right from the dashboard.
Strengths:
Areas to improve:
*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.
Hootsuite is one of the largest players in the social media management space with over 18 million users. The solution has great functionality covering all the popular social media platforms like Facebook, Instagram, Twitter, and Pinterest. One popular and well-received feature is the platform’s ability to schedule posts in bulk. Hootsuite also provides an automatic scheduling feature that uses algorithms to determine the optimal time to post to maximize viewership and engagement. Additionally, the platform can pull analytics for all competitors in the same marketspace as the user to compare performance.
Hootsuite offers buyers a 30-day free trial to familiarize with the platform and provides unlimited post scheduling across all their plans. Features like social listening, employee advocacy, and ROI reporting, however, are not included in these plans and require additional purchase.
 | Professional
Team
Business
Enterprise
|
Est. 2009 | NY, USA | NYSE: CXM
With social engagement & sales, you can deliver a positive experience that's true to your brand - no matter where your customers are digitally - from a single, unified platform.
Strengths
Areas to improve:
Sprinklr is a vendor focused on enterprise-grade capabilities that offers a comprehensive unified customer experience management (CXM) platform.
Their product portfolio offers an all-in-one solution set with an extensive list of features to accommodate all marketing and communication needs. Sprinklr comes integrated with products consisting of advertising, marketing, engagement, and sales capabilities. Some of the key functionality specific to social media includes sentiment analysis, social reporting, advanced data filtering, alerts and notifications, competitor analysis, post performance, and hashtag analysis.
Sprinklr – Opaque Pricing:
"Request a Demo"
Est. 1996 | TN, INDIA | PRIVATE
Zoho Social is a complete social media management tool for growing businesses & agencies. It helps schedule posts, monitor mentions, create unlimited reports, and more. Zoho Social is from Zoho.com—a suite of 40+ products trusted by 30+ million users.
*Pricing correct as of August 2021. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.
Zoho differentiates itself from competitors by highlighting integration with other products under the Zoho umbrella – their adjacent tool sets allow organizations to manage emails, projects, accounts, and webinars. Zoho also offers the choice of purchasing their social media management tool without any of the augmented CRM capabilities, which is priced quite competitively.
The social media management tools are offered in three plans. Each plan allows the ability to publish and schedule posts across nine platforms, access summary reports and analytics, and access a Bit.ly integration & URL shortener. The standard and professional plans are limited to one brand and one team member, with the option to add team members or social channels for an additional cost.
YouTube support is exclusive to the premium offering.
 | Standard
Professional
Premium
|
Est. 2012 | CA, USA | PRIVATE
MavSocial is a multi-award-winning, fully integrated social media management & advertising solution for brands and agencies.
Strengths
Areas to improve:
*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.
In addition to social media management, MavSocial is also an excellent content management tool. A centralized platform is offered that can store many photos, videos, infographics, and more, which can be accessed anytime. The solution comes with millions of free stock images to use. MavSocial is a great hybrid social media and content management solution for small and mid-sized businesses and larger brands that have dedicated teams to manage their social media. MavSocial also offers campaign planning and management, scheduling, and social inbox functionality. The entry-level plan starts at $78 per month for three users and 30 profiles. The enterprise plan offers fully configurable and state-of-the-art social media management tools, including the ability to manage Facebook ads.
 | Pro
Business
Enterprise
|
Est. 2019 | TX, USA | PRIVATE
Use the Khoros platform (formerly Spredfast + Lithium) to deliver an all-ways connected experience your customers deserve.
Strengths
Areas to improve:
Khoros is the result of the merger between two social marketing platforms - Spredfast and Lithium. The parent companies have over a decade of experience offering social management tools. Khoros is widely used among many large brands such as StarHub and Randstad. Khoros is another vendor that is primarily focused on large enterprises and does not offer plans for small/medium businesses. Khoros offers a broad range of functionality such as social media marketing, customer engagement, and brand protection with visibility and controls over social media presence. Khoros also offers a social strategic services team to manage content strategy, brand love, reporting, trend tracking, moderation, crisis and community management; this team can be full service or a special ops extension of your in-house crew.
Khoros – Opaque Pricing:
"Request a Demo"
Est. 2009 | UK | PRIVATE
Sendible allows you to manage social networks, schedule messages, engage your audiences, and measure ROI right from one easy-to-use dashboard.
Strengths
Areas to improve:
*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.
Sendible primarily markets itself to agencies rather than individual brands or businesses. Sendible's key value proposition is its integration capabilities. It can integrate with 17 different tools including Meta, Twitter, Instagram, LinkedIn, Google My Business (GMB), YouTube, WordPress, Canva, Google Analytics, and Google Drive. In addition to normal reporting functionality, the Google Analytics integration allows customers to track clickthrough and user behavior for traffic coming from social media channels.
All plans include the functionality to schedule at least ten posts. Sendible offers excellent collaboration tools, allowing teams to work on assigned tasks and have content approved before they are scheduled to ensure quality control. Sendible offers four plans, with the option to save an additional 15% by signing up for annual payments.
|
Creator
Traction
Scale
Custom
|
Est. 2010 | FRANCE | PRIVATE
Agorapulse is an affordable social media dashboard that helps businesses and agencies easily publish content and manage their most important conversations on their social networks.
Strengths
Areas to improve:
*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.
Although Agorapulse offers the solution for both agencies and business, they primarily focus on agencies. In addition to the standard social media management functionality, Agorapulse also offers features such as competitor analysis and Facebook contest apps at an affordable price point. They also offer social inbox functionality, allowing the ability to manage the inbox and reply to any message or comment across all social profiles through a single platform.
The solution is offered in three plans. The pro plan allows ten social profiles and two users. Additional social profiles and users can only be purchased under the premium plan. All plans include ROI calculation for Facebook, but if you want this functionality for other platforms, that's exclusive to the enterprise plan.
 | Pro
Premium
Enterprise
|
Est. 2010 | CA, USA | PRIVATE
A better way to manage social media for your business. Buffer makes it easy to manage your business' social media accounts. Schedule posts, analyze performance, and collaborate with your team — all in one place.
Strengths
Areas to improve:
*Pricing correct as of November 2022. Listed in USD and absent discounts.
See pricing on vendor's website for latest information.
Buffer is a social media platform targeted toward small businesses. It is a great cost-effective option for those who want to manage a few social media profiles, with a free plan that lets one user access three social channels. At $5 per month, it's a great entry point for smaller companies to invest in social media management tools, offering functionality like post scheduling and link shortening and optimization tools for hashtags, tags, and mentions across platforms. All plans provide a browser extension, access to a mobile app, two-factor authentication, social media and email support, and access to the Buffer community. Customers can also trial any of the plans for 14 days before purchasing.
|
Essentials
Team
Agency
|
Establish and execute an end-to-end, Agile framework to succeed with the implementation of a major enterprise application.
Communication
Teams must have a communication strategy. This can be broken into:
Proximity
Distributed teams create complexity as communication can break down. This can be mitigated by:
Trust
Members should trust other members to contribute to the project and complete required tasks on time. Trust can be developed and maintained by:
Knowledge Gained
Processes Optimized
SMMP Vendors Analyzed
Select and Implement a Social Media Management Platform
Improve Requirements Gathering
"30+ Influencer Marketing Statistics You Should Know (2022)." Shopify, www.shopify.com/blog/influencer-marketing-statistics.
"A Brief History of Hootsuite." BrainStation®, 2015, https://brainstation.io/magazine/a-brief-history-of-hootsuite#:~:text=In%202008%2C%20Vancouver%2Dbased%20digital,accounts%20from%20a%20single%20interface.&text=In%202009%2C%20BrightKit's%20name%20changed,a%20capital%20%E2%80%9CS%E2%80%9D).
"About Us." Sprout Social, https://sproutsocial.com/about/#history
"About Zoho - Our Story, List of Products." Zoho, www.zoho.com/aboutus.html.
Adam Rowe, et al. "Sprout Social vs Hootsuite - Which Is Best?: Tech.co 2022." Tech.co, 15 Nov. 2022, https://tech.co/digital-marketing/sprout-social-vs-hootsuite
"Agorapulse Customer Story: Twilio Segment." Segment, https://segment.com/customers/agorapulse/
"Agorapulse - Funding, Financials, Valuation & Investors." Crunchbase, www.crunchbase.com/organization/agorapulse/company_financials.
"Agorapulse Release Notes." Agorapulse Release Notes, https://agorapulse.releasenotes.io/
"Buffer - Funding, Financials, Valuation & Investors." Crunchbase, www.crunchbase.com/organization/buffer/company_financials.
Burton, Shannon. "5 Genius Social Commerce Examples You Can Learn From." Sprout Social, 28 Oct. 2021, https://sproutsocial.com/insights/social-commerce-examples/ .
Chris Gillespie. "How Long Should a Video Be." Vidyard, 17 May 2022, www.vidyard.com/blog/video-length/.
"Consumers Continue to Seek Influencers Who Keep It Real." Matter Communications, 22 Feb 2023. https://www.matternow.com/blog/consumers-seek-influencers-who-keep-it-real/
"Contact Center, Communities, & Social Media Software." Khoros, https://khoros.com/about.
Fennell, Kylie, et al. "Blog." MavSocial, https://mavsocial.com/blog/.
Fuchs, Jay. "24 Stats That Prove Why You Need a Crisis Management Strategy in 2022." HubSpot Blog, HubSpot, 16 Mar. 2022, https://blog.hubspot.com/service/crisis-management-stats
Geyser, Werner. "Key Social Commerce Statistics You Should Know in 2022." Influencer Marketing Hub, http://influencermarketinghub.com/social-commerce-stats/
"Global Crisis Survey 2021: Building resilience for the next normal." PwC, 2021. https://www.pwc.com/ia/es/prensa/pdfs/Global-Crisis-Survey-FINAL-March-18.pdf
"Global Influencer Marketing Value 2016-2022." Statista, 6 Jan 2023, www.statista.com/statistics/1092819/global-influencer-market-size/.
"Key Social Commerce Statistics You Should Know in 2023." Influencer Marketing Hub, December 29, 2022. https://influencermarketinghub.com/social-commerce-stats/
"Khoros - Funding, Financials, Valuation & Investors." Crunchbase, www.crunchbase.com/organization/spredfast/company_financials.
Lin, Ying. "Social Commerce Market Size (2020–2026) ", Oberlo, Oberlo, www.oberlo.com/statistics/social-commerce-market-size#:~:text=Social%20commerce%20statistics%20show%20that,fastest%20and%20slowest%20growth%20rates.
Mediakix, "5 Influencer Marketing Case Studies." HubSpot, n.d. https://cdn2.hubspot.net/hubfs/505330/Influencer-Marketing-5-Case-Studies-Ebook.pdf.
"Our Story: HubSpot - Internet Marketing Company." HubSpot, www.hubspot.com/our-story .
PricewaterhouseCoopers. "69% Of Business Leaders Have Experienced a Corporate Crisis in the Last Five Years Yet 29% of Companies Have No Staff Dedicated to Crisis Preparedness." PwC, 2019. www.pwc.com/gx/en/news-room/press-releases/2019/global-crisis-survey.html.
Ferris, Robert. "Duke Player Zion Williamson Injured When Nike Shoe Blows Apart during Game." CNBC, CNBC, 21 Feb. 2019, www.cnbc.com/2019/02/21/duke-player-zion-williamson-injured-when-nike-shoe-blows-apart-in-game.html.
"Social Engagement & Sales Platform." Sprinklr, www.sprinklr.com/social-engagement/.
"Social Media Analytics & Reporting for Growing Brands." Buffer, https://buffer.com/analyze
"Social Media Management and Advertising Tool." MavSocial, 30 July 2022, https://mavsocial.com/
"Social Media Management Software." HubSpot, www.hubspot.com/products/marketing/social-inbox.
"Social Media Management Software - Zoho Social." Zoho, www.zoho.com/social/
"Social Media Management Tool for Agencies & Brands." Sendible, www.sendible.com/.
"Social Media Management Tools." Sprout Social, 6 Sept. 2022, https://sproutsocial.com/social-media-management/
"Social Media Marketing & Management Platform For Enterprises." Khoros, khoros.com/platform/social-media-management.
"Social Media Monitoring Tool." Agorapulse, www.agorapulse.com/features/social-media-monitoring/.
"Top 12 Moments in SPRINKLR's History." Sprinklr, www.sprinklr.com/blog/12-moments-sprinklr-history/.
Twitter, BestBuy, https://twitter.com/BestBuyCanada
"The Ultimate Guide to Hootsuite." Backlinko, 10 Oct. 2022, https://backlinko.com/hub/content/hootsuite
Widrich, Leo. "From 0 to 1,000,000 Users: The Journey and Statistics of Buffer." Buffer Resources, Buffer Resources, 8 Dec. 2022, buffer.com/resources/from-0-to-1000000-users-the-journey-and-statistics-of-buffer/.
Yeung, Carmen. "Social Media Crisis Management 3 Examples Done Right." Synthesio, 19 Nov. 2021, www.synthesio.com/blog/social-media-crisis-management/.
Securing your hybrid workforce should be an opportunity to get started on the zero trust journey. Realizing the core features needed to achieve this will assist you determine which of the options is a good fit for your organization.
Every organization's strategy to secure their hybrid workforce should include introducing zero trust principles in certain areas. Our unique approach:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
The storyboard contains two easy-to-follow steps on securing your hybrid workforce with zero trust, from assessing the suitability of SASE/SSE to taking a step in building a zero trust roadmap.
Use this tool to identify your next line of action in securing your hybrid workforce by assessing key components that conforms to the ideals and principles of Zero Trust.
Use this document to request proposals from select vendors.
Remote connections like VPNs were not designed to be security tools or to have the capacity to handle a large hybrid workforce; hence, organizations are burdened with implementing controls that are perceived to be "security solutions." The COVID-19 pandemic forced a wave of remote work for employees that were not taken into consideration for most VPN implementations, and as a result, the understanding of the traditional network perimeter as we always knew it has shifted to include devices, applications, edges, and the internet. Additionally, remote work is here to stay as recruiting talent in the current market means you must make yourself attractive to potential hires.
The shift in the network perimeter increases the risks associated with traditional VPN solutions as well as exposing the limitations of the solution. This is where zero trust as a principle introduces a more security-focused strategy that not only mitigates most (if not all) of the risks, but also eliminates limitations, which would enhance the business and improve customer/employee experience.
There are several ways of achieving zero trust maturity, and one of those is SASE, which consolidates security and networking to better secure your hybrid workforce as implied trust is thrown out of the window and verification of everything becomes the new normal to defend the business.
Victor Okorie
Senior Research Analyst, Security and Privacy
Info-Tech Research Group
CISOs are looking to zero trust to fill the gaps associated with their traditional remote setup as well as to build an adaptable security strategy. Some challenges faced include:
The zero trust journey may seem tedious because of a few obstacles like:
Info-Tech provides a three-service approach to helping organizations better secure their hybrid workforce.
Securing your hybrid workforce should be an opportunity to get started on the zero trust journey. Realizing the core features needed to achieve this will assist you in determining which of the options is a good fit for your organization.
The pandemic has shown there is no going back to full on-prem work, and as such, security should be looked at differently with various considerations in mind.
Understand that current hybrid solutions are susceptible to various forms of attack as the threat attack surface area has now expanded with users, devices, applications, locations, and data. The traditional perimeter as we know it has expanded beyond just the corporate network, and as such, it needs a more mature security strategy.
Onboarding and offboarding have been done remotely, and with some growth recorded, the size of companies has also increased, leading to a scaling issue.
Employees are now demanding remote work capabilities as part of contract negotiation before accepting a job.
Attacks have increased far more quickly during the pandemic, and all indications point to them increasing even more.
Scarce available security personnel in the job market for hire.
The number of breach incidents by identity theft.
Source: Security Magazine, 2022.
IT security teams want to adopt zero trust.
Source: Cybersecurity Insiders, 2019.
$1.07m |
$1.76m |
235 |
|---|---|---|
|
Increase in breaches related to remote work |
Cost difference in a breach where zero trust is deployed |
Days to identify a breach |
|
The average cost of a data breach where remote work was a factor rose by $1.07 million in 2021. COVID-19 brought about rapid changes in organizations, and digital transformation changes curbed some of its excesses. Organizations that did not make any digital transformation changes reported a $750,000 higher costs compared to global average. |
The average cost of a breach in an organization with no zero trust deployed was $5.04 million in 2021 compared to the average cost of a breach in an organization with zero trust deployed of $3.28 million. With a difference of $1.76 million, zero trust makes a significant difference. |
Organizations with a remote work adoption rate of 50% took 235 days to identify a breach and 81 days to contain that breach – this is in comparison to the average of 212 days to identify a breach and 75 days to contain that breach. |
Source: IBM, 2021.
The convergence and consolidation of security and network brought about the formation of secure access service edge (SASE – pronounced like "sassy"). Digital transformation, hybrid workforce, high demand of availability, uninterrupted access for employees, and a host of other factors influenced the need for this convergence that is delivered as a cloud service.
The capabilities of a SASE solution being delivered are based on certain criteria, such as the identity of the entity (users, devices, applications, data, services, location), real-time context, continuous assessment and verification of risk and "trust" throughout the lifetime of a session, and the security and compliance policies of the organization.
SASE continuously identifies users and devices, applies security based on policy, and provides secure access to the appropriate and requested application or data regardless of location.
The traditional perimeter security using the castle and moat approach is depicted in the image here. The security shields valuable resources from external attack; however, it isn't foolproof for all kinds of external attacks. Furthermore, it does not protect those valuable resources from insider threat.
This security perimeter also allows for lateral movement when it has been breached. Access to these resources is now considered "trusted" solely because it is now behind the wall/perimeter.
This approach is no longer feasible in our world today where both external and internal threats pose continuous risk and need to be contained.
|
TRADITIONAL INFRASTRUCTURE |
||||
|---|---|---|---|---|
|
NETWORK |
SECURITY |
AUTHENTICATION |
IDENTITY |
ACCESS |
|
|
|
|
|
SASE | ||||
|---|---|---|---|---|
NETWORK | SECURITY | AUTHENTICATION | IDENTITY | ACCESS |
|
|
|
|
|
|
ZERO TRUST |
|
|---|---|
|
TENETS OF ZERO TRUST |
ZERO TRUST PILLARS |
|
|
Securing your hybrid workforce should be an opportunity to get started on the zero trust journey. Realizing the core features needed to achieve this will help you determine which of the options is a good fit for your organization.
PHASE 1
|
PHASE 2 Assess the benefits of adopting SASE or zero trust |
Vendors will try to control the narrative in terms of what they can do for you, but it's time for you to control the narrative and identify pain points to IT and the business, and with that, to understand and define what the vendor solution can do for you. |
|---|---|
|
PHASE 2 Assess the benefits of adopting SASE or zero trust |
Vendors will try to control the narrative in terms of what they can do for you, but it's time for you to control the narrative and identify pain points to IT and the business, and with that, to understand and define what the vendor solution can do for you. |
IT leaders need to examine different areas of their budget and determine how the adoption of a SASE solution could influence several areas of their budget breakdown.
Determining the SASE cost factors early could accelerate the justification the business needs to move forward in making an informed decision.
|
01- Infrastructure |
|
|---|---|
|
02- Administration |
|
|
03- Inbound |
|
|
04- Outbound |
|
|
04- Data Protection |
|
|
06- Monitoring |
|
|
1. Current state and future mitigation |
2. Assess the benefits of moving to SASE/zero trust |
|
|---|---|---|
|
Phase Steps |
1.1 Limitations of legacy infrastructure 1.2 Zero trust principle as a control 1.3 SASE as a driver of zero trust |
2.1 Sourcing out a SASE/SSE vendor 2.2 Build a zero trust roadmap |
|
Phase Outcomes |
Identify and prioritize risks of current infrastructure and several ways to mitigate them. |
RFP template and build a zero trust roadmap. |
The internet is the new corporate network, which opens the organization up to more risks not protected by the current security stack. Using Info-Tech's methodology of zero trust adoption is a sure way to reduce the attack surface, and SASE is one useful tool to take you on the zero trust journey.
Securing your hybrid workforce via zero trust will inevitably include (but is not limited to) technological products/solutions.
SASE and SSE features sit as an overlay here as technological solutions that will help on the zero trust journey by aggregating all the disparate solutions required for you to meet zero trust requirements into a single interface. The knowledge and implementation of this helps put things into perspective of where and what our target state is.
It is critical to choose a solution that addresses the security problems you are actually trying to solve.
Don't allow the solution provider to tell you what you need – rather, start by understanding your capability gaps and then go to market to find the right partner.
Take advantage of the RFP template to source a SASE or SSE vendor. Additionally, build a zero trust roadmap to develop and strategize initiatives and tasks.
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Zero Trust and SASE Suitability Tool
Identify critical and vulnerable DAAS elements to protect and align them to business goals.
Zero Trust Program Gap Analysis Tool
Perform a gap analysis between current and target states to build a zero trust roadmap.
Secure Your Hybrid Workforce With Zero Trust Communication deck
Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.
Phase 1 | Phase 2 |
|---|---|
1.1 Limitations of legacy infrastructure 1.2 Zero trust principle as a control 1.3 SASE as a driver of zero trust | 2.1 Sourcing out a SASE/SSE vendor 2.2 Build a zero trust roadmap |
Ensure you minimize or eliminate weak points on all layers.
There are many limitations that make it difficult for traditional VPNs to adapt to an ever-growing hybrid workforce.
The listed limitations are tied to associated risks of legacy infrastructure as well as security components that are almost non-existent in a VPN implementation today.
VPNs were designed for small-scale remote access to corporate network. An increase in the remote workforce will require expensive hardware investment.
Users and attackers are not restricted to specific network resources, and with an absence of activity logs, they can go undetected.
Due to the reduction in or lack of visibility, threat detections are poorly managed, and responses are already too late.
Limited number of locations for VPN hardware to be situated as it can be expensive.
The increase in the hybrid workforce requires the risk perimeter to be expanded from the corporate network to devices and applications. VPNs are built for privacy, not security.
Hybrid workforces are here to stay, and adopting a strategy that is adaptable, flexible, simple, and cost-effective is a recommended road to take on the journey to bettering your security and network.
Download the Zero Trust - SASE Suitability Assessment Tool
Zero trust/"always verify" is applied to identity, workloads, devices, networks, and data to provide a greater control for risks associated with traditional network architecture.
Zero trust identity and access will lead to a mature IAM process in an organization with the removal of implicit trust.
With a zero trust network architecture (ZTNA), both the remote and on-prem network access are more secure than the traditional network deployment. The software-defined parameter ensures security on each network access.
With zero trust principle applied on identity, workload, devices, network, and data, the threat surface area which births some of the risks identified earlier will be significantly reduced.
Scaling, visibility, network throughput, secure connection from anywhere, micro-segmentation, and a host of other benefits to improve your hybrid workforce.
Security and network initiatives of a zero trust roadmap converged into a single pane of glass.
Security and network converged into a single pane of glass giving you some of the benefits and initiatives of a zero trust implemented architecture in one package.
The identity-centric nature of SASE solutions helps to improve your IAM maturity as it applies the principle of least privilege. The removal of implicit trust and continuous verification helps foster this more.
With ZTNA, both the remote and on-prem network access are more secure than the traditional network deployment. The software defined parameter ensures security on each network access.
Secure web gateway, cloud access security broker, domain name system, next-generation firewall, data loss prevention, and ZTNA protect against data leaks, prevent lateral movement, and prevent malicious actors from coming in.
Reduced costs and complexity of IT, faster user experience, and reduced risk as a result of the scalability, visibility, ease of IT administration, network throughput, secure connection from anywhere, micro-segmentation, and a host of other benefits will surely improve your hybrid workforce.
These features of SASE and zero trust mitigate the risks associated with a traditional VPN and reduce the threat surface area. With security at the core, network optimization is not compromised.
Otherwise known as security service edge (SSE)
Security service edge is the convergence of all security services typically found in SASE. At its core, SSE consists of three services which include:
SSE components are also mitigations or initiatives that make up a zero trust roadmap as they comply with the zero trust principle, and as a result, they sit up there with SASE as an overlay/driver of a zero trust implementation. SSE's benefits are identical to SASE's in that it provides zero trust access, risk reduction, low costs and complexity, and a better user experience. The difference is SSE's sole focus on security services and not the network component.
|
SASE |
|
|---|---|
|
NETWORK FEATURES |
SECURITY FEATURES |
|
|
|
Zero Trust |
SASE | ||
|---|---|---|---|
|
Pros |
Cons |
Pros |
Cons |
|
|
|
|
Use the dashboard to understand the value assessment of adopting a SASE product or building a zero trust roadmap.
This tool will help steer you on a path to take as a form of mitigation/control to some or all the identified challenges.
Phase 1 | Phase 2 |
|---|---|
1.1 Limitations of legacy infrastructure 1.2 Zero trust principle as a control 1.3 SASE as a driver of zero trust | 2.1 Sourcing out a SASE/SSE vendor 2.2 Build a zero trust roadmap |
2.1.1 Use the RFP template to request proposal from vendors
2.1.2 Use SoftwareReviews to compare vendors
Download the RFP Template
2.2.1 Assess the maturity of your current zero trust implementation
2.2.2 Understand business needs and current security projects
2.2.3 Set target maturity state with timeframe
CIO, CISO, IT manager, Infosec team, executives.
Zero Trust Roadmap
Download the Zero Trust Security Benefit Assessment tool
Download the Zero Trust Program Gap Analysis Tool
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop
Contact your account representative for more information
workshops@infotech.com
1-888-670-8889
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Zero Trust - SASE Suitability Assessment Tool
Assess current security capabilities and build a roadmap of tasks and initiatives that close maturity gaps.
Build an Information Security Strategy
Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current state assessment, prioritizing initiatives, and building out a security roadmap.
Determine Your Zero Trust Readiness
IT security was typified by perimeter security. However, the way the world does business has mandated a change to IT security. In response, zero trust is a set of principles that can add flexibility to planning your IT security strategy.
Use this blueprint to determine your zero trust readiness and understand how zero trust can benefit both security and the business.
Mature Your Identity and Access Management Program
Many organizations are looking to improve their identity and access management (IAM) practices but struggle with where to start and whether all areas of IAM have been considered. This blueprint will help you improve the organization's IAM practices by following our three-phase methodology:
"2021 Data Breach Investigations Report." Verizon, 2021. Web.
"Fortinet Brings Networking and Security to the Cloud" Fortinet, 2 Mar. 2021. Web.
"A Zero Trust Strategy Has 3 Needs – Identify, Authenticate, and Monitor Users and Devices on and off the Network." Fortinet, 15 July 2021. Web.
"Applying Zero Trust Principles to Enterprise Mobility." CISA, Mar. 2022. Web.
"CISA Zero Trust Maturity Model." CISA, Cybersecurity Division, June 2021. Web.
"Continuous Diagnostics and Mitigation Program Overview." CISA, Jan. 2022. Web.
"Cost of a Data Breach Report 2021 | IBM." IBM, July 2021. Web.
English, Melanie. "5 Stats That Show The Cost Saving Effect of Zero Trust." Teramind, 29 Sept. 2021. Web.
Hunter, Steve. "The Five Business Benefits of a Zero Trust Approach to Security." Security Brief - Australia, 19 Aug. 2020. Web.
"Improve Application Access and Security With Fortinet Zero Trust Network Access." Fortinet, 2 Mar. 2021. Web.
"Incorporating zero trust Strategies for Secure Network and Application Access." Fortinet, 21 Jul. 2021. Web.
Jakkal, Vasu. "Zero Trust Adoption Report: How Does Your Organization Compare?" Microsoft, 28 July 2021. Web.
"Jericho Forum™ Commandments." The Open Group, Jericho Forum, May 2007. Web.
Schulze, Holger. "2019 Zero Trust Adoption Report." Cybersecurity Insiders, 2019. Web.
"67% of Organizations Had Identity-Related Data Breaches Last Year." Security Magazine, 22 Aug. 2022. Web.
United States, Executive Office of the President Joseph R. Biden, Jr. "Executive Order on Improving the Nation's Cybersecurity." The White House, 12 May 2021. Web.
Organizations consider application oversight a low priority and app portfolio knowledge is poor:
Build an APM program that is actionable and fit for size:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Enterprises have more applications than they need and rarely apply oversight to monitor the health, cost, and relative value of applications to ensure efficiency and minimal risk. This blueprint will help you build a streamlined application portfolio management process.
Visibility into your application portfolio and APM practices will help inform and guide your next steps.
Capture your APM roles and responsibilities and build a repeatable process.
This tool is the central hub for the activities within Application Portfolio Management Foundations.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Work with key corporate stakeholders to come to a shared understanding of the benefits and aspects of application portfolio management.
Establish the goals of APM.
Set the scope of APM responsibilities.
Establish business priorities for the application portfolio.
1.1 Define goals and metrics.
1.2 Define application categories.
1.3 Determine steps and roles.
1.4 Weight value drivers.
Set short- and long-term goals and metrics.
Set the scope for applications.
Set the scope for the APM process.
Defined business value drivers.
Gather information on your applications to build a detailed inventory and identify areas of redundancy.
Populated inventory based on your and your team’s current knowledge.
Understanding of outstanding data and a plan to collect it.
2.1 Populate inventory.
2.2 Assign business capabilities.
2.3 Review outstanding data.
Initial application inventory
List of areas of redundancy
Plan to collect outstanding data
Work with the application subject matter experts to collect and compile data points and determine the appropriate disposition for your apps.
Dispositions for individual applications
Application rationalization framework
3.1 Assess business value.
3.2 Assess end-user perspective.
3.3 Assess TCO.
3.4 Assess technical health.
3.5 Assess redundancies.
3.6 Determine dispositions.
Business value score for individual applications
End-user satisfaction scores for individual applications
TCO score for individual applications
Technical health scores for individual applications
Feature-level assessment of redundant applications
Assigned dispositions for individual applications
Work with application delivery specialists to determine the strategic plans for your apps and place these in your portfolio roadmap.
Prioritized initiatives
Initial application portfolio roadmap
Ongoing structure of APM
4.1 Prioritize initiatives
4.2 Populate roadmap.
4.3 Determine ongoing APM cadence.
4.4 Build APM action plan.
Prioritized new potential initiatives.
Built an initial portfolio roadmap.
Established an ongoing cadence of APM activities.
Built an action plan to complete APM activities.
Many lack visibility into their overall application portfolio, focusing instead on individual projects or application development. Inevitably, application sprawl creates process and data disparities, redundant applications, and duplication of resources and stands as a significant barrier to business agility and responsiveness. The shift from strategic investment to application maintenance creates an unnecessary constraint on innovation and value delivery.
With the rise and convenience of SAAS solutions, IT has an increasing need to discover and support all applications in the organization. Unmanaged and unsanctioned applications can lead to increased reputational risk. What you don’t know WILL hurt you.
You can outsource development, you can even outsource maintenance, but you cannot outsource accountability for the portfolio. Organizations need a holistic dashboard of application performance and dispositions to help guide and inform planning and investment discussions. Application portfolio management (APM) can’t tell you why something is broken or how to fix it, but it is an important tool to determine if an application’s value and performance are up to your standards and can help meet your future goals.
Hans Eckman
Principal Research Director
Info-Tech Research Group
Research Navigation
Managing your application portfolio is essential regardless of its size or whether your software is purchased or developed in house. Each organization must have some degree of application portfolio management to ensure that applications deliver value efficiently and that their risk or gradual decline in technical health is appropriately limited.
|
Your APM goals |
If this describes your primary goal(s) |
|
|
|
|
|
|
|
|
|
Your Challenge |
Common Obstacles |
Info-Tech’s Approach |
|
|
|
Modern software options have decreased the need for organizations to have robust in-house application management capabilities. Your applications’ future and governance of the portfolio still require a centralized IT oversight to ensure the best return on investment.
Source: National Small Business Association, 2019 |
Having more applications than an organization needs means unnecessarily high costs and additional burden on the teams who support the applications. Especially in the case of small enterprises, this is added pressure the IT team cannot afford. A poorly maintained portfolio will eventually hurt the business more than it hurts IT. Legacy systems, complex environments, or anything that leads to a portfolio that can’t adapt to changing business needs will eventually become a barrier to business growth and accomplishing objectives. Often the blame is put on the IT department. |
56%
of small businesses cited inflexible technology as a barrier to growth Source: Salesforce as quoted by Tech Republic, 2019 |
||||||||||||||
A hidden and inefficient application portfolio is the root cause of so many pains experienced by both IT and the business.
The benefits of APM
APM identifies areas where you can reduce core spending and reinvest in innovation initiatives.
Other benefits can include:
Application Inventory
The artifact that documents and informs the business of your application portfolio.
Application Rationalization
The process of collecting information and assessing your applications to determine recommended dispositions.
Application Alignment
The process of revealing application information through interviewing stakeholders and aligning to business capabilities.
Application Roadmap
The artifact that showcases the strategic directions for your applications over a given timeline.
The ongoing practice of:
Product Lifecycle Management
Align your product and service improvement and execution to enterprise strategy and value realization in three key areas: defining your products and services, aligning product/service owners, and developing your product vision.
Product Delivery Lifecycle (Agile DevOps)
Enhance business agility by leveraging an Agile mindset and continuously improving your delivery throughput, quality, value realization, and adaptive governance.
Application Portfolio Management
Transform your application portfolio into a cohesive service catalog aligned to your business capabilities by discovering, rationalizing, and modernizing your applications while improving application maintenance, management, and reuse.
Inefficiencies within your application portfolio are created by the gradual and non-strategic accumulation of applications.
You have more apps than you need.
Only 34% of software is rated as both IMPORTANT and EFFECTIVE by users.
|
Directionless portfolio of applications |
Info-Tech’s Five Lens Model |
Assigned dispositions for individual apps |
||||
|
Application Alignment |
Business Value |
Technical Health |
End-User Perspective |
Total Cost of Ownership (TCO) |
Maintain: Keep the application but adjust its support structure. Modernize: Create a new initiative to address an inadequacy. Consolidate: Create a new initiative to reduce duplicate functionality. Retire: Phase out the application. Disposition: The intended strategic direction or implied course of action for an application. |
|
How well do your apps support your core functions and teams? |
How well are your apps aligned to value delivery? |
Do your apps meet all IT quality standards and policies? |
How well do your apps meet your end users’ needs? |
What is the relative cost of ownership and operation of your apps? |
||
|
Application rationalization requires the collection of several data points that represent these perspectives and act as the criteria for determining a disposition for each of your applications. |
||||||
| Determine Scope and categories | Build your list of applications and capabilities | Score each application based on your values | Determine outcomes based on app scoring and support for capabilities | |||
|---|---|---|---|---|---|---|
|
1. Lay Your Foundations 1.1 Assess the state of your current application portfolio. 1.2 Determine narrative. 1.3 Define goals and metrics. 1.4 Define application categories. 1.5 Determine APM steps and roles (SIPOC). |
⇒ |
2. Improve Your Inventory 2.1 Populate your inventory. 2.2 Align to business capabilities. *Repeat |
⇒ |
3. Rationalize Your Apps 3.1 Assess business value. 3.2 Assess technical health. 3.3 Assess end-user perspective. 3.4 Assess total cost of ownership. *Repeat |
⇒ |
4. Populate Your Roadmap 4.1 Review APM Snapshot results. 4.2 Review APM Foundations results. 4.3 Determine dispositions. 4.4 Assess redundancies (optional). 4.5 Determine dispositions for redundant applications (optional). 4.6 Prioritize initiatives. 4.7 Determine ongoing cadence. *Repeat |
INDUSTRY: Retail
SOURCE: Deloitte, 2017
|
Supermarket Company The grocer was a smaller organization for the supermarket industry with a relatively low IT budget. While its portfolio consisted of a dozen applications, the organization still found it difficult to react to an evolving industry due to inflexible and overly complex legacy systems. The IT manager found himself in a scenario where he knew the applications well but had little awareness of the business processes they supported. Application maintenance was purely in keeping things operational, with little consideration for a future business strategy. As the business demanded more responsiveness to changes, the IT team needed to be able to react more efficiently and effectively while still securing the continuity of the business. The IT manager found success by introducing APM and gaining a better understanding of the business use and future needs for the applications. The organization started small but then increased the scope over time to produce and develop techniques to aid the business in meeting strategic goals with applications. Results The IT manager gained credibility and trust within the organization. The organization was able to build a plan to move away from the legacy systems and create a portfolio more responsive to the dynamic needs of an evolving marketplace. |
The application portfolio management initiative included the following components: Train teams and stakeholders on APM Model the core business processes Collect application inventory Assign APM responsibilities Start small, then grow |
|
1. Lay Your Foundations |
2. Improve Your Inventory |
3. Rationalize Your Apps |
4. Populate Your Roadmap |
|
|---|---|---|---|---|
|
Phase Activities |
1.1 Assess your current application portfolio 1.2 Determine narrative 1.3 Define goals and metrics 1.4 Define application categories 1.5 Determine APM steps and roles |
2.1 Populate your inventory 2.2 Align to business capabilities |
3.1 Assess business value 3.2 Assess technical health 3.3 Assess end-user perspective 3.4 Assess total cost of ownership |
4.1 Review APM Snapshot results 4.2 Review APM Foundations results 4.3 Determine dispositions 4.4 Assess redundancies (optional) 4.5 Determine dispositions for redundant applications (optional) 4.6 Prioritize initiatives 4.7 Determine ongoing APM cadence |
|
Phase Outcomes |
Work with the appropriate management stakeholders to:
|
Gather information on your own understanding of your applications to build a detailed inventory and identify areas of redundancy. |
Work with application subject matter experts to collect and compile data points and determine the appropriate disposition for your apps. |
Work with application delivery specialists to determine the strategic plans for your apps and place these in your portfolio roadmap. |
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.
|
Application Portfolio Management Foundations Playbook |
Application Portfolio Management Snapshot and Foundations Tool |
|
This template allows you to capture your APM roles and responsibilities and build a repeatable process. |
This tool stores all relevant application information and allows you to assess your capability support, execute rationalization, and build a portfolio roadmap. |
|
|
Key deliverable:
Blueprint Storyboard
This is the PowerPoint document you are viewing now. Follow this guide to understand APM, learn how to use the tools, and build a repeatable APM process that will be captured in your playbook.
DIY Toolkit |
Guided Implementation |
Workshop |
Consulting |
| “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” | “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” | “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” | “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” |
Diagnostics and consistent frameworks used throughout all four options
| Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|
|
Call #1: Establish goals and foundations for your APM practice. |
Call #2: Initiate inventory and determine data requirements. |
Call #3: Initiate rationalization with group of applications. Call #4: Review result of first iteration and perform retrospective. |
Call #5: Initiate your roadmap and determine your ongoing APM practice. |
Note: The Guided Implementation will focus on a subset or group of applications depending on the state of your current APM inventory and available time. The goal is to use this first group to build your APM process and models to support your ongoing discovery, rationalization, and modernization efforts.
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our right-sized best practices in your organization. A typical GI, using our materials, is 3 to 6 calls over the course of 1 to 3 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
1. Lay Your Foundations | 2. Improve Your Inventory | 3. Rationalize Your Apps | 4. Populate Your Roadmap | Post Workshop Steps | |
|---|---|---|---|---|---|
Activities | 1.1 Assess your current 1.2 Determine narrative 1.3 Define goals and metrics 1.4 Define application categories 1.5 Determine APM steps and roles | 2.1 Populate your inventory 2.2 Align to business capabilities | 3.1 Assess business value 3.2 Assess technical health 3.3 Assess end-user perspective 3.4 Assess total cost of ownership | 4.1 Review APM Snapshot results 4.2 Review APM Foundations results 4.3 Determine dispositions 4.4 Assess redundancies (optional) 4.5 Determine dispositions for redundant applications (optional) 4.6 Prioritize initiatives 4.7 Determine ongoing APM cadence |
|
Outcomes | Work with the appropriate management stakeholders to:
| Work with your applications team to:
| Work with the SMEs for a subset of applications to:
| Work with application delivery specialists to:
| Info-Tech analysts complete:
|
Note: The workshop will focus on a subset or group of applications depending on the state of your current APM inventory and available time. The goal is to use this first group to build your APM process and models to support your ongoing discovery, rationalization, and modernization efforts.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
|
Outcomes |
1-Day Snapshot |
3-Day Snapshot and Foundations (Key Apps) |
4-Day Snapshot and Foundations (Pilot Area) |
|---|---|---|---|
|
APM Snapshot
|
✓ | ✓ | ✓ |
|
APM Foundations
|
✓ Establish APM practice with a small sample set of apps and capabilities. |
✓ Establish APM practice with a pilot group of apps and capabilities. |
|
APM Lead/Owner (Recommended) ☐ Applications Lead or the individual responsible for application portfolio management, along with any applications team members, if available Key Corporate Stakeholders Depending on size and structure, participants could include: ☐ Head of IT (CIO, CTO, IT Director, or IT Manager) ☐ Head of shared services (CFO, COO, VP HR, etc.) ☐ Compliance Officer, Steering Committee ☐ Company owner or CEO Application Subject Matter Experts Individuals who have familiarity with a specific subset of applications ☐ Business owners (product owners, Head of Business Function, power users) ☐ Support owners (Operations Manager, IT Technician) Delivery Leads ☐ Development Managers ☐ Solution Architects ☐ Project Managers |
1.Diagnostic 
|
5. Foundations: Chart
|
|
2. Data Journey
|
6. App Comparison
|
|
3. Snapshot
|
7. Roadmap
|
|
4. Foundations: Results
|
|
Examples and explanations of these tools are located on the following slides and within the phases where they occur.
One of the primary purposes of application portfolio management is to get what we know and need to know on paper so we can share a common vision and understanding of our portfolio. This enables better discussions and decisions with your application owners and stakeholders.
|
|
TCO, compared relatively to business value, helps determine the practicality of a disposition and the urgency of any call to action. Application alignment is factored in when assessing redundancies and has a separate set of dispositions.
|
Phase 1 1.1 Assess Your Current Application Portfolio 1.2 Determine Narrative 1.3 Define Goals and Metrics 1.4 Define Application Categories 1.5 Determine APM Steps and Roles |
Phase 2 2.1 Populate Your Inventory 2.2 Align to Business Capabilities |
Phase 3 3.1 Assess Business Value 3.2 Assess Technical Health 3.3 Assess End-User Perspective 3.4 Assess Total Cost of Ownership |
Phase 4 4.1 Review APM Snapshot Results 4.2 Review APM Foundations Results 4.3 Determine Dispositions 4.4 Assess Redundancies (Optional) 4.5 Determine Dispositions for Redundant Applications (Optional) 4.6 Prioritize Initiatives 4.7 Determine Ongoing APM Cadence |
This phase involves the following participants:
Applications Lead
Key Corporate Stakeholders
Additional Resources
Building an APM process requires a proper understanding of the underlying business goals and objectives of your organization’s strategy. Effectively identifying these drivers is paramount to gaining buy-in and the approval for any changes you plan to make to your application portfolio.
After identifying these goals, you will need to ensure they are built into the foundations of your APM process.
“What is most critical?” but also “What must come first?”
|
Discover |
Improve |
Transform |
|---|---|---|
|
Collect Inventory Uncover Shadow IT Uncover Redundancies Anticipate Upgrades Predict Retirement |
Reduce Cost Increase Efficiency Reduce Applications Eliminate Redundancy Limit Risk |
Improve Architecture Modernize Enable Scalability Drive Business Growth Improve UX |
One of the primary purposes of application portfolio management is to get what we know and need to know on paper so we can share a common vision and understanding of our portfolio. This enables better discussions and decisions with your application owners and stakeholders.
Estimated time: 1 hour
Download the Application Portfolio Management Diagnostic Tool
| Input | Output |
|
|
| Materials | Participants |
|
|
|
|
|
|
|
|
Portfolio Governance |
Transformative Initiatives |
Event-Driven Rationalization |
|
Improves:
Impact on your rationalization framework:
|
Enables:
Impact on your rationalization framework:
|
Responds to:
Impact on your rationalization framework:
|
Different motivations will influence the appropriate approach to and urgency of APM or, specifically, rationalizing the portfolio. When rationalizing is directly related to enabling or in response to a broader initiative, you will need to create a more structured approach with a formal budget and resources.
Estimated time: 30 minutes-2 hours
Record the results in the APM Snapshot and Foundations Tool
| Input | Output |
|
|
| Materials | Participants |
|
|
|
Root Cause |
IT Pain Points |
Business Pain Points |
Business Goals |
Narrative |
Technical Objectives |
|---|---|---|---|---|---|
|
Sprawl Shadow IT/decentralized oversight Neglect over time Poor delivery processes |
Back-End Complexity Disparate Data/Apps Poor Architectural Fit Redundancy Maintenance Demand/ Low Maintainability Technical Debt Legacy, Aging, or Expiring Apps Security Vulnerabilities Unsatisfied Customers |
Hurdles to Growth/Change Poor Business Analytics Process Inefficiency Software Costs Business Continuity Risk Data Privacy Risk Data/IP Theft Risk Poor User Experience Low-Value Apps |
Scalability Flexibility/Agility Data-Driven Insights M&A Transition Business Unit Consolidation/ Centralization Process Improvement Process Modernization Cost Reduction Stability Customer Protection Security Employee Enablement Business Enablement Innovation |
Create Strategic Alignment Identify specific business capabilities that are incompatible with strategic initiatives. Reduce Application Intensity Highlight the capabilities that are encumbered due to functional overlaps and complexity. Reduce Software Costs Specific business capabilities come at an unnecessarily or disproportionately high cost. Mitigate Business Continuity Risk Specific business capabilities are at risk of interruption or stoppages due to unresolved back-end issues. Mitigate Security Risk Specific business capabilities are at risk due to unmitigated security vulnerabilities or breaches. Increase Satisfaction Applications Specific business capabilities are not achieving their optimal business value. |
Platform Standardization Platform Standardization Consolidation Data Harmonization Removal/Consolidation of Redundant Applications Legacy Modernization Application Upgrades Removal of Low-Value Applications |
Estimated time: 1 hour
Record the results in the APM Snapshot and Foundations Tool
| Input | Output |
|
|
| Materials | Participants |
|
|
|
Goals |
Metric |
Target |
||
|---|---|---|---|---|
|
Short Term |
Improve ability to inform the business |
Leading Indicators |
|
|
|
Improve ownership of applications |
|
|
||
|
Reduce costs of portfolio |
|
|
||
|
Long Term |
Migrate platform |
Lagging Indicators |
|
|
|
Improve overall satisfaction with portfolio |
|
|
||
|
Become more customer-centric |
|
|
|
Code: A body of code that's seen by developers as a single unit. |
|
Functionality: A group of functionality that business customers see as a single unit. |
|
|
Funding: An initiative that those with the money see as a single budget. |
|
| ?: What else? |
“Essentially applications are social constructions.”
Source: Martin Fowler
APM focuses on business applications.
“Software used by business users to perform a business function.”
Unfortunately, that definition is still quite vague.
|
1. Many individual items can be considered applications on their own or components within or associated with an application. |
2. Different categories of applications may be out of scope or handled differently within the activities and artifacts of APM. |
|
Different categories of applications may be out of scope or handled differently within the activities and artifacts of APM.
|
Apps can be categorized by generic categories
|
|
Apps can be categorized by bought vs. built or install types
|
|
|
Apps can be categorized by the application family
|
Apps can be categorized by the group managing them
|
|
Apps can be categorized by tiers
|
Set boundaries on what is an application or the individual unit that you’re making business decisions on. Also, determine which categories of applications are in scope and how they will be included in the activities and artifacts of APM. Use your product families defined in Deliver Digital Products at Scale to help define your application categories, groups, and boundaries.
Estimated time: 1 hour
Record the results in the APM Snapshot and Foundations Tool
| Input | Output |
|
|
| Materials | Participants |
|
|
|
Category |
Definition/Description |
Examples |
Documented in your application inventory? |
Included in application rationalization? |
Listed in your application portfolio roadmap? |
|
Business Application |
End-user facing applications that directly enable specific business functions. This includes enterprise-wide and business-function-specific applications. Separate modules will be considered a business application when appropriate. |
ERP system, CRM software, accounting software |
Yes |
Yes. Unless currently in dev. TCO of the parent application will be divided among child apps. |
Yes |
|
Software Components |
Back-end solutions are self-contained units that support business functions. |
ETL, middleware, operating systems |
No. Documentation in CMDB. These will be listed as a dependency in the application inventory. |
No. These will be linked to a business app and included in TCO estimates and tech health assessments. |
No |
|
Productivity Tools |
End-user-facing applications that enable standard communication of general document creation. |
MS Word, MS Excel, corporate email |
Yes |
No |
Yes |
|
End-User- Built Microsoft Tools |
Single instances of a Microsoft tool that the business has grown dependent on. |
Payroll Excel tool, Access databases |
No. Documentation in Business Tool Glossary. |
No | No |
|
Partner Applications |
Partners or third-party applications that the business has grown dependent on but are internally owned or managed. |
Supplier’s ERP portal, government portal |
No | No |
Yes |
|
Shadow IT |
Business-managed applications. |
Downloaded tools |
Yes |
Yes. However, just from a redundancy perspective. |
Yes |
|
Application Portfolio Manager
|
Business Owner
|
|
Support Owner
|
Project Portfolio Manager
|
Corner-of-the-Desk Approach
Dedicated Approach
Create the full list of applications and capture all necessary attributes.
Engage with appropriate SMEs and collect necessary data points for rationalization.
Apply rationalization framework and toolset to determine dispositions.
Present dispositions for validation and communicate any decisions or direction for applications.
Estimated time: 1-2 hours
Record the results in the APM Snapshot and Foundations Tool
| Input | Output |
|
|
| Materials | Participants |
|
|
|
Suppliers |
Inputs |
Process |
Outputs |
Customers |
|---|---|---|---|---|
|
|
Build Inventory Create the full list of applications and capture all necessary attributes. Resp: Applications Manager & IT team member |
|
|
|
|
Collect & Compile Engage with appropriate SMEs and collect necessary data points for rationalization. Resp: IT team member |
|
|
|
|
Assess & Recommend Apply rationalization framework and toolset to determine dispositions. Resp: Applications Manager |
|
|
|
|
Validate & Roadmap Present dispositions for validation and communicate any decisions or direction for applications. Resp: Applications Manager |
|
|
|
|
Project Intake Build business case for project request. Resp: Project Manager |
|
|
| Discovery | Rationalization | Disposition | Roadmap |
|---|---|---|---|
|
Enter your pilot inventory.
|
Score your pilot apps to refine your rationalization criteria and scoring.
|
Determine recommended disposition for each application.
|
Populate your application roadmap.
|
Phase 1 1.1 Assess Your Current Application Portfolio 1.2 Determine Narrative 1.3 Define Goals and Metrics 1.4 Define Application Categories 1.5 Determine APM Steps and Roles | Phase 2 2.1 Populate Your Inventory 2.2 Align to Business Capabilities | Phase 3 3.1 Assess Business Value 3.2 Assess Technical Health 3.3 Assess End-User Perspective 3.4 Assess Total Cost of Ownership | Phase 4 4.1 Review APM Snapshot Results 4.2 Review APM Foundations Results 4.3 Determine Dispositions 4.4 Assess Redundancies (Optional) 4.5 Determine Dispositions for Redundant Applications (Optional) 4.6 Prioritize Initiatives 4.7 Determine Ongoing APM Cadence |
This phase involves the following participants:
Additional Resources
Document Your Business Architecture
The more information you plan to capture, the larger the time and effort, especially as you move along toward advanced and strategic items. Capture the information most aligned to your objectives to make the most of your investment.
If you completed Deliver Digital Products at Scale, use your product families and products to help define your applications.
Learn more about automated application discovery:
High Application Satisfaction Starts With Discovering Your Application Inventory
Estimated time: 1-4 hours per group
Record the results in the APM Snapshot and Foundations Tool
| Input | Output |
|
|
| Materials | Participants |
|
|
For the purposes of an inventory, business capabilities help all stakeholders gain a sense of the functionality the application provides.
However, the true value of business capability comes with rationalization.
Upon linking all the organization’s applications to a standardized and consistent set of business capabilities, you can then group your applications based on similar, complementary, or overlapping functionality. In other words, find your redundancies and consolidation opportunities.
Important Consideration
Defining business capabilities and determining the full extent of redundancy is a challenging undertaking and often is a larger effort than APM all together.
Business capabilities should be defined according to the unique functions and language of your organization, at varying levels of granularity, and ideally including target-state capabilities that identify gaps in the future strategy.
This blueprint provides a simplified and generic list for the purpose of categorizing similar functionality. We strongly encourage exploring Document Your Business Architecture to help in the business capability defining process, especially when visibility into your portfolio and knowledge of redundancies is poor.
For a more detailed capability mapping, use the Application Portfolio Snapshot and the worksheets in your current workbook.
A business capability map (BCM) is an abstraction of business operations that helps describe what the enterprise does to achieve its vision, mission, and goals. Business capabilities are the building blocks of the enterprise. They are typically defined at varying levels of granularity and include target-state capabilities that identify gaps in the future strategy. These are the people, process, and tool units that deliver value to your teams and customers.
Info-Tech’s Industry Coverage and Reference Architectures give you a head start on producing a BCM fit for your organization. The visual to the left is an example of a reference architecture for the retail industry.
These are the foundational piece for our Application Portfolio Snapshot. By linking capabilities to your supporting applications, you can better visualize how the portfolio supports the organization at a single glance. More specifically, you can highlight how issues with the portfolio are impacting capability delivery.
Reminder: Best practices imply that business capabilities are methodologically defined by business stakeholders and business architects to capture the unique functions and language of your organization.
The approach laid out in this service is about applying minimal time and effort to make the case for proper investment into the best practices, which can include creating a tailored BCM. Start with a good enough example to produce a useful visual and generate a positive conversation toward resourcing and analyses.
We strongly encourage exploring Document Your Business Architecture and the Application Portfolio Snapshot to understand the thorough methods and tactics for BCM.
Having to address redundancy complicates the application rationalization process. There is no doubt that assessing applications in isolation is much easier and allows you to arrive at dispositions for your applications in a timelier manner.
Rationalization has two basic steps: first, collect and compile information, and second, analyze that information and determine a disposition for each application. When you don’t have redundancy, you can analyze an application and determine a disposition in isolation. When you do have redundancies, you need to collect information for multiple applications, likely across departments or lines of business, then perform a comparative analysis.
Most likely your approach will fall somewhere between the examples below and require a hybrid approach.
Benefits of a high-level application alignment:
Estimated time: 1-4 hours per grouping
The APM tool provides up to three different grouping comparisons to assess how well your applications are supporting your enterprise. Although business capabilities are important, identify your organizational perspectives to determine how well your portfolio supports these functions, departments, or value streams. Each grouping should be a consistent category, type, or arrangement of applications.
Record the results in the APM Snapshot and Foundations Tool
| Input | Output |
|
|
| Materials | Participants |
|
|
|
Capability, Department, or Function 1 |
Capability, Department, or Function 2 |
Capability, Department, or Function 3 |
Capability, Department, or Function 4 |
Capability, Department, or Function 5 |
Capability, Department, or Function 6 |
|
|---|---|---|---|---|---|---|
|
Application A |
x | |||||
|
Application B |
x | |||||
|
Application C |
x | |||||
|
Application D |
x | |||||
|
Application E |
x | x | ||||
|
Application F |
x | |||||
|
Application G |
x | |||||
|
Application H |
x | |||||
|
Application I |
x | |||||
|
Application J |
x |
In this example:
BC 1 is supported by App A
BC 2 is supported by App B
BC 3 is supported by Apps C & D
BCs 4 & 5 are supported by App E
BC 6 is supported by Apps F-G. BC 6 shows an example of potential redundancy and portfolio complexity.
The APM tool supports three different Snapshot groupings. Repeat this exercise for each grouping.
Phase 1 1.1 Assess Your Current Application Portfolio 1.2 Determine Narrative 1.3 Define Goals and Metrics 1.4 Define Application Categories 1.5 Determine APM Steps and Roles | Phase 2 2.1 Populate Your Inventory 2.2 Align to Business Capabilities | Phase 3 3.1 Assess Business Value 3.2 Assess Technical Health 3.3 Assess End-User Perspective 3.4 Assess Total Cost of Ownership | Phase 4 4.1 Review APM Snapshot Results 4.2 Review APM Foundations Results 4.3 Determine Dispositions 4.4 Assess Redundancies (Optional) 4.5 Determine Dispositions for Redundant Applications (Optional) 4.6 Prioritize Initiatives 4.7 Determine Ongoing APM Cadence |
This phase involves the following participants:
Additional Resources
Application Rationalization | Additional Information Sources | Ideal Stakeholders |
|---|---|---|
| Business Value
| |
| End User
| |
| TCO
| |
| Technical Health
| |
| Application Alignment
|
Disposition: The intended strategic direction or course of action for an application.
|
Directionless portfolio of applications |
Assigned dispositions for individual apps High-level examples: |
|---|---|
|
|
Maintain: Keep the application but adjust its support structure.
Modernize: Create a new project to address an inadequacy.
Consolidate: Create a new project to reduce duplicate functionality.
Retire: Phase out the application.
|
Directionless portfolio of applications | Info-Tech’s Five Lens Model | Assigned dispositions for individual apps | ||||
| Application Alignment | Business Value | Technical Health | End-User Perspective | Total Cost of Ownership (TCO) | Maintain: Keep the application but adjust its support structure. Modernize: Create a new initiative to address an inadequacy. Consolidate: Create a new initiative to reduce duplicate functionality. Retire: Phase out the application. Disposition: The intended strategic direction or implied course of action for an application. |
How well do your apps support your core functions and teams? | How well are your apps aligned to value delivery? | Do your apps meet all IT quality standards and policies? | How well do your apps meet your end users’ needs? | What is the relative cost of ownership and operation of your apps? | ||
Application rationalization requires the collection of several data points that represent these perspectives and act as the criteria for determining a disposition for each of your applications. Disposition: The intended strategic direction or implied course of action for an application. | ||||||
| The Business | Business Value of Applications | IT |
|---|---|---|
| Keepers of the organization’s mission, vision, and value statements that define IT success. The business maintains the overall ownership and evaluation of the applications. | Technical subject matter experts of the applications they deliver and maintain. Each IT function works together to ensure quality applications are delivered to stakeholder expectations. |
First, the authorities on business value need to define and weigh their value drivers that describe the priorities of the organization.
This will then allow the applications team to apply a consistent, objective, and strategically aligned evaluation of applications across the organization.
In this context…business value is the value of the business outcome that the application produces and how effective the application is at producing that outcome.
Business value IS NOT the user’s experience or satisfaction with the application.
|
Financial vs. Human Benefits Financial benefits refer to the degree to which the value source can be measured through monetary metrics and are often quite tangible. Human benefits refer to how an application can deliver value through a user’s experience. Inward vs. Outward Orientation Inward orientation refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations. Outward orientation refers to value sources that come from your interaction with external factors, such as the market or your customers. |
|
|---|
|
Increased Revenue |
Reduced Costs |
Enhanced Services |
Reach Customers |
|---|---|---|---|
|
Application functions that are specifically related to the impact on your organization’s ability to generate revenue and deliver value to your customers. |
Reduction of overhead. The ways in which an application limits the operational costs of business functions. |
Functions that enable business capabilities that improve the organization’s ability to perform its internal operations. |
Application functions that enable and improve the interaction with customers or produce market information and insights. |
Record the results in the APM Snapshot and Foundations Tool
| Input | Output |
|
|
| Materials | Participants |
|
|
For additional support in implementing a balanced value framework, refer to Build a Value Measurement Framework.
MAINTAINABILITY (RAS)
RAS refers to an app’s reliability, availability, and serviceability. How often, how long, and how difficult is it for your resources to keep an app functioning, and what are the resulting continuity risks? This can include root causes of maintenance challenges.
SECURITY
Applications should be aligned and compliant with ALL security policies. Are there vulnerabilities or is there a history of security incidents? Remember that threats are often internal and non-malicious.
ADAPTABILITY
How easily can the app be enhanced or scaled to meet changes in business needs? Does the app fit within the business strategy?
INTEROPERABILITY
The degree to which an app is integrated with current systems. Apps require comprehensive technical planning and oversight to ensure they connect within the greater application architecture. Does the app fit within your enterprise architecture strategy?
BUSINESS CONTINUITY/DISASTER RECOVERY
The degree to which the application is compatible with business continuity/disaster recovery (BC/DR) policies and plans that are routinely tested and verified.
Unfortunately, the business only cares about what they can see or experience. Rationalization is your opportunity to get risk on the business’ radar and gain buy-in for the necessary action.
Estimated time: 1-4 hours
| Input | Output |
|
|
| Materials | Participants |
|
|
Record the results in the APM Snapshot and Foundations Tool
Data Quality
To what degree do the end users find the data quality sufficient to perform their role and achieve their desired outcome?
Effectiveness
To what degree do the end users find the application effective for performing their role and desired outcome?
Usability
To what degree do the end users find the application reliable and easy to use to achieve their desired outcome?
Satisfaction
To what degree are end users satisfied with the features of this application?
What else matters to you?
Tune your criteria to match your values and priorities.
When facing large user groups, do not make assumptions or use lengthy methods of collecting information. Use Info-Tech’s Application Portfolio Assessment to collect data by surveying your end users’ perspectives.
Estimated time: 1-4 hours
| Input | Output |
|
|
| Materials | Participants |
|
|
Record the results in the APM Snapshot and Foundations Tool
LICENSING AND SUBSCRIPTIONS: Your recurring payments to a vendor.
Many commercial off-the-shelf applications require a license on a per-user basis. Review contracts and determine costs by looking at per-user or fixed rates charged by the vendor.
MAINTENANCE COSTS: Your internal spending to maintain an app.
These are the additional costs to maintain an application such as support agreements, annual maintenance fees, or additional software or hosting expenses.
INDIRECT COSTS: Miscellaneous expenses necessary for an app’s continued use.
Expenses like end-user training, developer education, and admin are often neglected, but they are very real costs organizations pay regularly.
RETURN ON INVESTMENT: Perceived value of the application related to its TCO.
Some of our most valuable applications are the most expensive. ROI is an optional criterion to account for the value and importance of the application.
The TCO assessment is one area where what you are considering the ”application” matters quite a bit. An application’s peripherals or software components need to be considered in your estimates. For additional help calculating TCO, use the Application TCO Calculator from Build a Rationalization Framework.
Estimated time: 1-4 hours
| Input | Output |
|
|
| Materials | Participants |
|
|
Record the results in the APM Snapshot and Foundations Tool
Phase 1 1.1 Assess Your Current Application Portfolio 1.2 Determine Narrative 1.3 Define Goals and Metrics 1.4 Define Application Categories 1.5 Determine APM Steps and Roles | Phase 2 2.1 Populate Your Inventory 2.2 Align to Business Capabilities | Phase 3 3.1 Assess Business Value 3.2 Assess Technical Health 3.3 Assess End-User Perspective 3.4 Assess Total Cost of Ownership | Phase 4 4.1 Review APM Snapshot Results 4.2 Review APM Foundations Results 4.3 Determine Dispositions 4.4 Assess Redundancies (Optional) 4.5 Determine Dispositions for Redundant Applications (Optional) 4.6 Prioritize Initiatives 4.7 Determine Ongoing APM Cadence |
his phase involves the following participants:
Additional Resources
Estimated time: 1-2 hours
| Input | Output |
|
|
Materials | Participants |
|
|
Record the results in the APM Snapshot and Foundations Tool
Estimated time: 1-2 hours
The APM Foundations Results dashboard (“App Rationalization Results” worksheet) provides a detailed summary of your relative app scoring to serve as input to demand planning.
| Input | Output |
|
|
| Materials | Participants |
|
|
Record the results in the APM Snapshot and Foundations Tool
|
|
|
TCO, compared relatively to business value, helps determine the practicality of a disposition and the urgency of any call to action. Application alignment is factored in when assessing redundancies and has a separate set of dispositions.
Estimated time: 1-4 hours
| Input | Output |
|
|
| Materials | Participants |
|
|
Record the results in the APM Snapshot and Foundations Tool
Solving application redundancy is a lot more complicated than simply keeping one application and eliminating the others.
First, you need to understand the extent of the redundancy. The applications may support the same capability, but do they offer the same functions? Determine which apps offer which functions within a capability. This means you cannot accurately arrive at a disposition until you have evaluated all applications.
Next, you need to isolate the preferred system. This is completed by comparing the same data points collected for rationalization and the application alignment analysis. Cost and coverage of all necessary functions become the more important factors in this decision-making process.
Lastly, for the non-preferred redundant applications you need to determine: What will you do with the users? What will you do with the data? And what can you do with the functionality (can the actual coding be merged onto a common platform)?
|
Disposition |
Description & Additional Analysis |
Call to Action (Priority) |
|---|---|---|
|
Keep & Absorb Higher value, health satisfaction, and cost than alternatives |
These are the preferred apps to be kept. However, additional efforts are still required to migrate new users and data and potentially configure the app to new processes. |
Application or Process Initiative (Moderate) |
|
Shift & Retire Lower value, health satisfaction, and cost than alternatives |
These apps will be decommissioned alongside efforts to migrate users and data to the preferred system. *Confirm there are no unique and necessary features. |
Process Initiative & Decommission (Moderate) |
|
Merge Lower value, health satisfaction, and cost than alternatives but still has some necessary unique features |
These apps will be merged with the preferred system onto a common platform. *Determine the unique and necessary features. *Determine if the multiple applications are compatible for consolidation. |
Application Initiative (Moderate) |
Estimated rime: 1 hour per group
This exercise is best performed after aligning business capabilities to applications across the portfolio and identifying your areas of redundancy. At this stage, this is still an information collection exercise, and it will not yield a consolidation-based disposition until applied to all relevant applications. Lastly, this exercise may still be at too high a level to outline the full details of redundancy, but it is still vital information to collect and a starting point to determine which areas require more concentrated analysis.
| Input | Output |
|
|
| Materials | Participants |
|
|
Record the results in the APM Snapshot and Foundations Tool
|
Account Management |
Call Management |
Order/Transaction Processing |
Contract Management |
Lead/Opportunity Management |
Forecasting/Planning |
Customer Surveying |
Email Synchronization |
|
|---|---|---|---|---|---|---|---|---|
| M | M | M | M | S | S | C | W | |
|
CRM 1 |
✓ |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
|
CRM 2 |
✓ | ✓ | ✓ | ✓ | ||||
|
CRM 3 |
✓ | ✓ | ✓ |
Estimated time: 1 hour per group
| Input | Output |
|
|
| Materials | Participants |
|
|
Record the results in the APM Snapshot and Foundations Tool
Roadmaps are used for different communication purposes and at varying points in your application delivery practice. Some use a roadmap to showcase strategy and act as a feedback mechanism that allows stakeholders to validate any changes (process 1). Others may use it to illustrate and communicate approved and granular elements of a change to an application to inform appropriate stakeholders of what to anticipate (process 2).
|
Select Dispositions & Identify New Initiatives |
Add to Roadmap |
Validate Direction |
Plan Project |
Execute Project |
|
Select Dispositions & Identify New Initiatives |
|
Approve Project |
Add to Roadmap |
Execute Project |
The steps between selecting a disposition and executing on any resulting project will vary based on the organization’s project intake standards (or lack thereof).
This blueprint focuses on building a strategic portfolio roadmap prior to any in-depth assessments related to initiative/project intake, approval, and prioritization. For in-depth support related to intake, approval, prioritization, or planning, review the following resources.
|
|
A roadmap should not be limited to what is approved or committed to. A roadmap should be used to present the items that need to happen and begin the discussion of how or if this can be put into place. However, not every idea should make the cut and end up in front of key stakeholders.
Estimated time: 1-4 hours
| Input | Output |
|
|
| Materials | Participants |
|
|
Record the results in the APM Snapshot and Foundations Tool
Info-Tech’s Build an Application Rationalization Framework provides additional TCO and value tools to help build out your portfolio strategy.
| Determine scope and categories | Build your list of applications and capabilities | Score each application based on your values | Determine outcomes based on app scoring and support for capabilities |
|---|---|---|---|
|
1. Lay Your Foundations
|
2. Improve Your Inventory
|
3. Rationalize Your Apps
|
4. Populate Your Roadmap
|
Repeat according to APM cadence and application changes
Estimated time: 1-2 hours
| Input | Output |
|
|
| Materials | Participants |
|
|
Record the results in the APM Snapshot and Foundations Tool
Artifact | Owner | Update Cadence | Update Scope | Audience | Presentation Cadence |
|---|---|---|---|---|---|
Inventory | Greg Dawson |
|
|
|
|
Rationalization Tool | Judy Ng |
|
|
|
|
Portfolio Roadmap | Judy Ng |
|
|
|
|
Worksheet Data Mapping | Application and Capability List | Group Alignment Matrix (1-3) | Rationalization Inputs | Group 1-3 Results | Application Inventory Details | App Rationalization Results | Roadmap | App Redundancy Comparison |
|---|---|---|---|---|---|---|---|---|
Application and Capability List | App list, Groupings | App list | App list, Groupings | App list, Categories | App list, Categories | App list | App list | |
Groups 1-3 Alignment Matrix | App to Group Tracing | |||||||
Application Categories | Category | Category | Category | |||||
Rationalization Inputs | Lens Scores (weighted input to Group score) | Lens Scores (weighted input) | ||||||
Disposition Options | Disposition list, Priorities list, Recommended Disposition and Priority | Lens Scores (weighted input) | ||||||
App Rationalization Results | Disposition |
| Attribute | Description | Common Collection Method |
|---|---|---|
| Name | Organization’s terminology used for the application. | Auto-discovery tools will provide names for the applications they reveal. However, this may not be the organizational nomenclature. You may adapt the names by leveraging pre-existing documentation and internal knowledge or by consulting business users. |
| ID | Unique identifiers assigned to the application (e.g. app number). | Typically an identification system developed by the application portfolio manager. |
| Description | A brief description of the application, often referencing core capabilities. | Typically completed by leveraging pre-existing documentation and internal knowledge or by consulting business users. |
| Business Units | A list of all business units, departments, or user groups. | Consultation, surveys, or interviews with business unit representatives. However, this doesn’t always expose hidden applications. Application-capability mapping is the most effective way to determine all the business units/user groups of an app. |
| Business Capabilities | A list of business capabilities the application is intended to enable. | Application capability mapping completed via interviews with business unit representatives. |
| Criticality | A high-level grading of the importance of the application to the business, typically used for support prioritization purposes (i.e. critical, high, medium, low). | Typically the criticality rating is determined by a committee representing IT and business leaders. |
| Ownership | The individual accountable for various aspect of the application (e.g. product owner, product manager, application support, data owner); typically includes contact information and alternatives. | If application ownership is an established accountability in your organization, typically consulting appropriate business stakeholders will reveal this information. Otherwise, application capability mapping can be an effective means of identifying who that owner should be. |
| Application SMEs | Any relevant subject matter experts who can speak to various aspects of the application (e.g. business process owners, development managers, data architects, data stewards, application architects, enterprise architects). | Technical SMEs should be known within an IT department, but shadow IT apps may require interviews with the business unit. Application capability mapping will determine the identity of those key users/business process SMEs. |
| Type | An indication of whether the application was developed in-house, commercial off-the-shelf, or a hybrid option. | Consultation, surveys, or interviews with product owners or development managers. |
| Active Status | An indication of whether the application is currently active, out of commission, in repair, etc. | Consultation, surveys, or interviews with product owners or operation managers. |
| Attribute | Description | Common Collection Method |
|---|---|---|
| Vendor Information | Identification of the vendor from whom the software was procured. May include additional items such as the vendor’s contact information. | Consultation with business SMEs, end users, or procurement teams, or review of vendor contracts or license agreements. |
| Links to Other Documentation | Pertinent information regarding the other relevant documentation of the application (e.g. SLA, vendor contracts, data use policies, disaster recovery plan). Typically includes links to documents. | Consultation with product owners, service providers, or SMEs, or review of vendor contracts or license agreements. |
| Number of Users | The current number of users for the application. This can be based on license information but will often require some estimation. Can include additional items of quantities at different levels of access (e.g. admin, key users, power users). | Consultation, surveys, or interviews with product owners or appropriate business SMEs or review of vendor contracts or license agreements. Auto-discovery tools can reveal this information. |
| Software Dependencies | List of other applications or operating components required to run the application. | Consultation with application architects and any architectural tools or documentation. This information can begin to reveal itself through application capability mapping. |
| Hardware Dependencies | Identification of any hardware or infrastructure components required to run the application (i.e. databases, platform). | Consultation with infrastructure or enterprise architects and any architectural tools or documentation. This information can begin to reveal itself through application capability mapping. |
| Development Language | Coding language used for the application. | Consultation, surveys, or interviews with development managers or appropriate technical SMEs. |
| Platform | A framework of services that application programs rely on for standard operations. | Consultation, surveys, or interviews with infrastructure or development managers. |
| Lifecycle Stage | Where an application is within the birth, growth, mature, end-of-life lifecycle. | Consultation with business owners and technical SMEs. |
| Scheduled Updates | Any major or minor updates related to the application, including the release date. | Consultation with business owners and vendor managers. |
| Planned or In-Flight Projects | Any projects related to the application, including estimated project timeline. | Consultation with business owners and project managers. |
”2019 Technology & Small Business Survey.” National Small Business Association (NSBA), n.d. Accessed 1 April 2020.
“Application Rationalization – Essential Part of the Process for Modernization and Operational Efficiency.” Flexera, 2015. Web.
“Applications Rationalization during M&A: Standardize, Streamline, Simplify.” Deloitte Consulting, 2016. Web.
Bowling, Alan. “Clearer Visibility of Product Roadmaps Improves IT Planning.” ComputerWeekly.com, 1 Nov. 2010. Web.
Brown, Alex. “Calculating Business Value.” Agile 2014 Orlando, 13 July 2014. Scrum Inc. 2014. Web.
Brown, Roger. “Defining Business Value.” Scrum Gathering San Diego 2017. Agile Coach Journal. Web.
“Business Application Definition.” Microsoft Docs, 18 July 2012. Web.
“Connecting Small Businesses in the US.” Deloitte Consulting, 2017. Accessed 1 April. 2020.
Craveiro, João. “Marty meets Martin: connecting the two triads of Product Management.” Product Coalition, 18 Nov. 2017. Web.
Curtis, Bill. “The Business Value of Application Internal Quality.” CAST, 6 April 2009. Web.
Fleet, Neville, Joan Lasselle, and Paul Zimmerman. “Using a Balance Scorecard to Measure the Productivity and Value of Technical Documentation Organizations.” CIDM, April 2008. Web.
Fowler, Martin. “Application Boundary.” MartinFowler.com, 11 Sept. 2003. Web.
Harris, Michael. “Measuring the Business Value of IT.” David Consulting Group, 2007. Web.
“How Application Rationalization Contributes to the Bottom Line.” LeanIX, 2017. Web.
Jayanthi, Aruna. “Application Landscape Report 2014.” Capgemini, 4 March 2014. Web.
Lankhorst, Marc., et al. “Architecture-Based IT Valuation.” Via Nova Architectura, 31 March 2010. Web.
“Management of business application.” ServiceNow, Jan.2020. Accessed 1 April 2020.
Mauboussin, Michael J. “The True Measures of Success.” HBR, Oct. 2012. Web.
Neogi, Sombit., et al. “Next Generation Application Portfolio Rationalization.” TATA, 2011. Web.
Riverbed. “Measuring the Business Impact of IT Through Application Performance.” CIO Summits, 2015. Web.
Rouse, Margaret. “Application Rationalization.” TechTarget, March 2016. Web.
Van Ramshorst, E.A. “Application Portfolio Management from an Enterprise Architecture Perspective.” Universiteit Utrecht, July 2013.
“What is a Balanced Scorecard?” Intrafocus, n.d. Web.
Whitney, Lance. “SMBs share their biggest constraints and great challenges.” Tech Republic, 6 May 2019. Web.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Evaluate the infrastructure requirements and the ability to undergo modernization from legacy technology.
Build and document a formal set of business requirements using Info-Tech's pre-populated template after identifying stakeholders, aligning business and user needs, and evaluating deployment options.
Draft an RFP for a UC solution and gain project approval using Info-Tech’s executive presentation deck.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Identify pain points.
Build a skills inventory.
Define and rationalize template configuration needs.
Define standard service requests and map workflow.
Discuss/examine site type(s) and existing technology.
Determine network state and readiness.
IT skills & process understanding.
Documentation reflecting communications infrastructure.
Reviewed network readiness.
Completed current state analysis.
1.1 Build a skills inventory.
1.2 Document move, add, change, delete (MACD) processes.
1.3 List relevant communications and collaboration technologies.
1.4 Review network readiness checklist.
Clearly documented understanding of available skills
Documented process maps
Complete list of relevant communications and collaboration technologies
Completed readiness checklist
Hold focus group meeting.
Define business needs and goals.
Define solution options.
Evaluate options.
Discuss business value and readiness for each option.
Completed value and readiness assessment.
Current targets for service and deployment models.
2.1 Conduct internal focus group.
2.2 Align business needs and goals.
2.3 Evaluate deployment options.
Understanding of user needs, wants, and satisfaction with current solution
Assessment of business needs and goals
Understanding of potential future-state solution options
Identify gaps.
Examine and evaluate ways to remedy gaps.
Determine specific business requirements and introduce draft of business requirements document.
Completed description of future state.
Identification of gaps.
Identification of key business requirements.
3.1 Identify gaps and brainstorm gap remedies.
3.2 Complete business requirements document.
Well-defined gaps and remedies
List of specific business requirements
Introduce Unified Communications Solution RFP Template.
Develop statement of work (SOW).
Document technical requirements.
Complete cost-benefit analysis.
Unified Communications RFP.
Documented technical requirements.
4.1 Draft RFP (SOW, tech requirements, etc.).
4.2 Conduct cost-benefit analysis.
Ready to release RFP
Completed cost-benefit analysis
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
State the success criteria of your SDLC practice through the definition of product quality and organizational priorities. Define your SDLC current state.
Build your SDLC diagnostic framework based on your practice’s product and process objectives. Root cause your improvement opportunities.
Learn of today’s good SDLC practices and use them to address the root causes revealed in your SDLC diagnostic results.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Discuss your quality and product definitions and how quality is interpreted from both business and IT perspectives.
Review your case for strengthening your SDLC practice.
Review the current state of your roles, processes, and tools in your organization.
Grounded understanding of products and quality that is accepted across the organization.
Clear business and IT objectives and metrics that dictate your SDLC practice’s success.
Defined SDLC current state people, process, and technologies.
1.1 Define your products and quality.
1.2 Define your SDLC objectives.
1.3 Measure your SDLC effectiveness.
1.4 Define your current SDLC state.
Product and quality definitions.
SDLC business and technical objectives and vision.
SDLC metrics.
SDLC capabilities, processes, roles and responsibilities, resourcing model, and tools and technologies.
Discuss the components of your diagnostic framework.
Review the results of your SDLC diagnostic.
SDLC diagnostic framework tied to your SDLC objectives and definitions.
Root causes to your SDLC issues and optimization opportunities.
2.1 Build your diagnostic framework.
2.2 Diagnose your SDLC.
SDLC diagnostic framework.
Root causes to SDLC issues and optimization opportunities.
Discuss the SDLC practices used in the industry.
Review the scope and achievability of your SDLC optimization initiatives.
Knowledge of good practices that can improve the effectiveness and efficiency of your SDLC.
Realistic and achievable SDLC optimization roadmap.
3.1 Learn and adopt SDLC good practices.
3.2 Build your optimization roadmap.
Optimization initiatives and target state SDLC practice.
SDLC optimization roadmap, risks and mitigations, and stakeholder communication flow.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Read our concise Executive Brief to find out why you should automate testing, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
Develop and implement practices that mature your automated testing capabilities.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand the goals of and your vision for your automated testing practice.
Develop your automated testing foundational practices.
Adopt good practices for each test type.
Level set automated testing expectations and objectives.
Learn the key practices needed to mature and streamline your automated testing across all test types.
1.1 Build a foundation.
1.2 Automate your test types.
Automated testing vision, expectations, and metrics
Current state of your automated testing practice
Ownership of the implementation and execution of automated testing foundations
List of practices to introduce automation to for each test type
IT specialists often instinctively focus on technical issues, such as server failures or network problems, because they are trained to address the broken parts. However, it's important to consider the context in which these occur. But what if the real problem isn't just the part but the entire system it operates in?
I want you to take a step back and to stop thinking about your company as a collection of departments and IT systems. Start seeing it for what it truly is: a complex, living, breathing economic system. This isn't some academic analogy. It’s a powerful model that will change how you approach resilience.
An economic system involves production, resource allocation, and distribution of goods and services, which parallels how a company operates internally. It includes the combination of various departments, the people doing things, the business units, and even the decision-making steps that make up the economic structure of your company. Once you see this, you can never unsee it.
Let’s quickly demystify this. Forget textbooks and complex theories for a moment. Think about a national economy. It does three basic things:
Production: It makes things. Factories build cars, farms grow food, and programmers write software. This is the creation of value.
Resource Allocation: This process decides who gets what to make those things. Who gets the steel for the cars? The land for the farms? The funding for the software developers? These are all decisions about how to use scarce resources.
Distribution: This process gets the finished products to the people who need them. Cars go to importers, then dealerships then the customers, food goes to grocery stores, and software gets deployed to servers and then used by clients (in the general sense).
That's it. Production, allocation, distribution. Every economy, from a simple bartering tribe to the global financial market, operates on these principles. And so does your company.
Your company doesn't just “do work.” It produces, allocates, and distributes services in its own internal market (and eventually sells outside, otherwise… trouble).
The production is everywhere. The human resources department produces a “payroll service.” The sales department produces “revenue contracts.” And the IT department? It produces a vast array of services: “compute cycles,” “data storage,” “network connectivity,” and “application uptime.” These are the goods and services that every other part of the company consumes to do their jobs.
Resource allocation is the lifeblood of your corporate economy. It's the annual budgeting process, the project prioritization meetings, and the daily decisions managers make about where to assign their people. In IT, you are equally part of the allocation process. Most people get to decide at least what they will give priority to that day. Perhaps via the daily scrum or stand-up meetings. Perhaps during the review process. As a manager, when you approve a request for a new high-powered virtual machine for one team, you are making an economic choice. You are allocating a scarce resource that another team can no longer use. As a developer, when you decide that task X is now a higher priority than task Y, you make an economic decision to allocate yourself to task X. It's important to understand that there is an opportunity cost to every decision, whether you label it that way or not.
And distribution? That's how these services get to their “consumers.” It’s the internal platforms, the APIs that connect applications, the service desk that fulfills requests, the operations teams that update data via forms into databases, and even the reporting dashboards that deliver information. These are the supply chains and logistics networks of your company’s economy. The consumers are your clients, of course, but also every department that uses a service provided by another department.
The IT department plays a central role in the company's economy, akin to a central bank and infrastructure provider, by managing essential digital resources like compute, storage, and bandwidth. You control its supply and, through your decisions, influence its value. You also build and maintain the “roads” and “power grid”—the networks and platforms—that the entire corporate economy depends on to function.
This is where I feel it gets fascinating. When you start seeing your company as an economic system, your understanding of resilience deepens dramatically. You move beyond simply fixing broken things and start thinking about stabilizing a complex, interconnected market.
When a core database goes down, an engineer sees a technical failure. An economist sees a supply chain collapse. That database isn't just a box with blinking lights; it's a critical supplier of a raw material, namely data. Every single business process, application, and team that creates, updates or consumes that data is now starved of a resource they need to produce their own services. The failure cascades not just through technical dependencies but through economic dependencies. Seeing it this way forces you to ask better questions: Who are the biggest “consumers” of this data supplier? What is the total economic impact of this outage, not just the technical impact? This changes the incident's priority and your response strategy.
The traditional engineering approach to resilience is redundancy. If one server is important, have two. This is like a town having two power plants. It's a good start, but it's not true economic resilience. An economist would ask different questions. Can we diversify our suppliers? Can we re-route via another path? If our primary database provider fails, can we switch to a secondary one, even if it's slower or pricier for a short time? This is the principle of substitution. Can a business process continue to function in a degraded mode, producing a lower-quality “good” for a while instead of stopping completely? This is about economic adaptability, not just technical duplication.
You could take this even further and move into the realm of business continuity. Can your process work when your primary resource (the database) is not available? How would you redesign your process to work with an alternative solution? This thinking is at the heart of modern operational resilience regulations worldwide. Authorities are no longer just asking if your backups work; they're asking if your firm can fulfill its economic function in the face of severe adversity. They demand a clear grasp of your entire supply chain and a testable exit plan for critical suppliers, including cloud providers.
You see that this goes way beyond a failing-part view. It goes to the heart of the economic function of your company.
During a major incident, the incident commander is now no longer just a technical coordinator. You are the head of the “central bank” during a "market crash". Your job is to prevent a localized failure from causing a full-blown corporate recession. Think about your actions:
You allocate scarce capital (your top engineers' time) to the most critical problem. The economic cost is the non-delivery of any other product by those people.
You implement fiscal policy by prioritizing certain fixes over others to stimulate the quickest “economic” recovery.
You manage market confidence through clear, calm, and regular communication to stakeholders, preventing panic from spreading.
Each decision is an economic intervention designed to restore stability to the system. (If that is not the job description of a central banker, then I eat my hat.)
Side Note: I often see teams who are obsessed with their own service's uptime, their own local metrics. They proudly report “five nines” of availability, but they do not report on how their service is actually consumed or how critical it is to the company's overall economic output. They've optimized their own factory but don't disclose their output's need level to the company or that their occasional one-hour outage brings the entire company's main assembly line to a halt. Resilience is not about local optimization; it is about the stability of the entire economic system. A dashboard that lists teams in order of availability or whatever other metric is fine, but these numbers must be mapped against their economic relevance. Without the economic relevance weighting, you may be misallocating resources in areas that are not critical or sufficiently important.
This isn't just a theoretical exercise. You can apply this model today to make your organization stronger and yourself more effective to any employer or client.
First, map your economic flows. Go beyond standard architecture diagrams. Create maps that show how value and services are produced, distributed, and consumed across departments. Identify your most important “supply chains.” Ask business units what IT services are essential for their “production lines” and what the financial impact is when those services are unavailable. This gives you a heat map of economic risk.
Second, identify your single points of economic failure. In every economy, there are institutions that are “too big to fail.” What are yours? Is it a single authentication service? A legacy mainframe? A specific team of two people who know how a critical system works? These are the areas where a failure will cause a systemic crisis. They require more than just technical redundancy; they need deep, thoughtful resilience planning, including succession plans for people and substitution options for technology.
Finally, reframe your post-incident reviews. Stop just asking, “What broke and why?” Start asking, “Which economic activity was disrupted?” and “How did the disruption flow through the system?” This shifts the conversation from blaming a component or a team to understanding systemic weaknesses in your company's economy. The goal is not to find a guilty party but to identify where your internal market is fragile and how you can strengthen it with better “monetary policy” (resource allocation) or “infrastructure” (more robust platforms).
In another article, I mentioned that resilience is a mindset.
So what happens when this economic system becomes unstable?
These issues are typically considered failures and they manifest as irritations, perceived slowness and bugs, all the way to (regular) failures of a process or whole system.
If this broken economic system is allowed to remain unstable, people will adopt negative behaviors.
When “the government” (IT) fails to deliver, business teams take matters into their hands and start shadow IT. They may even purchase their own subscriptions.
In a stable economy, participants trust that resources will be available when needed, but in a broken system, that trust is gone and leads to the hoarding of assets. This may be visible in the requested need for time or even budget allocation. And that leads into protectionism where teams build walls around their data and systems.
When failures are common, the focus shifts from resolving the systemic problems to assigning blame for the specific symptom. This is akin to the breakdown of trade relations. The applications team blames the infrastructure team for slow servers. The infrastructure team blames the network team for latency. The network team blames the applications team for inefficient code. And around we go.
Taking it just that little step further: If people live in a failing state long enough, they lose hope. This is learned helplessness. Your most valuable “citizens”—your engineers and business users—become disengaged. They stop reporting bugs because they assume they will never be fixed. They stop suggesting process improvements because they believe their voice doesn't matter.
And lastly: In a functional system, there are clear processes for requesting services. In your broken economy, these official channels are considered worthless. The only way to get anything done is to generate a crisis. Escalation becomes the primary currency. People learn to bypass the ticketing system and send direct messages to senior leaders because they perceive that's the only way to get a response.
To break this cycle, you need to start small and use mechanisms that turn the negative effects of problems into positive effects, like seeing opportunities.
Proposing a grand vision will get you polite nods and zero action. I recommend you pick one irritation and fix it. Repeat multiple times until staff starts to perceive a change. Don't try to move the mountain. Remove the first obstacle and make your way up from there. This can be solving an issue, reducing an uncertainty, or actually spotting a way forward.
It will go easier as you continue this. Accept that on day one, your credibility is zero. It doesn’t matter whether you're a new manager or a seasoned expert. Trust is earned on the factory floor. Fix one small, nagging irritation for one person. Then another. This is how you build the political and social capital needed to tackle the mountain. It takes time.
But what will happen next is crucial. There will be a reduction of the negative behaviors. And when you work it efficiently with enough time, you will eliminate those behaviors. And yes, there will be many ifs and buts, and each of the broken elements of a larger chain may require their own solutions. But it is this act of seeing the bigger picture through the constituent parts that will allow you to assign priorities and move closer to the solution in a structural way.
Seeing step by step results feeds positivism and higher stability. Which in turn again feeds more positivism.
When you view your company through the lens of an economic system, it elevates the practice of resilience from a purely technical discipline to a value function. It gives you a language to communicate impact and risk to leadership in terms they understand: production, supply, and cost.
It forces you to see the interconnectedness of everything you do and to appreciate that the failure of a single, seemingly minor component can have large, cascading effects across the entire organization. By thinking like an economist, you stop being just a firefighter, putting out isolated blazes. You become the architect of a more stable, more robust, and ultimately more resilient economy.
You become the architect of a more stable, more robust, and ultimately more resilient economy. Now, go manage it.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use this research to identify and quantify the potential risk impacts caused by vendors. Utilize Info-Tech's approach to look at the impact from various perspectives to better prepare for issues that may arise.
By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.
The risks from the vendor market have become more prevalent as the technologies and organizational strategies shift to a global direction. With this shift in risk comes a necessary perspective change to align with the greater likelihood of an incident occurring from vendors' (or one of their downstream support vendor's) negative actions.
Organizational leadership must become more aware of the increasing risks that engaging vendors impose. To do so, they need to make informed decisions, which can only be provided by engaging expert resources in their organizations to compile a comprehensive look at potential risk impacts.
Research Director, Vendor Management
Info-Tech Research Group
Your ChallengeMore so than at any other time, our world is changing. As a result organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level. It is increasingly likely that one of your vendors, or their n-party support vendors, will cause an incident. Organizations must protect themselves by creating better mechanisms to hold their n-party vendors accountable and validate that they comply. |
Common ObstaclesIdentifying and managing a vendor’s potential risk impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect your organization. Organizational leadership is often taken unaware by changes, and their plans lack the flexibility to adjust to significant regulatory upheavals. |
Info-Tech's ApproachVendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them. Prioritize and classify your vendors with quantifiable, standardized rankings. Prioritize focus on your high-risk vendors. Standardize your processes for identifying and monitoring vendor risks with our Comprehensive Risk Impact Tool to manage potential impacts. |
Organizations must evolve their risk assessments to be more adaptive to respond to changes in the global market. Ongoing monitoring and continual assessment of vendors’ risks is crucial to avoiding negative impacts.
This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.
Out of Scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.
of IT professionals are more concerned about being a victim of ransomware than they were a year ago.
Info-Tech Tech Trends Survey 2022
of Microsoft non-essential employees shifted to working from home in 2020, joining the 18% already remote.
Info-Tech Tech Trends Survey 2022
of organizations invested in web conferencing technology to facilitate collaboration.
Info-Tech Tech Trends Survey 2022
Odds are at least one of these is currently affecting your strategic plans
Consider implementing vendor management initiatives and practices in your organization to help gain compliance with your expanding vendor landscape.
Your organizational risks may be monitored but are your n-party vendors?
Review your expectations with your vendors and hold them accountable
Regulatory entities are looking beyond your organization’s internal compliance these days. Instead, they are more and more diving into your third-party and downstream relationships, particularly as awareness of downstream breaches increases globally.
Regulatory agencies are putting more enforcement around ESG practices across the globe. As a result, organizations will need to monitor the changing regulations and validate that their vendors and n-party support vendors are adhering to these regulations or face penalties for non-compliance.
Data protection remains an issue. Organizations should ensure that the data their vendors obtain remains protected throughout the vendor’s lifecycle, including post-termination. Otherwise, they could be monitoring for a data breach in perpetuity.
More prominent vendors continuously buy smaller companies to control the market in the IT industry. Organizations should put protections in their contracts to ensure that an IT vendor’s acquisition does not put them in a relationship with someone that could cause them an issue.
Consider the impact of a vendor that fails to perform midway through the implementation. Organizations need to be able to manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money away after bad performance.
Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Incorporate forecasting of product and ongoing business continuity planning into your strategic plans to adapt as events unfold.
Failing to ensure that your vendor-supported systems are properly configured and that your vendors are meeting your IT change control and configuration standards is more commonplace than expected. Proper oversight and management of your support vendors is crucial to ensure they are meeting expectations in this regard.
(Adapted from COSO)
Adapted from Harvard Law School Forum on Corporate Governance
Risk impacts often come from unexpected places and have significant consequences.
Knowing who your vendors are using for their support and supply chain could be crucial in eliminating the risk of non-compliance for your organization.
Having a plan to identify and validate the regulatory compliance of your vendors is a must for any organization to avoid penalties.
For example, Philips’ recall of ventilators impacted its products and the availability of its competitors’ products as demand overwhelmed the market.
Even if you know your complete third-party vendor landscape, you may not be aware of the downstream vendors in play. Ensure that you get visibility into this space as well, and hold your direct vendors accountable for the actions of their vendors.
Make sure you know which vendors are accessing/storing your data, where they are keeping it, and that you can get it back and have the vendors destroy it when the relationship is over. Without adequate protections throughout the lifecycle of the vendor, you could be monitoring for breaches in perpetuity.
Assessing financial impacts is an ongoing, educative, and collaborative multidisciplinary process that vendor management initiatives are uniquely designed to coordinate and manage for organizations.
Operational risk impacts often come from unexpected places and have unforeseen impacts. Knowing where your vendors place in critical business processes and those vendors' business continuity plans concerning your organization should be a priority for those managing the vendors.
For example, do you understand how a simple news article raises your profile for short-term and long-term adverse events?
Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards from inadvertently entering a negative relationship? Do you have plans for replacing critical vendors purchased in such a manner?
Is your vendor solvent? Do they have enough staff to accommodate your needs? Has their long-term planning been affected by changes in the market? Are they unique in their space?
See the blueprint Build an IT Risk Management Program
Review your risk management plans for new risks on a regular basis.
Keep in mind Risk =
Likelihood x Impact
(R=L*I).
Impact (I) tends to remain the same, while Likelihood (L) is becoming closer to 100% as threat actors become more prevalent.
Organizations must review their risk appetite and tolerance levels, considering their complete landscape.
Changing regulations, acquisitions, new security issues, and events that affect global supply chains are current realities, not unlikely scenarios.
Sometimes disasters occur despite our best plans to manage them.
When this happens, it is important to document the lessons learned and improve our plans going forward.
1-3 hours
Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.
Download the Comprehensive Risk Impact Tool
Input
|
Output
|
Materials
|
Participants
|
Note: Even though a few items are “scored” they have not been added to the overall weight, signaling that the company has noted but does not necessarily hold them against the vendor.
How to mitigate:
Organizations must evolve their risk assessments to be more meaningful to respond to global changes in the market.
Organizations should increase the resources dedicated to monitoring the market as regulatory agencies continue to hold them more and more accountable.
Olaganathan, Rajee. “Impact of COVID-19 on airline industry and strategic plan for its recovery with special reference to data analytics technology.” Global Journal of Engineering and Technology Advances, vol 7, no 1, 2021, pp. 033-046.
Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.
Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.
Weak Cybersecurity is taking a toll on Small Businesses (tripwire.com)
SecureLink 2022 White Paper SL_Page_EA+PAM (rocketcdn.me)
Shared Assessments Member Poll March 2021 "Guide: Evolving Work Environments Impact of Covid-19 on Profile and Management of Third Parties“
“Cybersecurity only the tip of the iceberg for third-party risk management”. Help Net Security, April 21, 2021. Accessed: 2022-07-29.
“Third-Party Risk Management (TPRM) Managed Services”. Deloitte, 2022. Accessed: 2022-07-29.
“The Future of TPRM: Third Party Risk Management Predictions for 2022”. OneTrust, December 20th2021. Accessed 2022-07-29.
“Third Party Vendor definition”. Law Insider, Accessed 2022-07-29.
“Third Party Risk”. AWAKE Security, Accessed 2022-07-29.
Glidden, Donna. "Don't Underestimate the Need to Protect Your Brand in Publicity Clauses", Info-Tech Research Group, June 2022.
Greenaway, Jordan. "Managing Reputation Risk: A start-to-finish guide", Transmission Private, July 2022. Accessed June 2022.
Jagiello, Robert D, and Thomas T Hills. “Bad News Has Wings: Dread Risk Mediates Social Amplification in Risk Communication. ”Risk analysis : an official publication of the Society for Risk Analysis vol. 38,10 (2018): 2193-2207.doi:10.1111/risa.13117
Kenton, Will. "Brand Recognition", Investopedia, August 2021. Accessed June 2022. Lischer, Brian. "How Much Does it Cost to Rebrand Your Company?", Ignyte, October 2017. Accessed June 2022.
"Powerful Examples of How to Respond to Negative Reviews", Review Trackers, February 2022. Accessed June 2022.
"The CEO Reputation Premium: Gaining Advantage in the Engagement Era", Weber Shadwick, March 2015. Accessed on June 2022.
"Valuation of Trademarks: Everything You Need to Know",UpCounsel, 2022. Accessed June 2022.
A cost-optimized security budget is one that has the greatest impact on risk for the least amount of money spent.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This phase will help you assess the efficacy of your current technology and service providers.
This phase will help you assess if layoffs are necessary.
This phase will help you revise the pending process-based initiatives in your security strategy.
Members may also be interested in Info-Tech's IT Spend & Staffing Benchmarking Service.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This deck mirrors Info-Tech’s own internal methods for delivering its IT Spend & Staffing Benchmarking Service in a do-it-yourself format. Based on Info-Tech’s proven ITFM Cost Model, it includes an IT spend mapping readiness assessment, expert advice for sourcing and organizing your financial data, a methodology for mapping IT staff and vendor spend according to four key stakeholder views (CFO, CIO, CXO, and CEO), and guidance on how to analyze and share your results.
This workbook offers a step-by-step approach for mapping and visualizing your organization’s true IT spend.
This presentation template offers a recommended structure for introducing key executive stakeholders to your organization’s true IT spending behavior and IT financial management as a whole.
Talking about money is hard. Talking to the CEO, CFO, and other business leaders about money is even harder, especially if IT is seen as just a cost center, is not understood by stakeholders, or is simply taken for granted. In times of economic hardship, already lean IT operations are tasked with becoming even leaner.
When there's little fat to trim, making IT spend decisions without understanding the spend's origin, location, extent, and purpose can lead to mistakes that weaken, not strengthen, the organization.
The first step in optimizing IT spend decisions is setting a baseline. This means having a comprehensive and transparent view of all technology spend, organization-wide. This baseline is the only way to have meaningful, data-driven conversations with stakeholders and approvers around what IT delivers to the business and the implications of making changes to IT funding.
Before stepping forward in your IT financial management journey, know exactly where you're standing today.
Jennifer Perrier
Principal Research Director, ITFM Practice
Info-Tech Research Group
| Your Challenge | Common Obstacles | Info-Tech's Approach |
IT spend has increased in volume and complexity, but how IT spend decisions are made has not kept pace:
|
Meaningful conversations about IT spend don't happen nearly as much as they should. This is often due to:
|
Lay a foundation for meaningful conversations and informed decision-making around IT spend.
|
Info-Tech Insight
Create transparency in your IT financial data to power both collaborative and informed technology spend decisions.
| How IT funds are spent has changed Value demonstration is two-pronged. The first is return on performance investment, focused on formal and objective goals, metrics, and KPIs. The second is stakeholder satisfaction, a more subjective measure driven by IT-business alignment and relationship. IT leaders must do both well to prove and promote IT's value. |
Funding decision cadence has sped up Many organizations have moved from three- to five-year strategic planning cycles to one-year planning horizons or less, most noticeably since the 2008/2009 recession. Not only has the pace of technological change accelerated, but so too has volatility in the broader business and economic environments, forcing rapid response. |
Justification rigor around IT spend has increased The need for formal business cases, proposals, and participation in formal governance processes has increased, as has demand for financial transparency. With many IT departments still reporting into the CFO, there's no getting around it - today's IT leaders need to possess financial management savvy. |
Clearly showing business value has become priority IT spend has moved from the purchase of discrete hardware and software tools traditionally associated with IT to the need to address larger-scale issues around interoperability, integration, and virtualized cloud solutions. Today's focus is more on big-picture architecture than on day-to-day operations. |
Increased integration with the core business has made it a priority for the head of IT to be well-versed in business language and practice, specifically in the areas of measurement and financial management.
However, IT staff across all industries aren't very confident in how well IT is doing in managing its finances via three core processes:
Recent data from 4,137 respondents to Info-Tech's IT Management & Governance Diagnostic shows that while most IT staff feel that these three financial management processes are important, notably fewer feel that IT management is effective at executing them.
IT leadership's capabilities around fundamental cost data capture appear to be lagging, not to mention the essential value-added capabilities around optimizing costs and showing how IT contributes to business value.
Source: IT Management & Governance Diagnostic, Info-Tech Research Group, 2022.
Exactly how is IT spending all that money we give them?
Many IT costs, like back-end infrastructure and apps maintenance, can be invisible to the business.
Why doesn't my department get more support from IT?
Some business needs won't align with spend priorities, while others seem to take more than their fair share.
Does the amount we spend on each IT service make sense?
IT will get little done or fall short of meeting service level requirements without appropriate funding.
I know what IT costs us, but what is it really worth?
Questions about value arise as IT investment and spend increase. How to answer these questions is critical.
At the end of the day, telling IT's spend story to the business is a significant challenge if you don't understand your audience, have a shared vocabulary, or use a repeatable framework.
However, the best methodological framework won't work if the materials and information plugged into it are weak. With IT spend, the materials and information are your staff and your vendor financial data. To achieve true transparency, inputs must have the following three characteristics:
| Availability | Reliability | Usability |
|---|---|---|
| The data and information are up-to-date and accessible when needed. | The data and information are accurate, complete, and verifiable. | The data and information are clearly defined, consistently and predictably organized, consumable, and meaningful for decision-making. |
A framework is an organizing principle. When it comes to better understanding your IT spend, the things being organized by a framework are your method and your data.
If your IT spend information is transparent, you have an excellent foundation for having the right conversations with the right people in order to make strategically impactful decisions.
Put your data to work instead of being put to work by your data.
| 1. Know your objectives | 2. Gather required data | 3. Map your IT staff spend | 4. Map your IT vendor spend | 5. Identify implications for IT | |
|---|---|---|---|---|---|
| Phase Steps |
|
|
|
|
|
| Phase Outcomes | Goals and scope for your IT spend and staffing transparency effort. | Information and data required to perform the IT staff and vendor spend transparency initiative. | A mapping of the allocation of IT staff spend across the four views of the Info-Tech ITFM Cost Model. | A mapping of the allocation of IT vendor spend across the four views of the Info-Tech ITFM Cost Model. | An analysis of your results and a presentation to aid your communication of findings with stakeholders. |
Overarching insight
Take the perspective of key stakeholders and lay out your organization's complete IT spend footprint in terms they understand to enable meaningful conversations and start evolving your IT financial management capability.
Phase 1 insight
Your IT spend transparency efforts are only useful if you actually do something with the outcomes of those efforts. Be clear about where you want your IT transparency journey to take you.
Phase 2 insight
Your IT spend transparency efforts are only as good as the quality of your inputs. Take the time to properly source, clean, and organize your data.
Phase 3 insight
Map your IT staff spend data first. It involves work but is relatively straightforward. Practice your mapping approach here and carry forward your lessons learned.
Phase 4 insight
The importance of good, usable data will become apparent when mapping your IT vendor spend. Apply consistent and meaningful vendor labels to enable true aggregation and insight.
Phase 5 insight
Communicating your final IT spend transparency mapping with executive stakeholders is your opportunity to debut IT financial management as not just an IT issue but an organization-wide concern.
Use this tool in Phases 1-4
IT Spend & Staffing Transparency Workbook
Input your IT staff and vendor spend data to generate visual outputs for analysis and presentation in your communications.
IT Spend & Staffing Transparency Executive Presentation
Create a showcase for your newly-transparent IT staff and vendor spend data and present it to key business stakeholders.
Use this tool in Phase 5
| IT Benefits | Business Benefits |
|---|---|
|
|
In phase 1 of this blueprint, we will help you identify initiatives where you can leverage the outcomes of your IT spend and staffing transparency effort.
In phases 2, 3, and 4, we will guide you through the process of mapping your IT staff and vendor spend data so you can generate your own IT spend metrics based on reliable sources and verifiable facts.
Win #1: Knowing how to reliably source the financial data you need to make decisions.
Win #2: Getting your IT spend data in an organized format that you can actually analyze.
Win #3: Having a framework that puts IT spend in a language stakeholders understand.
Win #4: Gaining a practical starting point to mature ITFM practices like cost optimization.
| DIY Toolkit | Guided Implementation | Workshop | Consulting |
|---|---|---|---|
| "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks are used throughout all four options.
| Phase 1: Know your objectives | Phase 2: Gather required data | Phase 3: Map your IT staff spend | Phase 4: Map your IT vendor spend | Phase 5: Identify implications for IT |
|---|---|---|---|---|
| Call #1: Discuss your IT spend and staffing transparency objectives and readiness. | Call #2: Review spend and staffing data sources and identify data organization and cleanup needs. | Call #3: Review your mapped IT staff spend and resolve lingering challenges. | Call #4: Review your mapped IT vendor spend and resolve lingering challenges. | Call #5: Analyze your mapping outputs for opportunities and devise next steps. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between four to six calls over the course of two to three months.
The path to IT financial management maturity starts with knowing exactly where your money is going. To streamline this effort, Info-Tech offers an IT Spend & Staffing Benchmarking service that provides full transparency into where your money is going without any heavy lifting on your part.
This unique service features:
If you'd like Info-Tech to pave the way to IT spend transparency, contact your account manager for more information - we're happy to talk anytime.
This phase will walk you through the following activities:
This phase involves the following participants:
You're at the very beginning of your IT spend transparency journey. In this phase you will:
"I've heard this a lot lately from clients: 'I've got my hands on this data, but it's not structured in a way that will allow me to make any decisions about it. I have these journal entries and they have some accounting codes, GL descriptors, cost objects, and some vendors, but it's not enough detail to make any decisions about my services, my applications, my asset spend.'"
- Angie Reynolds, Principal Research Director, ITFM Practice, Info-Tech Research Group
CFO expense view
CXO business view
CIO service view
CEO innovation view
When determining your end objectives, think about the real questions IT is being asked by the business and how IT spend transparency will help you answer them.
IT spend used to be looked at from a strictly financial accounting perspective - this is the view of the CFO and the finance department. Their question, "exactly how is IT spending all that money we give them," is really about how money is distributed across different asset classes. This question breaks down into other questions that IT leaders needs to ask themselves in order to provide answers:
| Example | |
|---|---|
| Asset Class | % IT Spend |
| Workforce | 42.72% |
| Software - Cloud | 9.26% |
| Software - On Prem | 13.61% |
| Hardware - Cloud | 0.59% |
| Hardware - On Prem | 15.68% |
| Contract Services | 18.14% |
| Info-Tech IT Spend & Staffing Studies, 2022. | |
As the CIO role was adopted, IT spend was viewed from the IT operations management perspective. Optimizing the IT delivery model is a critical step to reducing time to provision services. For the IT leader, the questions they need to ask themselves are:
| Example | |
|---|---|
| Service Area | % IT Spend |
| App Development | 9.06% |
| App Maintenance | 30.36% |
| Hosting/Network | 25.39% |
| End User | 18.59% |
| Data & BI | 3.58% |
| Security & Risk | 5.21% |
| IT Management | 7.82% |
| Info-Tech IT Spend & Staffing Studies, 2022. | |
As business requests have increased, so too has the importance of the business unit perspective. Each business function has a unique mandate to fulfill in the organization and also competes with other business functions for IT resources. By understanding business consumption of IT, organizations can bring transparency and drive a different dialog with their business partners. Every IT leader should find out the answers to these questions:
| Example | |
|---|---|
| Business Function | % IT Spend |
| HR Department | 6.16% |
| Finance Department | 15.15% |
| IT Department | 10.69% |
| Business Function 1 | 23.80% |
| Business Function 2 | 10.20% |
| Business Function 3 | 6.80% |
| Business Function 4 | 27.20% |
| Source: Info-Tech IT Spend & Staffing Studies, 2022. | |
With a business view now available, evaluating IT spend from a strategic standpoint is critical. Simply put, how much is being spent keeping the lights on (KTLO) in the organization versus supporting business or organizational growth versus net-new business innovations? This view is not about what IT costs but rather how it is being prioritized to drive revenue, operating margin, or market share. Here are the questions IT leaders should be asking themselves along with the organization's executive leadership and the CEO:
| Example | |
|---|---|
| Focus Area | % IT Spend |
| KTLO | 89.16% |
| Grow | 7.18% |
| Innovate | 3.66% |
| Info-Tech IT Spend Studies, 2022. | |
I want to ...
Analyze the impact of the cloud on IT operating expenditure to update finance's expectations of a realistic IT CapEx/OpEx ratio now and into the future.
To address the problem of ...
And will use transparency to ...
Duration: One hour
Document your outputs on the slide immediately following the instruction slides for this exercise. Examples are included.
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
| Problem/Issue Statement | Source/ Stakeholder | Associated ITFM Process | Potential Initiative | Initiative Goal | Time Frame |
| "Why is IT's OpEx so high? We need you to increase IT's percentage of CapEx." | CFO | IT spend categorization and reporting. | Analyze the impact of the cloud on IT operating expenditure. | To update finance's expectations of a realistic IT CapEx/OpEx ratio. | <12 months |
| "Why do we need to hire more service desk staff? There are more of them in IT than any other role." | CFO, VP of HR | Business case for hiring IT staff. | Document ongoing IT support requirements for proposed ERP platform migration project. | To ensure sufficient resources for an anticipated increase in service desk tickets due to implementation of a new ERP system. | 1-3 months |
| "Why can't IT just buy this new app we want? It's not very expensive." | CEO, all CXOs/VPs | Total cost of technology ownership. | Develop a mechanism to review the lifecycle impact on IT of proposed technology purchases. | To determine if functionality of new tool already exists in the org. and the total cost of ownership of a new app. | <6 months |
| "Did output increase or decrease last quarter per input unit? IT should be able to run those reports for us." | CEO, CFO, VP of Production | IT service costing. | Develop an organizational business intelligence strategy. | To create a comprehensive plan for evolving BI capability in the organization and transferring report development to users. Select a department for pilot. | <12 months |
| Know your governance culture | Lower Governance
|
Higher Governance
|
| Determine impact on opportunities | How does your governance culture impact IT spend transparency opportunities? | |
|---|---|---|
| Resistance to formality and bureaucracy | Resistance to change and uncertainty | |
| Set expectations and approach | You have plenty of room to implement transparency rigor within the confines of IT, but getting others to give you the time and attention you want will be a challenge. One-on-one, informal relationship building to create goodwill and dialogue is needed before putting forth recommendations or numbers. | Many existing procedures must be accommodated and respected. While you can benefit by working with preexisting mechanisms and touchpoints, expect any changes you want to make to things like IT cost categories or CapEx/OpEx ratios to require a lot of time, meetings, and case-making. |
| Know your ITFM maturity level | Lower ITFM Maturity
|
Higher ITFM Maturity
|
| Determine stakeholders' financial literacy | How does your degree of ITFM maturity impact IT spend transparency opportunities? | |
|---|---|---|
| Improve your own financial literacy first | Determine stakeholders' financial literacy | |
| Set expectations and approach | Brush up on core financial management and accounting concepts before taking the discussion beyond IT's walls. Do start mapping your costs, but just know how to communicate what the data is saying before sharing it. | Not everyone will be at your level, familiar with ITFM language and concepts, or focused on the same things you are. Gauge where your audience is at so you can prepare for meaningful dialogue. |
Duration: One hour
Note: This assessment is general in nature. It's intended to help you identify and prepare for potential challenges in your IT spend and staffing transparency effort.
Document your outputs on the slide immediately following the two instruction slides for this exercise.
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
| Data & Information | |
| Statement | Rating |
| We know how to access all IT department spend records. | |
| We know how to access all non-IT-department technology spend records. | |
| We know how to access all IT vendor/contractor agreements. | |
| We know how to access data about our IT staff costs and allocation, such as organizational charts and salaries/benefits. | |
| Our financial and staffing data is up-to-date. | |
| Our financial and staffing data are labeled, described, and organized so that we know what they're referring to. | |
| Our financial and staffing data are in a format that we can easily manipulate (e.g. export, copy and paste, perform calculations). | |
| Experience, Expertise, & Support | |
| Statement | Rating |
| We have sufficient expertise within the IT department to navigate and accurately interpret financial records. | |
| We have reasonable access to expertise/resources in our finance department to support us in an IT spend transparency exercise. | |
| We can allocate sufficient time (about 40 hours) and resources in the near term to do an IT spend transparency exercise. | |
| We have current accountabilities to track and internally report financial information to others on at least a monthly basis. | |
| There are existing financial policies, procedures, and standards in the organization with which we must closely adhere and comply. | |
| We have had the experience of participating in, or responding to the results of, an internal or external audit. | |
Rating scale:
1 = Strongly Disagree; 2 = Disagree; 3 = Neither agree nor disagree; 4 = Agree; 5 = Strongly agree
Assessment scale:
Less than 30 = Not ready; 30-39 = Challenged; 40-49 = Ready with caveats; 50-65 = Ready
Take a closer look at the statements you rated 1, 2, or 3. These will be areas of challenge no matter what your total score on the assessment scale.
You've now completed the first two steps on your IT spend transparency journey. You have:
"Mapping to a transparency model is labor intensive. You can do it once and never revisit it again, but we would never advise that. What it does is play well into an IT financial management maturity roadmap."
- Monica Braun, Research Director, ITFM Practice, Info-Tech Research Group
This phase will walk you through the following activities:
This phase involves the following participants:
You're now ready to do the final preparation for your IT spend and staffing transparency journey. In this phase you will:
"Some feel like they don't have all the data, so they give up. Don't. Every data point counts."
- Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group
Aim for a comprehensive, complete, and accurate set of data and information.
In scope:
IT may have low or no visibility into technologies that exist in the broader business environment beyond IT. Accept that you won't gain 100% visibility right now. However, do get started and be persistent.
Where to look for non-IT technology ...
Who might get you what you need ...
The IT spend and staffing transparency exercise is an opportunity to kick-start a technology discovery process that will give you and the business a true picture of your technology profile, use, and spend.
Key data and information to seek out:
Look for these data descriptors in your files:
Spend data that's out of scope:
Challenging data formats:
This is where your governance culture and ITFM maturity start to come into play.
| Data source | Potential data and information | What to expect |
| IT | Current/past budget, vendor agreements, IT project records, discretionary spend, number of IT employees. | The rigor of your ITFM practice and centralization of data and documents will affect how straightforward this is. |
| Finance | General ledger, cash and income statements, contractor payments and other accounts payable, general revenue. | Secure their expertise early. Let them know what you're trying to do and what you need. They may be willing to prepare data for you in the format you need and help you decipher records. |
| Purchasing | List of vendors/suppliers, vendor agreements, purchase invoices. | Purchasing often has more descriptive information about vendors than finance. They can also point you to tech spend in other departments that you didn't know about. |
| Human Resources | Organizational chart, staff salaries and benefits, number of employees overall and by department. | Data about benefits costs is something you're not likely to have, and there's only one place you can reliably get it. |
| Other Business Units | Non-IT technology spend vendor agreements and purchase invoices, number of department employees. | Other departments may be tracking spend in an entirely different way than you. Be prepared to dig and reconcile. |
There may be some data or information you can't get without a Herculean effort. Don't worry about it too much - these items are usually relatively minor and won't significantly affect the overall picture.
Near-term visibility fix ...
Long-term visibility fix ...
Look for the following anomalies:
These anomalies often explain why IT spend is unusually high in certain areas. There's often a good business reason.
In many cases, doing a separate spend transparency exercise for these anomalous projects or events can isolate their costs from other spend so their true nature and impact can be better understood.
Duration: Variable
Download the IT Spend & Staffing Transparency Workbook
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
The more preparation you do to approach the "good data" intersection point in the diagram below, the easier your mapping effort will be and the more useful and insightful your final findings.
Warning: Never overwrite your original data. Insert new columns/rows and put your alternate information in these instead.
Step 1: Standardize vendor names
Step 2: Consolidate vendor spend
Duration: Variable
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
Common shared business functions:
It may seem odd to see IT on the business functions list since the purpose of this exercise is to map IT spend. For business view purposes, IT spend refers to what IT spends on itself to support its own internal operations.
Examples of industry-specific functions:
See the Appendix of this blueprint for definitions of shared business functions plus sample industry-specific business view categories.
Stay high-level
Getting too granular invites administrative headaches and overhead. Keep things high-level and general:
Limit your number of buckets
Tracking IT spend across more than 8-10 shared and industry-specific business categories is impractical.
Ensure clear boundaries
Mutual exclusivity is key when defining categories in any taxonomical structure.
Identify exclusions
Listing what's out can be just as informative and clarifying as listing what's in.
Duration: Two hours
Download the IT Spend & Staffing Transparency Workbook
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
These baseline data will allow you to calculate high-level metrics like IT spend as a percent of revenue and year-over-year percent change in IT spend, as well as more granular metrics like IT staff spend per employee for a specific IT service.
Baseline data checklist
You may have discovered some things you didn't know about during the mapping process. Revisit your baseline data when your mapping is complete and make adjustments where needed.
Duration: One hour
Download the IT Spend & Staffing Transparency Workbook
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
You've now completed all preparation steps for your IT spend transparency journey. You have:
"As an IT person, you're not speaking the same language at all as the accounting department. There's almost always a session of education that's required first."
- Angie Reynolds, Principal Research Director, ITFM Practice, Info-Tech Research Group
This phase will walk you through the following activities:
This phase involves the following participants:
Now it's time to tackle the first part of your hands-on spend mapping effort, namely IT staff spend. In this phase you will:
"We're working towards the truth. We know the answer, but it's how to get it. Take Data & BI. For some organizations, four FTEs is too many. Are these people really doing Data & BI? Look at the big picture and see if something's missing."
- Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group
Staffing spend transparency can do a lot to change the conversation from one where the business thinks that IT management is just being self-protecting to one where they know that IT management is actually protecting the business.
Demonstrating the legitimate reasons behind IT staff spend is critical in both rationalizing past and current spend decisions as well as informing future decisions.
Mapping your IT staffing spend first is a good idea because:
"Some companies will say software developer. Others say application development specialist or engineer.
What are these things? You have to have conversations ..."
- Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group
Workforce: The total costs of employing labor in the IT organization. This includes all salary/wages, benefits, travel/training, dues and memberships, and contractor pay. Managed services expenses associated with an external service provider should be excluded from Workforce and included in Contract Services.
Employee: A person employed by the IT organization on a permanent full-time or part-time basis. Costs include salary, benefits, training, travel and expenses, and professional dues and memberships. These relationships are managed under human resources and the bulk of spend transactions via payroll processes.
Contractor: A person serving in a non-permanent staff augmentation role. These relationships are typically managed under procurement or finance and spend transactions handled via invoicing and accounts payable processes. Labor costs associated with an external service provider are excluded.
In the CFO Expense View, all IT spend on staffing is allocated to the Workforce bucket under either Employee or Contractor.
What constitutes a Contractor can be confusing given increased use of long-term labor augmentation strategies, so being absolutely clear about this is imperative. For spend mapping purposes:
Applications Development: Purchase/development, testing, and deployment of application projects. Includes internally developed or packaged solutions.
Applications Maintenance: Software maintenance fees or maintaining current application functionality along with minor enhancements.
Hosting & Networks: Compute, storage, and network functionality for running/hosting applications and providing communications/connectivity for the organization.
End User: Procurement, provision, management, and maintenance (break/fix) of end-user devices (desktop, laptops, tablets, peripherals, and phones) as well as purchase/support and use of productivity software on these devices. The IT service desk is included here as well.
PPM & Projects: People, processes, and technologies dedicated to the management of IT projects and the IT project portfolio as a whole.
Data & BI: Strategy and oversight of the technology used to support data warehousing, business intelligence, and analytics.
IT Management: Senior IT leadership, IT finance, IT strategy and governance, enterprise architecture, process management, vendor management, talent management, and program and portfolio management oversight.
Security: Information security strategy and oversight, practices, procedures, compliance, and risk mitigation to protect and prevent unauthorized access to organizational data and technology assets.
The CIO Service View mirrors how many IT departments are organized into teams or work groups. However, some partial percentage-based allocations are probably required, especially for smaller IT units with more generalized, cross-functional roles. For example:
Info-Tech has found that allocating staffing costs for Data & BI raises the most doubts as it can be very entangled with Applications and other spend. Do the best you can.
Industry Functions: As listed and defined by you for your specific industry.
Human Resources: IT staff and specific application functionality in support of organizational human resource management.
Finance & Accounting: IT staff and specific application functionality in support of corporate finance and accounting.
Shared Services Other: IT staff and specific application functionality in support of all other shared enterprise functions.
Information Technology: IT staff and specific application functionality in support of IT performing its own internal IT operations functions.
Industry Other: IT staff and specific application functionality in support of all other industry-specific functions.
The CXO Expense View also requires percentage-based splitting of role spend, but to a greater extent.
Direct IT costs are those that are dedicated to a specific business unit or user group, such a marketing campaign management app, specialized devices used by a specific subset of workers in the field, or a business analyst embedded full-time in a sales organization.
VS
Indirect IT costs are pretty much everything else that's shared broadly across the organization and can't be tied to just one stakeholder or user group, such as network infrastructure, the service desk, and office productivity apps. These costs must be fairly and evenly distributed.
No indirect mapping method is perfect, but here's a suggestion:
"There is always a conversation about indirect allocations. There's never been an organization I've heard of or worked for which has been able to allocate every technology cost directly to a business consumption or business unit."
Monica Braun, ITFM Research Director, Info-Tech Research Group
Example:
Some indirect costs are shared by multiple business functions, but not all. In these cases, exclude non-participating business functions from the total number of organizational employees and re-calculate a new percent of staff for each participating business function.
Direct IT staffing spend
Definition: Individuals or teams whose total time is formally dedicated to the support of one business unit/function.
Hybrid IT staffing spend
Definition: Teams with a percent of time or entire FTEs formally dedicated to one business unit/function while the remainder of the time or team is generalized.
Indirect IT staffing spend
Definition: Individuals or teams whose total time is generalized to the support of multiple or all business units or functions.
Indirect staff spend only comes into play in the CXO Business View. Thoroughly map the CIO Service View first and leverage its outcomes to inform your allocations to individual business and industry functions.
Business Innovation: IT spend/ activities focused on the development of new business capability, new products and services, and/or introduction of existing products/ services into new markets. It does not include expansion or update of existing capabilities.
Business Growth: IT spend/activities focused on the expansion, scaling, or modernization of an existing business capability, product/service, or market. This is specifically related to growth within a current market.
Keep the Lights On: IT spend/activities focused on keeping the organization running on a day-to-day basis. This includes all activities used to ensure the smooth operation of business functions and overall business continuity.
Important Note
Info-Tech analysts often skip mapping staff for the CEO Innovation View when delivering the IT Spend & Staffing Benchmarking Service.
This is because, for many organizations, either most IT staff spend is allocated to Keep the Lights On or any IT staff allocation to Business Growth and Business Innovation activities is untracked, undocumented, and difficult to parse out.
Overlay a broader assessment of your IT staff
Info-Tech's IT Staffing Assessment diagnostic can expand your view of what's really happening on the staffing front.
Take action
Approach: Be efficient to be effective
Start with what you know best: Map the CFO Expense View first to plug in information you already have. Next, map the CIO Service View since it's most aligned to your organization chart.
Keep a list of questions: You'll need to seek clarifications. Note your questions, but don't reach out until you've done a first pass at the mapping - don't annoy people with a barrage of questions.
Delegate: Your managers and leads have a more accurate view of exactly what their staff do. Consider delegating the CIO Service View and CXO Business View to them or turn the mapping exercise into a series of collaborative leadership team activities.
Biggest challenge: Role/title ambiguity
Key step - validate! If you see services or functions with low or no allocation, or something just doesn't look right, investigate. Someone's doing that work - take the time to figure out who.
Duration: Variable
Download the IT Spend & Staffing Transparency Workbook
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
You've now completed your IT staff spend mapping. You have:
"Some want to allocate everybody to IT, but that's not how we do it. [In one CXO Business View mapping], a client allocated all their sand network people to the IT department. At the end of the process, the IT department itself accounted for 20% of total IT spend. We went back and reallocated those indirect staff costs across the business."
- Kennedy Confurius, Research Analyst, ITFM Practice, Info-Tech Research Group
This phase will walk you through the following activities:
This phase involves the following participants:
Now you're ready to take on the second part of your spend mapping, namely IT vendor spend. In this phase you will:
"[One CIO] said that all technology spend runs through their IT group. But they didn't have hardware in their financial data file - no cellphones or laptops, no network or server expenses. They thought they had everything, but they didn't know what they didn't have. Assume it's out there somewhere."
- Kennedy Confurius, Research Analyst, ITFM Practice, Info-Tech Research Group
"A common financial data problem is no vendor names. I've noticed that, even if the vendor name is there, there are no descriptors. You cannot actually tell what type of service it is. Data security? Infrastructure? Networking? Ask yourself 'What did we purchase and what does it do?'"
- Aman Kumari, Research Specialist, ITFM Practice, Info-Tech Research Group
Vendor: Provider of a good or service in exchange for payment.
Hardware: Costs of procuring, maintaining, and managing all IT hardware, including end-user devices, data center and networking equipment, cabling, and hybrid appliances for both on-premises and cloud-based providers.
Software: Costs for all software (applications, database, middleware, utilities, tools) used across the organization. This includes purchase, maintenance, and licensing costs.
Contract Services: Costs for all third-party services including managed service providers, consultants, and advisory services.
Cloud: Offsite hosting and delivery of an on-demand software or hardware computing function by a third-party provider, often on a subscription-type basis.
On-Prem: On-site hosting and delivery of a software or hardware computing function, often requiring upfront purchase cost and subsequent maintenance costs.
Managed Services: Costs for outsourcing the provision and maintenance of a technical process or function.
Consulting & Advisory: Costs for the third-party provision of professional or technical advice and expertise.
On-Premises
Cloud
Vendors are increasingly "retiring" on-premises software products. This means an older version may be on-prem, a newer one cloud, and you may have both in play.
Applications vs. Data & BI
Applications vs. Security
Putting spend in the right bucket does matter. However, if uncertainty persists, err on the side of consistency. For most organizations Applications Maintenance does end up being the biggest bucket.
| 1 | Sort high to low | Sort your list of vendor spend from highest to lowest. Your top 20 vendors should constitute most of the spend. |
| 2 | Map multi-department enterprise apps | Flag your top apps vendors that have presence in most or all of your business units. Map these first. These tend to be enterprise-level business apps "owned" by core business functions but used broadly across the organization such as enterprise resource planning (ERP), customer relationship management (CRM), and people management systems. |
| 3 | Map end-user spend | Identify top vendors of general end-user technologies like office productivity apps, desktop hardware, and IT service desk tools. Allocate percentages according to your selected indirect spend mapping method. |
| 4 | Map core infrastructure spend | Map the behind-the-scenes network, telecom, and data center technologies that underpin IT, plus any infrastructure managed services. Again, apply your selected indirect spend mapping method. |
| 5 | Map business-unit specific technologies | This is the spend that's often incurred by just one department. This may also be technology spend that's out in the business, not in IT proper. Map it to the right business function or put it in Business Other or Industry Other if the business function doesn't have its own bucket. |
| 6 | Map the miscellaneous | Only smaller spend items likely remain at this point. When in doubt, map them to either Business Other or Industry Other. |
| Remember "when in doubt, map to either the Business Other or Industry Other category"? Know what large Other buckets might really be telling you. | After your first pass at mapping the CXO Business View, review Business Other and Industry Other if either is more than about 10% of your total spend. |
| Diversification: Your organization has a wide array of business functions and/or associated staff that exist outside the core business and industry-specific categories selected. | Are there minor business functions that can reasonably be included with the core categories identified? If not, don't force it. Better to keep your core buckets clean and uncomplicated. |
| Non-core monolith: There's a significant technology installation outside the core that's associated with a comparatively minor business function. | Is there a business function incurring substantial technology spend that should probably be broken out on its own and added to the core? If so, do it. Spend is unlikely to get smaller as the organization grows, so best to shine a light on it now. |
| Shadow IT: There's significant technology spend in several areas of the organization that is unowned, unmanaged, or serving an unknown purpose as far as IT is concerned. | Is a lot of the spend non-IT technology in the business? If yes, flag it and plan to learn more. It's likely that technologies living elsewhere in the organization will become IT concerns eventually. Better to be ready than to be surprised. |
Keep the Lights On
Spend usually triggered by a service deck ticket or work order, not a formal project. Includes:
Business Growth
Spend usually in the context of a formal project under a CapEx umbrella. Includes:
Business Innovation
Spend is always in the context of a formal project and should be 100% CapEx in the first year after purchase. Includes:
In many organizations, most technology spend will be allocated to Keep the Lights On. This is normal but should generate conversations with the business about redirecting funds to growth and innovation.
Approach: Move from macro to micro
Biggest challenge: Poor vendor labeling
Key step - validate! If you see services or functions with low or no allocation, or something just doesn't look right, investigate. There's probably a technology out there in the business doing that work.
Duration: Variable
Download the IT Spend & Staffing Transparency Workbook
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
You've now completed your IT vendor spend mapping. You have:
"A lot of organizations log their spending by vendor name with no description of the goods or services they actually purchased from the vendor. It could be hardware, software, consulting services ... anything. Having a clear understanding of what's really in there is an essential aspect of the spend conversation."
- Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group
This phase will walk you through the following activities:
This phase involves the following participants:
You're now nearing the end of the first leg in your IT spend transparency journey. In this phase you will:
"Don't plug in numbers just to make yourself look good or please someone else. The only way to improve is to look at real life."
- Monica Braun, Research Director, ITFM Practice, Info-Tech Research Group
Mapping your IT spend is a lot of work, but what you've achieved is impressive (applause!) as well as essential for growing your ITFM maturity. Now put your hard work to work.
The slides that follow show sample data summaries and visualizations generated in the IT Spend & Staffing Transparency Workbook. We'll take a look at the metrics, tables, and graphs you now have available to you post-mapping and how you can potentially use them in conversations with different IT stakeholders.
There are two basic types of benchmarking ...
Internal: Capturing a current-state set of data about an in-house operation to serve as a baseline. Over time, snapshots of the same data are taken and compared to the baseline to track and assess changes. Common uses for internal benchmarking include:
External: Seeking out aggregated, current-state data about a peer-group operation to assess your own relative status or performance on the same operation. Common uses for external benchmarking include:
Both types of benchmarking benefit from some formality and rigor. Info-Tech can help you stand up an ITFM benchmarking approach as well as connect you with actual IT spend peer benchmarks via our IT Spend & Staffing Benchmarking service.
Duration: Variable
Download the IT Spend & Staffing Transparency Workbook
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
OpEx is often seen as a sunk cost (i.e. an IT problem).
CapEx is usually seen as investment (i.e. a business growth opportunity).
Break down the OpEx/CapEx wall. Reference OpEx whenever you talk about CapEx. The best way to do this is via Total Cost of Ownership (TCO).
Traditional categories don't reflect IT reality anymore.
"Software (on-premises)" and "hardware (cloud)" are more meaningful descriptors than "software" and "hardware." Shift the dialogue.
Start the migration from major categories to minor categories.
The decision to go with permanent employees or contractors depends on your ultimate goals.
Far too often, labor-sourcing decisions are driven by controlling near-term costs instead of generating and sustaining long-term value.
Introduce the cost-to-value ratio to your workforce spend conversations.
Now that you've mapped your IT spend data to the CFO Expense View, there are some questions you're better equipped to answer, namely:
You now have:
Exactly like this ...
Major service categories: These values give a high-level snapshot of your general IT service spend priorities. In most organizations, Applications dominates, making it a focus for cost optimization.
Minor service categories: The level of granularity for these values prove more practical when measuring performance and making service management decisions - not too big, not too small. While not reflected in this example, application maintenance is usually the largest relative consumer of IT spend in most organizations.
Data & BI and security: Isolating the exact spend for these services is challenging given that they're often entangled in applications and infrastructure spend respectively, and separate spend tracking for both is a comparatively recent practice.
Is the amount of spend on a given service in parallel with the service's overall importance?
Identify the hot spots and pick your battles.
It's all about how much room you have to move.
Grow your IT service management practice.
Now that you've mapped your IT spend data to the CIO Service View, there are some questions you're better equipped to answer, namely:
You now have:
We have some good opportunities for optimization ...
Share information, don't push recommendations.
If possible, slice the numbers by business unit headcount.
Be transparent in your transparency.
Use questions about indirect IT staff spend distribution to engage stakeholders.
Now that you've mapped your IT spend data to the CXO Business View, there are some questions you're better equipped to answer, namely:
You now have:
Let's look at how you compare to the other departments ...
Use the numbers to get to the real issues.
Focus your KTLO spend conversation on risk and trade-off.
Now that you've mapped your IT spend data to the CEO Innovation View, there are some questions you're better equipped to answer, namely:
You now have:
Here's how tech spend directly supports business objectives ...
Review the real problems and issues you need to address and the key stakeholders.
This will guide what data you focus on or showcase with other business leaders. For example, if IT OpEx is perceived as high, be prepared to examine the CapEx/OpEx ratio as well as cloud-related spend's impact on OpEx.
Flag ITFM processes you'll develop as part of your ITFM maturity improvement plan.
You won't become a TCO math expert overnight, but being able to communicate your awareness of and commitment to developing and applying ITFM capabilities helps build confidence in you and the information you're presenting.
Use your first big presentation to debut ITFM.
ITFM as a formal practice and the changes you hope to make may be a novel concept for your business peers. Use your newfound IT spend and staffing transparency to gently wade into the topic instead of going for the deep dive.
The goal of this first presentation is to showcase IT spend in general and make sure that everyone's getting the same information as everyone else.
Go broad, not deep
Defer any in-depth examinations until after you're sure you have everyone's attention. Only dive deep when you're ready to talk about specific plans via follow-up sessions.
Focus on the CXO
Given your audience, the CXO Business View may be the most interesting for them and will trigger the most questions and discussion. Plan to spend the largest chunk of your time here.
Avoid judgment
Let the numbers speak for themselves. Do point out what's high and what's low, but don't offer your opinion about whether it's good or bad. Let your audience draw their own conclusions.
Ask for impressions
Education and awareness are primary objectives. What comes up will give a good indication of what's known, what's news, who's interested, and where there's work to do.
Pick a starting point
Ask what they see as high-priority areas for both optimizing IT costs as well as improving the organization's approach to making IT spend decisions in general.
What to include in your presentation ...
Duration: Two hours
Note: Refer to your organization's standards and norms for executive-level presentations and either adapt the Info-Tech template accordingly or use your own.
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
Download the IT Spend & Staffing Transparency Executive Presentation TemplateTemplate
You've done the hard part in starting your IT spend transparency journey. You have:
"Having internal conversations, especially if there is doubt, allows for accuracy and confidence in your model. I was showing someone the cost of a service he managed. He didn't believe the service was so expensive. We went through it: here are the people we allocated, the assets we allocated, and the software we allocated. It was right - that was the total cost. He was like, 'No way. Wow.' The costs were high, and the transparency is what allowed for a conversation on cost optimization."
- Monica Braun, Research Director, ITFM Practice, Info-Tech Research Group
This final section will provide you with:
You've now mapped the entirety of technology spend in your organization. You've:
What's next?
With a reliable baseline, you can look forward to more informed and defensible IT budgeting and cost optimization. Use your newly-transparent IT spend as a foundation for improving your financial data hygiene in the near term and evolving your overall ITFM governance maturity in the long-term.
If you would like additional support, have our analysts guide you through an Info-Tech full-service engagement or Guided Implementation.
Contact your account representative for more information.
1-888-670-8889
Monica Braun
Research Director, ITFM Practice
Info-Tech Research Group
Dave Kish
Practice Lead, ITFM Practice
Info-Tech Research Group
Kennedy Confurius
Research Analyst, ITFM Practice
Info-Tech Research Group
Aman Kumari
Research Specialist, ITFM Practice
Info-Tech Research Group
Rex Ding
Research Specialist, ITFM Practice
Info-Tech Research Group
Angie Reynolds
Principal Research Director, ITFM Practice
Info-Tech Research Group
Build Your IT Cost Optimization Roadmap
| Business function | Definition |
| Human Resources | The management of the recruitment, training, development, appraisal, compensation/reward, retention, and departure of employees in an organization. Does not include management of subcontractor or outsourced relationships. |
| Finance and Accounting | The management and analysis of an organization's revenue, funds, spend, investments, financial transactions, accounts, and financial statements. Often includes enterprise asset management. |
| Procurement and Supplier Management | Acquiring materials, goods, and services from an external party, including identifying potential suppliers/providers, managing tendering or bidding processes, negotiating terms and agreements, and managing the relationship with the vendor/provider. |
| Information Technology | The development, management, and optimization of information technology resources and systems over their lifecycle in support of an organization's work priorities and goals. Includes computer-based information and communication systems, but typically excludes industrial operational technologies. |
| Legal | Expertise in interpretation, implication, and application of legislation and regulation that affects the enterprise, including guidance and support in the areas of risk, contracting, compliance, ownership, and litigation. |
| Regulatory Affairs and Compliance Management | Identification, operationalization, monitoring, reporting, and enforcement of the standards, rules, codes, and laws that apply to an organization's operating environment and the products and services it offers. |
| Sales | Transactional provision of a product or service to a buyer at an agreed-upon price. Includes identifying and developing prospective buyers, presenting and explaining the product/service, overcoming prospect objections and concerns to purchase, negotiating terms, developing contracts, and billing or invoicing. |
| Customer Service and Support | A range of activities designed to optimize the customer experience with an organization and its products and services throughout the customer lifecycle with the goals of retaining the customer; encouraging additional spend or consumption; the customer positively influencing other potential customers; and minimizing financial and reputational business risks. |
| Marketing and Advertising | Understanding customer/prospect needs, developing strategies to meet those needs, and promotion of the organization's products/services to a target market via a range of channels to maximize revenue, membership, donations, and/or develop the organization's brand or reputation. Includes market research and analysis and promotion, campaign, and brand management. |
| Industry function | Definition |
| Product Innovation | Research, design, development, and launch of new products, including the engineering of their underlying production processes. |
| Product and Service Portfolio Management | The management of an organization's collection of products and services, including management of the product/service roadmap; product/service portfolio and catalog; product/service quality and performance; and product/service pricing, bundling and markdown. |
| Logistics and Supply Chain Management | Sourcing raw materials or component parts needed and shipping of a finished product. Includes demand planning; procurement/supplier management; inventory management; yard management; allocation management; fulfillment and replenishment; and product distribution and delivery. |
| Production Operations | Manufacture, storage, and tracking of a product and ensuring product and production process quality. Includes operations management, materials management, quality/safety control, packaging management, and management of the tools, equipment, and technologies that support it. |
| Architecture & Engineering | The design and planning of structures or critical infrastructure systems according to scientific, functional, and aesthetic principles. |
| Construction | New construction, assembly, or alteration of buildings and critical infrastructure (e.g. transportation systems; telecommunications systems; utilities generation/transmission/distribution facilities and systems). Includes management of all construction project plans and the people, materials, and equipment required to execute. |
| Real Estate Management | Management of any residential, commercial, or industrial real estate holdings (land and buildings), including any financial dealings such as its purchase, sale, transfer, and rental as well as ongoing maintenance and repair of associated infrastructure and capital assets. |
| Industry function | Definition |
| Core Banking Services | Includes ATM management; account management (opening, deposit/withdrawal, interest calculation, overdraft management, closing); payments processing; funds transfers; foreign currency exchange; cash management. |
| Loan, Mortgage, and Credit Services | Includes application, adjudication, and approval; facility; disbursement/card issuance; authorization management; merchant services; interest calculation; billing/payment; debt/collections management. |
| Investment and Wealth Management | Processes for the investment of premiums/monies received from policy holders/customers to generate wealth. Often two-pronged: internal investment to fund claim payout in the case of insurance, and customer-facing investment as a financial service (e.g. retirement planning/annuities). Includes product development and management, investment management, safety deposit box services, trust management services. |
| Actuarial Analysis & Policy Creation | Development of new policy products based on analysis of past losses and patterns, forecasts of financial risks, and assessment of potential profitability (i.e. actuarial science). These processes also include development of rate schedules (pricing) and the reserves that the insurer needs to have available for potential claim payouts. |
| Underwriting & Policy Administration | Processes for assessing risk of a potential policy holder; determining whether to insure them or not; setting the premiums the policy holder must pay; and administering the policy over the course of its lifecycle (including updates and billing). |
| Claims Processing & Claims Management | Processes for receiving, investigating, evaluating, approving/denying, and disbursing a claim payout. This process is unique to the insurance industry. In health insurance, ongoing case management processes need to be considered here whereby the insurer monitors and approves patient treatments over a long-term basis to ensure that the treatments are both necessary and beneficial. |
| Industry function | Definition |
| Patient Intake & Admissions | Processes whereby key pieces of information about a patient are registered, updated, or confirmed with the healthcare provider in order to access healthcare services. Includes patient triage, intake management, and admissions management. These processes are generally administrative in nature. |
| Patient Diagnosis | A range of methods for determining the medical condition a patient has in order to provide appropriate care or treatment. Includes examination, consultation, testing, and diagnostic imaging. |
| Patient Treatment | The range of medical procedures, methods, and interventions to mitigate, relieve, or cure a patient's symptom, injury, disease, or other medical condition. Includes consultation and referral; treatment and care planning; medical procedure management; nursing and personal support; medicine management; trauma management; diet and nutrition management; and patient transportation. |
| Patient Recovery & Ongoing Care | Processes and methods for tracking the progress of a patient post-treatment; improving their health outcomes; restoring, maintaining, or improving their quality of life; and discharging or transferring them to other providers. Includes remote monitoring of vital parameters, physical therapy, post-trauma care, and a range of restorative and lifestyle modification programs. |
| Industry function | Definition |
| Accommodation | Short-term lodging in hotel facilities. Includes management and maintenance of guest rooms and common spaces, amenities (e.g. swimming pool), and other related services (e.g. valet parking). |
| Gaming | Includes table wagering games and gambling activities such as slot machines or any other activity that includes on premises mobile casino gaming. |
| Food & Beverage Services | Food and beverages prepared, served, or available for sale by the hotel on the hotel premises via restaurants and bars and room service. Excludes catering (see Events Management) and management or operation of independent leased food and beverage establishments located on the hotel premises. |
| Entertainment & Events | Planning, coordination, and on-premises hosting of events including conferences, conventions, trade shows, parties, ceremonies and live entertainment, and other forms of recreation on the hotel premises. Includes all aspects of entertainment operations, facility management and catering for the event. |
Improving software selection is a critical project that will deliver huge value.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Analyze strategic CIO competencies and assess business stakeholder satisfaction with IT using Info-Tech's CIO Business Vision Diagnostic and CXO-CIO Alignment Program.
Evaluate strategic CIO competencies and business stakeholder relationships.
Create a personal development plan and stakeholder management strategy.
Develop a scorecard to track personal development initiatives.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Gather and review information from business stakeholders.
Assess strategic CIO competencies and business stakeholder relationships.
Gathered information to create a personal development plan and stakeholder management strategy.
Analyzed the information from diagnostics and determined the appropriate next steps.
Identified and prioritized strategic CIO competency gaps.
Evaluated the power, impact, and support of key business stakeholders.
1.1 Conduct CIO Business Vision diagnostic
1.2 Conduct CXO-CIO Alignment program
1.3 Assess CIO competencies
1.4 Assess business stakeholder relationships
CIO Business Vision results
CXO-CIO Alignment Program results
CIO competency gaps
Executive Stakeholder Power Map
Create a personal development plan and stakeholder management strategy.
Track your personal development and establish checkpoints to revise initiatives.
Identified personal development and stakeholder engagement initiatives to bridge high priority competency gaps.
Identified key performance indicators and benchmarks/targets to track competency development.
2.1 Create a personal development plan
2.2 Create a stakeholder management strategy
2.3 Establish key performance indicators and benchmarks/targets
Personal Development Plan
Stakeholder Management Strategy
Strategic CIO Competency Scorecard
Implementing exponential IT will require businesses to work with external vendors to facilitate the rapid adoption of cutting-edge technologies such as generative artificial intelligence. IT leaders must:
These challenges require new skills which build trust and collaboration among vendors.
Outcome-based relationships require a higher degree of trust than traditional vendor relationships. Build trust by sharing risks and rewards.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This research walks you through how to assess your capabilities to undertake a new model of vendor relationships and drive exponential IT.
This tool will facilitate your readiness assessment.
|
Exponential IT brings with it an exciting new world of cutting-edge technology and increasingly accelerated growth of business and IT. But adopting and driving change through this paradigm requires new capabilities to grow impactful and meaningful partnerships with external vendors who can help implement technologies like artificial intelligence and virtual reality. Building outcome-based partnerships involves working very closely with vendors who, in many cases, will have just as much to lose as the organizations implementing these new technologies. This requires a greater degree of trust between parties than a standard vendor relationship. It also drastically increases the risks to both organizations; as each loses some control over data and outcomes, they must trust that the other organization will follow through on commitments and obligations. Outcome-based partnerships build upon traditional vendor management practices and create the potential for organizations to embrace emerging technology in new ways. Kim Osborne Rodriguez |
|
Exponential IT drives change |
Vendor relationships must evolve |
To deliver exponential value |
|---|---|---|
|
Implementing exponential IT will require businesses to work with external vendors to facilitate the rapid adoption of cutting-edge technologies such as generative artificial intelligence. IT leaders must:
These challenges require new skills which build trust and collaboration with vendors. |
Traditional vendor management approaches are still important for organizations to develop and maintain. But exponential relationships bring new challenges:
IT leaders must adapt traditional vendor management capabilities to successfully lead this change. |
Outcome-based relationships should not be undertaken lightly as they can significantly impact the risk profile of the organization. Use this research to:
Exponential value relationships will help drive exponential IT and autonomization of the enterprise. |
Info-Tech Insight
Outcome-based partnerships require a higher degree of trust than traditional vendor relationships. Build trust by sharing risks and rewards.
An outcome-based relationship requires a higher level of mutual trust than traditional vendor relationships. This requires shared reward and shared risk.
Don’t forget about traditional vendor management relationships! Not all vendor relationships can (or should) be outcome-based.
INDUSTRY: Technology
SOURCE: Press Release
Microsoft and OpenAI partner on Azure, Teams, and Microsoft Office suite
In January 2023, Microsoft announced a $10 billion investment in OpenAI, allowing OpenAI to continue scaling its flagship large language model, ChatGPT, and giving Microsoft first access to deploy OpenAI’s products in services like GitHub, Microsoft Office, and Microsoft Teams.
Shared risk
Issues with OpenAI’s platforms could have a debilitating effect on Microsoft’s own reputation – much like Google’s $100 billion stock loss following a blunder by its AI platform Bard – not to mention the financial loss if the platform does not live up to the hype.
Shared reward
This was a particularly important strategic move by Microsoft, as its main competitors develop their own AI models in a race to the top. This investment also gave OpenAI the resources to continue scaling and evolving its services much faster than it would be capable of on its own. If OpenAI’s products succeed, there is a significant upside for both companies.
|
Traditional procurement |
Vendor management |
Exponential vendor relationships |
|---|---|---|
|
|
Use this research to successfully |
Use Info-Tech’s research to Jump Start Your Vendor Management Initiative.
Eighty-seven percent of organizations are currently experiencing talent shortages or expect to within a few years.
Sixty-three percent of IT leaders plan to implement AI in their organizations by the end of 2023.
|
Build trust |
Successfully managing exponential relationships requires increased trust and the ability to share both risks and rewards. Outcome-based vendors typically have greater access to intellectual property, customer data, and proprietary methods, which can pose a risk to the organization if this information is used to benefit competitors. Build mutual trust by sharing both risks and rewards. |
|---|---|
|
Manage risk |
Outcome-based relationships with external vendors can drastically affect an organization’s risk profile. Carefully consider third-party risk and shared risk, including ESG risk, as well as the business risk of losing control over capabilities and assets. Qualified risk specialists (such as legal, regulatory, contract, intellectual property law) should be consulted before entering outcome-based relationships. |
|
Drive outcomes |
Fostering strategic relationships can be instrumental in times of crisis, when being the customer of choice for key vendors can push your organization up the line from the vendor’s side – but be careful about relying on this too much. Vendor objectives may not align with yours, and in the end, everyone needs to protect themselves. |
Exponential Relationships Readiness Assessment
Determine your readiness to build exponential value relationships.
Our research indicates that most organizations would take months to prepare this type of assessment without using our research. That’s over 80 person-hours spent researching and gathering data to support due diligence, for a total cost of thousands of dollars. Doesn’t your staff have better things to do?
Start by answering a few brief questions, then return to this slide at the end to see how much your answers have changed.
Use Info-Tech’s research to Exponential Relationships Readiness Assessment.
|
Questions |
Before |
After |
|---|---|---|
|
To what extent are you satisfied with your current vendor management approach? |
||
|
How many of your current vendors would you describe as being of strategic importance? |
||
|
How much do you spend on vendors annually? |
||
|
How much value do you derive from your vendor relationships annually? |
||
|
Do you have a vendor management strategy? |
||
|
What outcomes are you looking to achieve through your vendor relationships? |
||
|
How well do you understand the core capabilities needed to drive successful vendor management? |
||
|
How well do you understand your current readiness to engage in outcome-based vendor relationships? |
||
|
Do you feel comfortable managing the risks when working with organizations to implement artificial intelligence and other autonomous capabilities? |
Manage your budget and spending to stay on track throughout your relationship.
“Most organizations underestimate the amount of time, money, and skill required to build and maintain a successful relationship with another organization. The investment in exponential relationships is exponential in itself – as are the returns.”
This step involves the following participants:
Activities:
Why is this important?
Build it into your practice:
|
Budget procedures |
Financial alignment |
Adaptability |
Financial analysis |
Reporting & compliance |
|---|---|---|---|---|
|
Clearly articulate and communicate budgets, with proactive analysis and reporting. |
There is a strong, direct alignment between financial outcomes and organizational strategy and goals. |
Financial structures can manage many different types of relationships and structures without major overhaul. |
Proactive financial analysis is conducted regularly, with actionable insights. |
This exceeds legal requirements and includes proactive and actionable reporting. |
Drive exponential value by becoming a customer of choice.
“The more complex the business environment becomes — for instance, as new technologies emerge or as innovation cycles get faster — the more such relationships make sense. And the better companies get at managing individual relationships, the more likely it is that they will become “partners of choice” and be able to build entire portfolios of practical and value-creating partnerships.”
This step involves the following participants:
Activities:
Why is this important?
Build it into your practice:
|
Strategic alignment |
Follow-through |
Information sharing |
Shared risk & rewards |
Communication |
|---|---|---|---|---|
|
Work with vendors to create roadmaps and strategies to drive mutual success. |
Ensure demands are reasonable and consistently follow through on commitments. |
Proactively and freely share relevant information between parties. |
Equitably share responsibility for outcomes and benefits from success. |
Ensure clear, proactive, and frequent communication occurs between parties. |
Outcomes management focuses on results, not methods.
According to Jennifer Robinson, senior editor at Gallup, “This approach focuses people and teams on a concrete result, not the process required to achieve it. Leaders define outcomes and, along with managers, set parameters and guidelines. Employees, then, have a high degree of autonomy to use their own unique talents to reach goals their own way.” (Forbes, 2023)
In the context of exponential relationships, vendors can be given a high degree of autonomy provided they meet their objectives.
This step involves the following participants:
Activities:
Why is this important?
Build it into your practice:
|
Goal setting |
Negotiation |
Performance tracking |
Issue |
Scope management |
|---|---|---|---|---|
|
Set specific, measurable and actionable goals, and communicate them with stakeholders. |
Clearly articulate and agree upon measurable outcomes between all parties. |
Proactively track progress toward goals/outcomes and discuss results with vendors regularly. |
Openly discuss potential issues and challenges on a regular basis. Find collaborative solutions to problems. |
Proactively manage scope and discuss with vendors on a regular basis. |
Exponential IT means exponential risk – and exponential rewards.
One of the key differentiators between traditional vendor relationships and exponential relationships is the degree to which risk is shared between parties. This is not possible in all industries, which may limit companies’ ability to participate in this type of exponential relationship.
This step involves the following participants:
Activities:
Why is this important?
Build it into your practice:
Info-Tech Insight
Some highly regulated industries (such as finance) are prevented from transferring certain types of risk. In these industries, it may be much more difficult to form vendor relationships.
Customers care about ESG. You should too.
Protect yourself against third-party ESG risks by considering the environmental and social impacts of your vendors.
Third-party ESG risks can include the following:
Working with vendors that have a poor record of ESG carries a very real reputational risk for organizations who do not undertake appropriate due diligence.
Seventy-seven percent of customers believe companies have a responsibility to manufacture sustainably.
Sixty-eight percent of customers believe businesses should ensure their suppliers meet high social and environmental standards.
Fifty-five percent of customers consider the environmental impact of production in their purchasing decisions.
|
Third-party risk |
Value chain |
Data management |
Regulatory & compliance |
Monitoring & reporting |
|---|---|---|---|---|
|
Understand and assess third-party risk, including ESG risk, in potential relationships. |
Assess risk throughout the value chain for all parties and balance risk among parties. |
Proactively assess and manage potential data risks, including intellectual property and strategic data. |
Manage regulatory and compliance risks, including understanding risk transfer and ultimate risk holder. |
Proactive and open monitoring and reporting of risks, including regular communication among stakeholders. |
Contract management is a critical part of vendor management.
Well-managed contracts include clearly defined pricing, performance-based outcomes, clear roles and responsibilities, and appropriate remedies for failure to meet requirements. In outcome-based relationships, contracts are generally used as a secondary method of enforcing performance, with relationship management being the primary method of addressing challenges and ensuring performance.
This step involves the following participants:
Activities:
|
Pricing |
Performance outcomes |
Roles and responsibilities |
Remedies |
Payment |
|---|---|---|---|---|
|
Pricing is clearly defined in contracts so that the total cost is understood including all fees, optional pricing, and set caps on increases. |
Contracts are performance-based whenever possible, including deliverables, milestones, service levels, due dates, and outcomes. |
Each party's roles and responsibilities are clearly defined in the contract documents with adequate detail. |
Contracts contain appropriate remedies for a vendor's failure to meet SLAs, due dates, and other obligations. |
Payment is made after performance targets are met, approved, or accepted. |
1-3 hours
Download the Exponential Relationships Readiness Assessment tool.
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
This step involves the following participants:
Activities:
Consider the following recommendations based on your readiness assessment scores:
1 hour
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
Jump Start Your Vendor Management Initiative
Create and implement a vendor management framework to begin obtaining measurable results in 90 days.
Elevate Your Vendor Management Initiative
Transform your VMI from tactical to strategic to maximize its impact and value
Evaluate Your Vendor Account Team to Optimize Vendor Relations
Understand the value of knowing your account team’s influence in the organization, and your influence, to drive results.
Build an IT Risk Management Program
Mitigate the IT risks that could negatively impact your organization.
Build an IT Budget
Effective IT budgets are more than a spreadsheet. They tell a story.
Adopt an Exponential IT Mindset
Thrive through the next paradigm shift..
|
|
Kim Osborne Rodriguez |
|
Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach, with a track record of supporting successful projects. Kim holds a Bachelor’s degree in Honours Mechatronics Engineering and an option in Management Sciences from the University of Waterloo. |
|
Jack Hakimian Jack has more than 25 years of technology and management consulting experience. He has served multibillion-dollar organizations in multiple industries including financial services and telecommunications. Jack also served several large public sector institutions. He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management. |
|
Michael Tweedie Mike Tweedie brings over 25 years as a technology executive. He’s led several large transformation projects across core infrastructure, application and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management. Mike holds a Bachelor’s degree in Architecture from Ryerson University. |
|
Scott Bickley Scott Bickley is a Practice Lead & Principal Research Director at Info-Tech Research Group, focused on Vendor Management and Contract Review. He also has experience in the areas of IT Asset Management (ITAM), Software Asset Management (SAM), and technology procurement along with a deep background in operations, engineering, and quality systems management. Scott holds a B.S. in Justice Studies from Frostburg State University. He also holds active IAITAM certification designations of CSAM and CMAM and is a Certified Scrum Master (SCM). |
|
Donna Bales Donna Bales is a Principal Research Director in the CIO Practice at Info-Tech Research Group, specializing in research and advisory services in IT risk, governance, and compliance. She brings over 25 years of experience in strategic consulting and product development and has a history of success in leading complex, multistakeholder industry initiatives. Donna has a bachelor’s degree in economics from the University of Western Ontario. |
|
Jennifer Perrier Jennifer has 25 years of experience in the information technology and human resources research space, joining Info-Tech in 1998 as the first research analyst with the company. Over the years, she has served as a research analyst and research manager, as well as in a range of roles leading the development and delivery of offerings across Info-Tech’s product and service portfolio, including workshops and the launch of industry roundtables and benchmarking. She was also Research Lead for McLean & Company, the HR advisory division of Info-Tech, during its start-up years. Jennifer’s research expertise spans the areas of IT strategic planning, governance, policy and process management, people management, leadership, organizational change management, performance benchmarking, and cross-industry IT comparative analysis. She has produced and overseen the development of hundreds of publications across the full breadth of both the IT and HR domains in multiple industries. In 2022, Jennifer joined Info-Tech’s IT Financial Management Practice with a focus on developing financial transparency to foster meaningful dialogue between IT and its stakeholders and drive better technology investment decisions. |
|
Phil Bode Phil has 30+ years of experience with IT procurement-related topics: contract drafting and review, negotiations, RFXs, procurement processes, and vendor management. Phil has been a frequent speaker at conferences, a contributor to magazine articles in CIO Magazine and ComputerWorld, and quoted in many other magazines. He is a co-author of the book The Art of Creating a Quality RFP. Phil has a Bachelor of Science in Business Administration with a double major of Finance and Entrepreneurship and a Bachelor of Science in Business Administration with a major of Accounting, both from the University of Arizona. |
|
Erin Morgan |
|
Renee Stanley |
Note: Additional contributors did not wish to be identified.
Andrea, Dave. “Plante Moran’s 2022 Working Relations Index® (WRI) Study shows supplier relations can improve amid industry crisis.” Plante Moran, 25 Aug 2022. Accessed 18 May 2023.
Andrea, Dave. “Trust between suppliers and OEMs can better prepare you for the next crisis.” Plante Moran, 9 Sept 2020. Accessed 17 May 2023.
Cleary, Shannon, and Carolan McLarney. “Organizational Benefits of an Effective Vendor Management Strategy.” IUP Journal of Supply Chain Management, Vol. 16, Issue 4, Dec 2019.
De Backer, Ruth, and Eileen Kelly Rinaudo. “Improving the management of complex business partnerships.” McKinsey, 21 March 2019. Accessed 9 May 2023 .
Dennean, Kevin et al. “Let's chat about ChatGPT.” UBS, 22 Feb 2023. Accessed 26 May 2023.
F&I Tools. “Nissan Worldwide Vehicle Sales Report.” Factory Warranty List, 2022. Accessed 18 May 2023.
Gomez, Robin. “Adopting ChatGPT and Generative AI in Retail Customer Service.” Radial, 235, April 2023. Accessed 10 May 2023.
Harms, Thomas and Kristina Rogers. “How collaboration can drive value for you, your partners and the planet.” EY, 26 Oct 2021. Accessed 10 May 2023.
Hedge & Co. “Toyota, Honda finish 1-2; General Motors finishes at 3rd in annual Supplier Working Relations Study.” PR Newswire, 23 May 2022. Accessed 17 May 2023.
Henke Jr, John W., and T. Thomas. "Lost supplier trust, lost profits." Supply Chain Management Review, May 2014. Accessed 17 May 2023.
Information Services Group, Inc. “Global Demand for IT and Business Services Continues Upward Surge in Q2, ISG Index™ Finds.” BusinessWire, 7 July 2021. Accessed 8 May 2023.
Kasanoff, Bruce. “New Study Reveals Costs Of Bad Supplier Relationships.” Forbes, 6 Aug 2014. Accessed 17 May 2023.
Macrotrends. “Nissan Motor Gross Profit 2010-2022.” Macrotrends. Accessed 18 May 2023.
Macrotrends. “Toyota Gross Profit 2010-2022.” Macrotrends. Accessed 18 May 2023.
McKinsey. “Mind the [skills] gap.” McKinsey, 27 Jan 2021. Accessed 18 May 2023.
Morgan, Blake. “7 Examples of How Digital Transformation Impacted Business Performance.” Forbes, 21 Jul 2019. Accessed 10 May 2023.
Nissan Motor Corporation. “Nissan reports strong financial results for fiscal year 2022.” Nissan Global Newsroom, 11 May 2023. Accessed 18 May 2023.
“OpenAI and Microsoft extend partnership.” Open AI, 23 Jan 2023. Accessed 26 May 2023.
Pearson, Bryan. “The Apple Of Its Aisles: How Best Buy Lured One Of The Biggest Brands.“ Forbes, 23 Apr 2015. Accessed 23 May 2023.
Perifanis, Nikolaos-Alexandros and Fotis Kitsios. “Investigating the Influence of Artificial Intelligence on Business Value in the Digital Era of Strategy: A Literature Review.” Information, 2 Feb 2023. Accessed 10 May 2023.
Scott, Tim and Nathan Spitse. “Third-party risk is becoming a first priority challenge.” Deloitte. Accessed 18 May 2023.
Stanley, Renee. Interview by Kim Osborne Rodriguez, 17 May 2023.
Statista. “Toyota's retail vehicle sales from 2017 to 2021.” Statista, 27 Jul 2022. Accessed 18 May 2023.
Tlili, Ahmed, et al. “What if the devil is my guardian angel: ChatGPT as a case study of using chatbots in education.” Smart Learning Environments, 22 Feb 2023. Accessed 9 May 2023.
Vitasek, Kate. “Outcome-Based Management: What It Is, Why It Matters And How To Make It Happen.” Forbes, 12 Jan 2023. Accessed 9 May 2023.
Learn to use metrics in the right way. Avoid staff (subconciously) gaming the numbers, as it is only natural to try to achieve the objective. This is really a case of be careful what you wish for, you may just get it.
Innovation is about people, not ideas or processes. Innovation does not require a formal process, a dedicated innovation team, or a large budget; the most important success factor for innovation is culture. Companies that facilitate innovative behaviors like growth mindset, collaboration, and taking smart risks are most likely to see the benefits of innovation.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This storyboard includes three phases and nine activities that will help you define your purpose, align your people, and build your practice.
Use this template in conjunction with the activities in the main storyboard to create and communicate your innovation program. This template uses sample data from a fictional retailer, Acme Corp, to illustrate an ideal innovation program summary.
This job description can be used to hire your Chief Innovation Officer. There are many other job descriptions available on the Info-Tech website and referenced within the storyboard.
Use this framework to facilitate an ideation session with members of the business. Instructions for how to customize the information and facilitate each section is included within the deck.
This spreadsheet provides an analytical and transparent method to prioritize initiatives based on weighted criteria relevant to your business.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Define your innovation ambitions.
Gain a better understanding of why you are innovating and what your organization will gain from an innovation program.
1.1 Understand your innovation mandate.
1.2 Define your innovation ambitions.
1.3 Determine value proposition & metrics.
Complete the "Our purpose" section of the Innovation Program Template
Complete "Vision and guiding principles" section
Complete "Scope and value proposition" section
Success metrics
Build a culture, operating model, and team that support innovation.
Develop a plan to address culture gaps and identify and implement your operating model.
2.1 Foster a culture of innovation.
2.2 Define your operating model.
Complete "Building an innovative culture" section
Complete "Operating model" section
Create the capability to facilitate innovation.
Create a resourcing plan and prioritization templates to make your innovation program successful.
3.1 Build core innovation capabilities.
3.2 Develop prioritization criteria.
Team structure and resourcing requirements
Prioritization spreadsheet template
Finalize your program and complete the final deliverable.
Walk away with a complete plan for your innovation program.
4.1 Define your methodology to pilot projects.
4.2 Conduct a program retrospective.
Complete "Operating model" section in the template
Notable wins and goals
Many organizations stumble when implementing innovation programs. Innovation is challenging to get right, and even more challenging to sustain over the long term.
One of the common stumbling blocks we see comes from organizations focusing more on the ideas and the process than on the culture and the people needed to make innovation a way of life. However, the most successful innovators are the ones which have adopted a culture of innovation and reinforce innovative behaviors across their organization. Organizational cultures which promote growth mindset, trust, collaboration, learning, and a willingness to fail are much more likely to produce successful innovators.
This research is not just about culture, but culture is the starting point for innovation. My hope is that organizations will go beyond the processes and methodologies laid out here and use this research to dramatically improve their organization's performance.
Kim Osborne Rodriguez
Research Director, CIO Advisory
Info-Tech Research Group
As a leader in your organization, you need to:
In the past, you might have experienced one or more of the following:
This blueprint will help you:
There is no single right way to approach innovation. Begin with an understanding of your innovation ambitions, your existing culture, and the resources available to you, then adopt the innovation operating model that is best suited to your situation.
Note: This research is written for the individual who is leading the development of the innovation. This role is referred to as the Chief Innovation Officer (CINO) throughout this research but could be the CIO, CTO, IT director, or another business leader.
|
75% |
Three-quarters of companies say innovation is a top-three priority. |
|---|---|
|
30% |
But only 30% of executives say their organizations are doing it well. |
Based on a survey of 270 business leaders.
Source: Harvard Business Review, 2018
The most common challenges business leaders experience relate to people and culture. Success is based on people, not ideas.
Politics, turf wars, and a lack of alignment: territorial departments, competition for resources, and unclear roles are holding back the innovation efforts of 55% of respondents.
FIX IT
Senior leadership needs to be clear on the innovation goals and how business units are expected to contribute to them.
Cultural issues: many large companies have a culture that rewards operational excellence and disincentivizes risk. A history of failed innovation attempts may result in significant resistance to new change efforts.
FIX IT
Cultural change takes time. Ensure you are rewarding collaboration and risk-taking, and hire people with fresh new perspectives.
Inability to act on signals crucial to the future of the business: only 18% of respondents indicated their organization was unaware of disruptions, but 42% said they struggled with acting on leading indicators of change.
FIX IT
Build the ability to quickly run pilots or partner with startups and incubators to test out new ideas without lengthy review and approval processes.
Source: Harvard Business Review, 2018
1 Source: Boston Consulting Group, 2021
2 Source: Boston Consulting Group, 2019
3 Source: Harvard Business Review, 2018
Innovators are defined as companies that were listed on Fast Company World's 50 Most Innovative Companies for 2+ years.
A 25-year study by Business Development Canada and Statistics Canada showed that innovation was more important to business success than management, human resources, marketing, or finance.
INDUSTRY: Healthcare
SOURCE: Interview
This Info-Tech member is a nonprofit, community-based mental health organization located in the US. It serves about 25,000 patients per year in community, school, and clinic settings.
This organization takes its innovation culture very seriously and has developed methodologies to assess individual and team innovation readiness as well as innovation types, which it uses to determine everyone's role in the innovation process. These assessments look at knowledge of and trust in the organization, its innovation profile, and its openness to change. Innovation enthusiasts are involved early in the process when it's important to dream big, while more pragmatic perspectives are incorporated later to improve the final solution.
The organization has developed many innovative approaches to delivering healthcare. Notably, they have reimagined patient scheduling and reduced wait times to the extent that some patients can be seen the same day. They are also working to improve access to mental health care despite a shortage of professionals.
|
1. Define Your Purpose |
2. Align Your People |
3. Build Your Practice |
|
|---|---|---|---|
|
Phase Steps |
|
|
|
|
Phase Outcomes |
Understand where the mandate for innovation comes from, and what the drivers are for pursuing innovation. Define what innovation means to your organization, and set the vision, mission, and guiding principles. Articulate the value proposition and key metrics for measuring success. |
Understand what it takes to build an innovative culture, and what types of innovation structure are most suited to your innovation goals. Define an innovation methodology and build your core innovation capabilities and team. |
Gather ideas and understand how to assess and prioritize initiatives based on standardized metrics. Develop criteria for tracking and measuring the success of pilot projects and conduct a program retrospective. |
Innovation Operating Model
The operating model describes how the innovation program delivers value to the organization, including how the program is structured, the steps from idea generation to enterprise launch, and the methodologies used.
Examples: Innovation Hub, Grassroots Innovation.
Innovation Methodology
Methodologies describe the ways the operating model is carried out, and the approaches used in the innovation practice.
Examples: Design Thinking, Weighted Criteria Scoring
Chief Innovation Officer
This research is written for the person or team leading the innovation program – this might be a CINO, CIO, or other leader in the organization.
Innovation Team
The innovation team may vary depending on the operating model, but generally consists of the individuals involved in facilitating innovation across the organization. This may be, but does not have to be, a dedicated innovation department.
Innovation Program
The program for generating ideas, running pilot projects, and building a business case to implement across the enterprise.
Pilot Project
A way of testing and validating a specific concept in the real world through a minimum viable product or small-scale implementation. The pilot projects are part of the overall pilot program.
Innovation is about people, not ideas or processes
Innovation does not require a formal process, a dedicated innovation team, or a large budget; the most important success factor for innovation is culture. Companies that facilitate innovative behaviors like growth mindset, collaboration, and the ability to take smart risk are most likely to see the benefits of innovation.
Very few are doing innovation well
Only 30% of companies consider themselves innovative, and there's a good reason: innovation involves unknowns, risk, and failure – three situations that people and organizations typically do their best to avoid. Counter this by removing the barriers to innovation.
Culture is the greatest barrier to innovation
In a survey of 270 business leaders, the top three most common obstacles were politics, turf wars, and alignment; culture issues; and inability to act on signals crucial to the business (Harvard Business Review, 2018). If you don't have a supportive culture, your ability to innovate will be significantly reduced.
Innovation is a means to an end
It is not the end itself. Don't get caught up in innovation for the sake of innovation – make sure you are getting the benefits from your investments. Measurable success factors are critical for maintaining the long-term success of your innovation engine.
Tackle wicked problems
Innovative approaches are better at solving complex problems than traditional practices. Organizations that prioritize innovation during a crisis tend to outperform their peers by over 30% and improve their market position (McKinsey, 2020).
Innovate or die
Innovation is critical to business growth. A 25-year study showed that innovation was more important to business success than management, human resources, marketing, or finance (Statistics Canada, 2006).
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Sample Job Descriptions and Organization Charts
Determine the skills, knowledge, and structure you need to make innovation happen.
Facilitate an ideation session with your staff to identify areas for innovation.
Initiative Prioritization Workbook
Evaluate ideas to identify those which are most likely to provide value.
Communicate how you plan to innovate with a report summarizing the outputs from this research.
US businesses spend over half a trillion dollars on innovation annually. What are they getting for it?
(1) based on BCG's 50 Most Innovative Companies 2022
30% | The most innovative companies outperform the market by 30%. |
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| Phase 0 | Phase 1 | Phase 2 | Phase 3 | Finish |
|---|---|---|---|---|
|
Call #1: Scope requirements, objectives, and your specific challenges. |
Call #2: Understand your mandate. Call #3: Innovation vision, guiding principles, value proposition, and scope. |
Call #4: Foster a culture of innovation. (Activity 2.1) Call #5: Define your methodology. (Activity 2.2) Call #6: Build core innovation capabilities. (Activity 2.3) |
Call #7: Build your ideation and pilot programs. (Activities 3.1 and 3.2) Call #8: Identify success metrics and notable wins. (Activity 3.3) |
Call #9: Summarize results and plan next steps. |
A GI is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 8 to 12 calls over the course of three to six months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| Session 1 | Session 2 | Session 3 | Session 4 |
Wrap Up |
|
|---|---|---|---|---|---|
|
Activities |
Define Your Ambitions |
Align Your People |
Develop Your Capabilities |
Build Your Program |
Next Steps and |
|
|
|
|
|
|
|
Deliverables |
|
|
|
|
|
Purpose |
People |
Practice |
|---|---|---|
|
|
|
This phase will walk you through the following activities:
This phase involves the following participants:
INDUSTRY: Transportation
SOURCE: Interview
ArcBest
ArcBest is a multibillion-dollar shipping and logistics company which leverages innovative technologies to provide reliable and integrated services to its customers.
An Innovative Culture Starts at the Top
ArcBest's innovative culture has buy-in and support from the highest level of the company. Michael Newcity, ArcBest's CEO, is dedicated to finding better ways of serving their customers and supports innovation across the company by dedicating funding and resources toward piloting and scaling new initiatives.
Having a clear purpose and mandate for innovation at all levels of the organization has resulted in extensive grassroots innovation and the development of a formalized innovation program.
Results
ArcBest has a legacy of innovation, going back to its early days when it developed a business intelligence solution before anything else existed on the market. It continues to innovate today and is now partnering with start-ups to further expand its innovation capabilities.
"We don't micromanage or process-manage incremental innovation. We hire really smart people who are inspired to create new things and we let them run – let them create – and we celebrate it.
Our dedication to innovation comes from the top – I am both the President and the Chief Innovation Officer, and innovation is one of my top priorities."
Michael Newcity
President and Chief Innovation Officer ArcBest
You can only influence what you can control.
Unless your mandate comes from the CEO or Board of Directors, driving enterprise-wide innovation is very difficult. If you do not have buy-in from senior business leaders, use lighthouse projects and a smaller innovation practice to prove the value of innovation before taking on enterprise innovation.
In order to execute on a mandate to build innovation, you don't just need buy-in. You need support in the form of resources and funding, as well as strong leadership who can influence culture and the authority to change policies and practices that inhibit innovation.
For more resources on building relationships in your organization, refer to Info-Tech's Become a Transformational CIO blueprint.
Innovation is often easier to recognize than define.
Align on a useful definition of innovation for your organization before you embark on a journey of becoming more innovative.
Innovation is the practice of developing new methods, products or services which provide value to an organization.
Practice
This does not have to be a formal process – innovation is a means to an end, not the end itself.
New
What does "new" mean to you?
Value
What does value mean to you? Look to your business strategy to understand what goals the organization is trying to achieve, then determine how "value" will be measured.
Some innovations are incremental, while some are radically transformative. Decide what kind of innovation you want to cultivate before developing your strategy.
Evaluate your goals with respect to innovation: focus, strategy, and potential to transform.
Focus: Where will you innovate?
Strategy: To what extent will you guide innovation efforts?
Potential: How radical will your innovations be?
Download the Innovation Program Template.
Input
Output
Materials
Participants
A strong vision statement:
Examples:
"Good business leaders create a vision, articulate the vision, passionately own the vision, and relentlessly drive it to completion." – Jack Welch, Former Chairman and CEO of GE
Strong guiding principles:
Encourage experimentation and risk-taking
Innovation often requires trying new things, even if they might fail. We encourage experimentation and learn from failure, so that new ideas can be tested and refined.
Foster collaboration and cross-functional teams
Innovation often comes from the intersection of different perspectives and skill sets.
Customer-centric
Focus on creating value for the end user. This means understanding their needs and pain points, and using that knowledge to develop new methods, products, or services.
Embrace diversity and inclusivity
Innovation comes from a variety of perspectives, backgrounds, and experiences. We actively seek out and encourage diversity and inclusivity among our team members.
Foster a culture of learning and continuous improvement
Innovation requires continuous learning, development, and growth. We facilitate a culture that encourages learning and development, and that seeks feedback and uses it to improve.
Flexible and adaptable
We adapt to changes in the market, customer needs, and new technologies, so that it can continue to innovate and create value over time.
Data-driven
We use performance metrics and data to guide our innovation efforts.
Transparency
We are open and transparent in our processes and let the business needs guide our innovation efforts. We do not lead innovation, we facilitate it.
Input
Output
Materials
Participants
A strong value proposition not only articulates the value that the business will derive from the innovation program but also provides a clear focus, helps to communicate the innovation goals, and ultimately drives the success of the program.
Focus
Prioritize and focus innovation efforts to create solutions that provide real value to the organization
Communicate
Communicate the mandate and benefits of innovation in a clear and compelling way and inspire people to think differently
Measure Success
Measure the success of your program by evaluating outcomes based on the value proposition
Your success metrics should link back to your organizational goals and your innovation program's value proposition.
Revenue Growth: Increase in revenue generated by new products or services.
Market Share: Percentage of total market that the business captures as a result of innovation.
Customer Satisfaction: Reviews, customer surveys, or willingness to recommend the company.
Employee Engagement: Engagement surveys, performance, employee retention, or turnover.
Innovation Output: The number of new products, services, or processes that have been developed.
Return on Investment: Financial return on the resources invested in the innovation process.
Social Impact: Number of people positively impacted, net reduction in emissions, etc.
Time to Launch: The time it takes for a new product or service to go from idea to launch.
The total impact of innovation is often intangible and extremely difficult to capture in performance metrics. Focus on developing a few key metrics rather than trying to capture the full value of innovation.
| Company | Industry | Revenue(2) (USD billions) |
R&D Spend (USD billions) |
R&D Spend (% of revenue) |
|---|---|---|---|---|
| Apple | Technology | $394.30 | $26.25 | 6.70% |
| Microsoft | Technology | $203.10 | $25.54 | 12.50% |
| Amazon.com | Retail | $502.20 | $67.71 | 13.40% |
| Alphabet | Technology | $282.10 | $37.94 | 13.40% |
| Tesla | Manufacturing | $74.90 | $3.01 | 4.00% |
| Samsung | Technology | $244.39 (2021)(3) | $19.0 (2021) | 7.90% |
| Moderna | Pharmaceuticals | $23.39 | $2.73 | 11.70% |
| Huawei | Technology | $99.9 (2021)4 | Not reported | - |
| Sony | Technology | $83.80 | Not reported | - |
| IBM | Technology | $60.50 | $1.61 | 2.70% |
| Meta | Software | $118.10 | $32.61 | 27.60% |
| Nike | Commercial goods | $49.10 | Not reported | - |
| Walmart | Retail | $600.10 | Not reported | - |
| Dell | Technology | $105.30 | $2.60 | 2.50% |
| Nvidia | Technology | $28.60 | $6.85 | 23.90% |
Innovation requires a dedicated investment of time, money, and resources in order to be successful. The most innovative companies, based on Boston Consulting Group's ranking of the 50 most innovative companies in the world, spend significant portions of their revenue on research and development.
Note: This data uses research and development as a proxy for innovation spending, which may overestimate the total spend on what this research considers true innovation.
(1) Based on Boston Consulting Group's ranking of the 50 most innovative companies in the world, 2022
(2) Macrotrends, based on the 12 months ending Sept 30, 2022
(3) Statista
(4) CNBC, 2022
Input
Output
Materials
Participants
Create a culture that fosters innovative behaviors and puts processes in place to support them.
Purpose | People | Practice |
|---|---|---|
|
|
|
This phase will walk you through the following activities:
This phase involves the following participants:
Info-Tech's Fix Your IT Culture can help you promote innovative behaviors
Refer to Improve IT Team Effectiveness to address team challenges
The following behaviors and key indicators either stifle or foster innovation.
| Stifles Innovation | Key Indicators | Fosters Innovation | Key Indicators |
|---|---|---|---|
| Fixed mindset | "It is what it is" | Growth mindset | "I wonder if there's a better way" |
| Performance focused | "It's working fine" | Learning focused | "What can we learn from this?" |
| Fear of reprisal | "I'll get in trouble" | Psychological safety | "I can disagree" |
| Apathy | "We've always done it this way" | Curiosity | "I wonder what would happen if…" |
| Cynicism | "It will never work" | Trust | "You have good judgement" |
| Punishing failure | "Who did this?" | Willingness to fail | "It's okay to make mistakes" |
| Individualism | "How does this benefit me?" | Collaboration | "How does this benefit us?" |
| Homogeneity | "We never disagree" | Diversity and inclusion | "We appreciate different views" |
| Excessive bureaucracy | "We need approval" | Autonomy | "I can do this" |
| Risk avoidance | "We can't try that" | Appropriate risk-taking | "How can we do this safely?" |
Ensure you are not inadvertently stifling innovation.
Review the following to ensure that the desired behaviors are promoted:
INDUSTRY: Commercial Real Estate and Retail
SOURCE: Interview
This anonymous national organization owned commercial properties across the country and had the goal of becoming the most innovative real estate and retail company in the market.
The organization pursued innovation in the digital solutions space across its commercial and retail properties. Within this space, there were significant differences in risk tolerance across teams, which resulted in the more risk-tolerant teams excluding the risk-averse members from discussions in order to circumvent corporate policies on risk tolerance. This resulted in an adversarial and siloed culture where each group believed they knew better than the other, and the more risk-averse teams felt like they were policing the actions of the risk-tolerant group.
Morale plummeted, and many of the organization's top people left. Unfortunately, one of the solutions did not meet regulatory requirements, and the company faced negative media coverage and legal action. There was significant reputational damage as a result.
Considering differences in risk tolerance and risk appetite is critical when pursuing innovation. While everyone doesn't have to agree, leadership needs to understand the different perspectives and ensure that no one party is dominating the conversation over the others. An understanding of corporate risk tolerance and risk appetite is necessary to drive innovation.
All perspectives have a place in innovation. More risk tolerant perspectives should be involved early in the ideas-generation phase, and risk-averse perspectives should be considered later when ideas are being refined.
Speed should not override safety or circumvent corporate policies.
It is more important to match the level of risk tolerance to the degree of innovation required. Not all innovation needs to be (or can feasibly be) disruptive.
Many factors impact risk tolerance including:
Use Info-Tech's Security Risk Management research to better understand risk tolerance
Input
Output
Materials
Participants
There is no one right way to pursue innovation, but some methods are better than others for specific situations and goals. Consider your existing culture, your innovation goals, and your budget when selecting the right methodology for your innovation.
| Model | Description | Advantages | Disadvantages | Good when… |
|---|---|---|---|---|
| Grassroots Innovation | Innovation is the responsibility of everyone, and there is no centralized innovation team. Ideas are piloted and scaled by the person/team which produces it. |
|
|
|
| Community of Practice | Innovation is led by a cross-divisional Community of Practice (CoP) which includes representation from across the business. Champions consult with their practice areas and bring ideas forward. |
|
|
|
| Innovation Enablement *Most often recommended* |
A dedicated innovation team with funding set aside to support pilots with a high degree of autonomy, with the role of facilitating business-led innovation. |
|
|
|
| Center of Excellence | Dedicated team responsible for leading innovation on behalf of the organization. Generally, has business relationship managers who gather ideas and liaise with the business. |
|
|
|
| Innovation Hub | An arm's length innovation team is responsible for all or much of the innovation and may not interact much with the core business. |
|
|
|
| Outsourced Innovation | Innovation is outsourced to an external organization which is not linked to the primary organization. This can take the form of working with or investing in startups. |
|
|
|
Adapted from Niklaus Gerber via Medium, 2022
For example, design thinking tends to be excellent for earlier innovation planning, while Agile can allow for faster implementation and launch of initiatives later in the process.
Consider combining two or more methodologies to create a custom approach that best suits your organization's capabilities and goals.
A robust innovation methodology ensures that the process for developing, prioritizing, selecting, implementing, and measuring initiatives is aligned with the results you are hoping to achieve.
Different types of problems (drivers for innovation) may necessitate different methodologies, or a combination of methodologies.
Hackathon: An event which brings people together to solve a well-defined problem.
Design Thinking: Creative approach that focuses on understanding the needs of users.
Lean Startup: Emphasizes rapid experimentation in order to validate business hypotheses.
Design Sprint: Five-day process for answering business questions via design, prototyping, and testing.
Agile: Iterative design process that emphasizes project management and retrospectives.
Three Horizons: Framework that looks at opportunities on three different time horizons.
Innovation Ambition Matrix: Helps organizations categorize projects as part of the core offering, an adjacent offering, or completely new.
Global Innovation Management: A process of identifying, developing and implementing new ideas, products, services, or processes using alternative thinking.
Blue Ocean Strategy: A methodology that helps organizations identify untapped market space and create new markets via unique value propositions.
Input
Output
Materials
Participants
Types of roles will depend on the purpose and size of the innovation team.
You don't need to grow them all internally. Consider partnering with vendors and other organizations to build capabilities.
Visionaries who inspire, support, and facilitate innovation across the business. Their responsibilities are to drive the culture of innovation.
Key skills and knowledge:
Sample titles:
Translate ideas into tangible business initiatives, including assisting with business cases and developing performance metrics.
Key skills and knowledge:
Sample titles:
Provide expertise in product design, delivery and management, and responsible for supporting and executing on pilot projects.
Key skills and knowledge:
Sample titles:
Visualize the whole value delivery process end-to-end to help identify the types of roles, resources, and capabilities required. These capabilities can be sourced internally (i.e. grow and hire internally) or through collaboration with centers of excellence, commercial partners, etc.
Input
Output
Materials
Participants
Master Organizational Change Management Practices
Purpose | People | Practice |
|---|---|---|
|
|
|
This phase will walk you through the following activities:
This phase involves the following participants:
INDUSTRY: Government
SOURCE: Interview
The business applications group at this government agency strongly believes that innovation is key to progress and has instituted a formal innovation program as part of their agile operations. The group uses a Scaled Agile Framework (SAFe) with 2-week sprints and a 12-week program cycle.
To support innovation across the business unit, the last sprint of each cycle is dedicated toward innovation and teams do not commit to any other during these two weeks. At the end of each innovation sprint, ideas are presented to leadership and the valuable ones were either implemented initially or were given time in the next cycle of sprints for further development. This has resulted in a more innovative culture across the practice.
There have been several successful innovations since this process began. Notably, the agency had previously purchased a robotic process automation platform which was only being used for a few specific applications. One team used their innovation sprint to expand the use cases for this solution and save nearly 10,000 hours of effort.
Your operating model should include several steps including ideation, validation, evaluation and prioritization, piloting, and a retrospective which follows the pilot. Use the example on this slide when designing your own innovation operating model.
Design Thinking
A structured approach that encourages participants to think creatively about the needs of the end user.
Ideation Workshop
A formal session that is used to understand a problem then generate potential solutions. Workshops can incorporate the other methodologies (such as brainstorming, design thinking, or mind mapping) to generate ideas.
Crowdsourcing
An informal method of gathering ideas from a large group of people. This can be a great way to generate many ideas but may lack focus.
Value Proposition Canvas
A visual tool which helps to identify customer (or user) needs and design products and services that meet those needs.
Evaluation should be transparent and use both quantitative and qualitative metrics. The exact metrics used will depend on your organization and goals.
It is important to include qualitative metrics as these dimensions are better suited to evaluating highly innovative ideas and can capture important criteria like alignment with overall strategy and feasibility.
Develop 5 to 10 criteria that you can use to evaluate and prioritize ideas. Some criteria may be a pass/fail (for example, minimum ROI) and some may be comparative.
Evaluate
The first step is to evaluate ideas to determine if they meet the minimum criteria. This might include quantitative criteria like ROI as well as qualitative criteria like strategic alignment and feasibility.
Prioritize
Ideas that pass the initial evaluation should be prioritized based on additional criteria which might include quantitative criteria such as potential market size and cost to implement, and qualitative criteria such as risk, impact, and creativity.
Quantitative metrics are objective and easily comparable between initiatives, providing a transparent and data-driven process for evaluation and prioritization.
Examples:
Qualitative metrics are less easily comparable but are equally important when it comes to evaluating ideas. These should be developed based on your organization strategy and innovation goals.
Examples:
Input
Output
Materials
Participants
Download the Initiative Prioritization Template
"Learning is as powerful as the outcome." – Brett Trelfa, CIO, Arkansas Blue Cross
Adoption: How many end users have adopted the pilot solution?
Utilization: Is the solution getting utilized?
Support Requests: How many support requests have there been since the pilot was initiated?
Value: Is the pilot delivering on the value that it proposed? For example, time savings.
Feasibility: Has the feasibility of the solution changed since it was first proposed?
Satisfaction: Focus groups or surveys can provide feedback on user/customer satisfaction.
A/B Testing: Compare different methods, products or services.
Ensure standard core metrics are used across all pilot projects so that outcomes can be compared. Additional metrics may be used to refine and test hypotheses through the pilot process.
Input
Output
Materials
Participants
A retrospective is a review of your innovation program with the aim of identifying lessons learned, areas for improvement, and opportunities for growth.
During a retrospective, the team will reflect on past experiences and use that information to inform future decision making and improve outcomes.
The goal of a retrospective is to learn from the past and use that knowledge to improve in the future.
Ensure that the retrospective is based on facts and objective data, rather than personal opinions or biases.
Ensure that the retrospective is a positive and constructive experience, with a focus on finding solutions rather than dwelling on problems.
The retrospective should result in a clear action plan with specific steps to improve future initiatives.
Input
Output
Materials
Participants
Adopt Design Thinking in Your Organization
Prototype With an Innovation Design Sprint
Fund Innovation With a Minimum Viable Business Case
You have now completed your innovation strategy, covering the following topics:
If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Accelerate Digital Transformation With a Digital Factory
Sustain and Grow the Maturity of Innovation in Your Enterprise
Define Your Digital Business Strategy
Kim Osborne Rodriguez
Research Director, CIO Advisory
Info-Tech Research Group
Kim is a professional engineer and Registered Communications Distribution Designer with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach, with a track record of supporting successful projects.
Kim holds a Bachelor's degree in Mechatronics Engineering from University of Waterloo.
Joanne Lee
Principal Research Director, CIO Advisory
Info-Tech Research Group
Joanne is an executive with over 25 years of experience in digital technology and management consulting across both public and private entities from solution delivery to organizational redesign across Canada and globally.
Prior to joining Info-Tech Research Group, Joanne was a management consultant within KPMG's CIO management consulting services and the Western Canadas Digital Health Practice lead. She has held several executive roles in the industry with the most recent position as Chief Program Officer for a large $450M EHR implementation. Her expertise spans cloud strategy, organizational design, data and analytics, governance, process redesign, transformation, and PPM. She is passionate about connecting people, concepts, and capital.
Joanne holds a Master's in Business and Health Policy from the University of Toronto and a Bachelor of Science (Nursing) from the University of British Columbia.
Jack Hakimian
Senior Vice President
Info-Tech Research Group
Jack has more than 25 years of technology and management consulting experience. He has served multi-billion-dollar organizations in multiple industries including Financial Services and Telecommunications. Jack also served a number of large public sector institutions.
He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master's degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.
Michael Tweedie
Practice Lead, CIO Strategy
Info-Tech Research Group
Mike Tweedie brings over 25 years as a technology executive. He's led several large transformation projects across core infrastructure, application, and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management.
Mike holds a Bachelor's degree in Architecture from Ryerson University.
Mike Schembri
Senior Executive Advisor
Info-Tech Research Group
Mike is the former CIO of Fuji Xerox Australia and has 20+ years' experience serving IT and wider business leadership roles. Mike has led technical and broader business service operations teams to value and growth successfully in organizations ranging from small tech startups through global IT vendors, professional service firms, and manufacturers.
Mike has passion for strategy and leadership and loves working with individuals/teams and seeing them grow.
John Leidl
Senior Director, Member Services
Info-Tech Research Group
With over 35 years of IT experience, including senior-level VP Technology and CTO leadership positions, John has a breadth of knowledge in technology innovation, business alignment, IT operations, and business transformation. John's experience extends from start-ups to corporate enterprise and spans higher education, financial services, digital marketing, and arts/entertainment.
Joe Riley
Senior Workshop Director
Info-Tech Research Group
Joe ensures our members get the most value out of their Info-Tech memberships by scoping client needs, current state and desired business outcomes, and then drawing upon his extensive experience, certifications, and degrees (MBA, MS Ops/Org Mgt, BS Eng/Sci, ITIL, PMP, Security+, etc.) to facilitate our client's achievement of desired and aspirational business outcomes. A true advocate of ITSM, Joe approaches technology and technology practices as a tool and enabler of people, core business, and competitive advantage activities.
Denis Goulet
Senior Workshop Director
Info-Tech Research Group
Denis is a transformational leader and experienced strategist who has worked with 100+ organizations to develop their digital, technology, and governance strategies.
He has held positions as CIO, Chief Administrative Office (City Manager), General Manager, Vice President of Engineering, and Management Consultant, specializing in enterprise and technology strategy.
Cole Cioran
Managing Partner
Info-Tech Research Group
I knew I wanted to build great applications that would delight their users. I did that over and over. Along the way I also discovered that it takes great teams to deliver great applications. Technology only solves problems when people, processes, and organizations change as well. This helped me go from writing software to advising some of the largest organizations in the world on how to how to build a digital delivery umbrella of Product, Agile, and DevOps and create exceptional products and services powered by technology.
Carlene McCubbin
Research Lead, CIO Practice
Info-Tech Research Group
During her tenure at Info-Tech, Carlene has led the development of Info-Tech's Organization and Leadership practice and worked with multiple clients to leverage the methodologies by creating custom programs to fit each organization's needs.
Before joining Info-Tech, Carlene received her Master of Communications Management from McGill University, where she studied development of internal and external communications, government relations, and change management.
Isabelle Hertanto
Principal Research Director
Info-Tech Research Group
Isabelle Hertanto has over 15 years of experience delivering specialized IT services to the security and intelligence community. As a former federal officer for Public Safety Canada, Isabelle trained and led teams on data exploitation and digital surveillance operations in support of Canadian national security investigations. Since transitioning into the private sector, Isabelle has held senior management and consulting roles across a variety of industry sectors, including retail, construction, energy, healthcare, and the broader Canadian public sector.
Hans Eckman
Principal Research Director
Info-Tech Research Group
Hans Eckman is a business transformation leader helping organizations connect business strategy and innovation to operational excellence. He supports Info-Tech members in SDLC optimization, Agile and DevOps implementation, CoE/CoP creation, innovation program development, application delivery, and leadership development. Hans is based out of Atlanta, Georgia.
Valence Howden
Principal Research Director
Info-Tech Research Group
With 30 years of IT experience in the public and private sector, Valence has developed experience in many Information Management and Technology domains, with a particular focus in the areas of Service Management, Enterprise and IT Governance, Development and Execution of Strategy, Risk Management, Metrics Design and Process Design, and Implementation and Improvement. Prior to joining Info-Tech, he served in technical and client-facing roles at Bell Canada and CGI Group Inc., as well as managing the design, integration, and implementation of services and processes in the Ontario Public Sector.
Clayton Gillett
Managing Partner
Info-Tech Research Group
Clayton Gillett is a Managing Partner for Info-Tech, providing technology management advisory services to healthcare clients. Clayton joined Info-Tech with more than 28 years of experience in health care information technology. He has held senior IT leadership roles at Group Health Cooperative of Puget Sound and OCHIN, as well as advisory or consulting roles at ECG Management Consultants and Gartner.
Donna Bales
Principal Research Director
Info-Tech Research Group
Donna Bales is a Principal Research Director in the CIO Practice at Info-Tech Research Group specializing in research and advisory services in IT risk, governance, and compliance. She brings over 25 years of experience in strategic consulting and product development and has a history of success in leading complex, multi-stakeholder industry initiatives.
Igor Ikonnikov
Research Director
Info-Tech Research Group
Igor Ikonnikov is a Research and Advisory Director in the Data and Analytics practice. Igor has extensive experience in strategy formation and execution in the information management domain, including master data management, data governance, knowledge management, enterprise content management, big data, and analytics.
Igor has an MBA from the Ted Rogers School of Management (Toronto, Canada) with a specialization in Management of Technology and Innovation.
Michael Newcity
Chief Innovation Officer
ArcBest
Kevin Yoder
Vice President, Innovation
ArcBest
Gary Boyd
Vice President, Information Systems & Digital Transformation
Arkansas Blue Cross and Blue Shield
Brett Trelfa
Chief Information Officer
Arkansas Blue Cross and Blue Shield
Kristen Wilson-Jones
Chief Technology & Product Officer
Medcurio
Note: additional contributors did not wish to be identified
Altringer, Beth. "A New Model for Innovation in Big Companies" Harvard Business Review. 19 Nov. 2013. Accessed 30 Jan. 2023. https://hbr.org/2013/11/a-new-model-for-innovation-in-big-companies
Arpajian, Scott. "Five Reasons Why Innovation Fails" Forbes Magazine. 4 June 2019. Accessed 31 Jan. 2023. https://www.forbes.com/sites/forbestechcouncil/2019/06/04/five-reasons-why-innovation-fails/?sh=234e618914c6
Baldwin, John & Gellatly, Guy. "Innovation Capabilities: The Knowledge Capital Behind the Survival and Growth of Firms" Statistics Canada. Sept. 2006. Accessed 30 Jan. 2023. https://www.bdc.ca/fr/documents/other/innovation_capabilities_en.pdf
Bar Am, Jordan et al. "Innovation in a Crisis: Why it is More Critical Than Ever" McKinsey & Company, 17 June 2020. Accessed 12 Jan. 2023. <https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/innovation-in-a-crisis-why-it-is-more-critical-than-ever >
Boston Consulting Group, "Most Innovative Companies 2021" BCG, April 2021. Accessed 30 Jan. 2023. https://web-assets.bcg.com/d5/ef/ea7099b64b89860fd1aa3ec4ff34/bcg-most-innovative-companies-2021-apr-2021-r.pdf
Boston Consulting Group, "Most Innovative Companies 2022" BGC, 15 Sept. 2022. Accessed 6 Feb. 2023. https://www.bcg.com/en-ca/publications/2022/innovation-in-climate-and-sustainability-will-lead-to-green-growth
Christensen, Clayton M. The Innovator's Dilemma: When New Technologies Cause Great Firms to Fail. Harvard Business Review Press, 2016.
Gerber, Niklaus. "What is innovation? A beginner's guide into different models, terminologies and methodologies" Medium. 20 Sept 2022. Accessed 7 Feb. 2023. https://world.hey.com/niklaus/what-is-innovation-a-beginner-s-guide-into-different-models-terminologies-and-methodologies-dd4a3147
Google X, Homepage. Accessed 6 Feb. 2023. https://x.company/
Harnoss, Johann D. & Baeza, Ramón. "Overcoming the Four Big Barriers to Innovation Success" Boston Consulting Group, 24 Sept. 2019. Accessed 30 Jan 2023. https://www.bcg.com/en-ca/publications/2019/overcoming-four-big-barriers-to-innovation-success
Jaruzelski, Barry et al. "Global Innovation 1000 Study" Pricewaterhouse Cooper, 30 Oct. 2018. Accessed 13 Jan. 2023. <https://www.strategyand.pwc.com/gx/en/insights/innovation1000.html>
Kharpal, Arjun. "Huawei posts first-ever yearly revenue decline as U.S. sanctions continue to bite, but profit surges" CNBC. 28 March 2022. Accessed 7 Feb. 2023. https://www.cnbc.com/2022/03/28/huawei-annual-results-2021-revenue-declines-but-profit-surges.html
Kirsner, Scott. "The Biggest Obstacles to Innovation in Large Companies" Harvard Business Review, 30 July 2018. Accessed 12 Jan. 2023. <https://hbr.org/2018/07/the-biggest-obstacles-to-innovation-in-large-companies>
Macrotrends. "Apple Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/AAPL/apple/revenue
Macrotrends. "Microsoft Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/MSFT/microsoft/revenue
Macrotrends. "Amazon Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/AMZN/amazon/revenue
Macrotrends. "Alphabet Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/GOOG/alphabet/revenue
Macrotrends. "Tesla Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/TSLA/tesla/revenue
Macrotrends. "Moderna Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/MRNA/moderna/revenue
Macrotrends. "Sony Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/SONY/sony/revenue
Macrotrends. "IBM Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/IBM/ibm/revenue
Macrotrends. "Meta Platforms Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/META/meta-platforms/revenue
Macrotrends. "NIKE Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/NKE/nike/revenue
Macrotrends. "Walmart Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/WMT/walmart/revenue
Macrotrends. "Dell Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/DELL/dell/revenue
Macrotrends. "NVIDIA Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/NVDA/nvidia/revenue
Sloan, Paul. "How to Develop a Vision for Innovation" Innovation Management, 10 Aug. 2009. Accessed 7 Feb. 2023. https://innovationmanagement.se/2009/08/10/how-to-develop-a-vision-for-innovation/
Statista. "Samsung Electronics' global revenue from 2005 to 2021" Statista. Accessed 7 Feb. 2023. https://www.statista.com/statistics/236607/global-revenue-of-samsung-electronics-since-2005/
Tichy, Noel & Ram Charan. "Speed, Simplicity, Self-Confidence: An Interview with Jack Welch" Harvard Business Review, 2 March 2020. Accessed 7 Feb. 2023. https://hbr.org/1989/09/speed-simplicity-self-confidence-an-interview-with-jack-welch
Weick, Karl and Kathleen Sutcliffe. Managing the Unexpected: Sustained Performance in a Complex World, Third Edition. John Wiley & Sons, 2015.
Xuan Tian, Tracy Yue Wang, Tolerance for Failure and Corporate Innovation, The Review of Financial Studies, Volume 27, Issue 1, 2014, Pages 211–255, Accessed https://doi.org/10.1093/rfs/hhr130
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Analyze the current mix of programs and projects in your portfolio and assess the maturity of your current PPM processes.
Enhance and optimize your portfolio management processes to ensure portfolio criteria are clearly defined and consistently applied across the project lifecycle when making decisions about which projects to include or remove from the portfolio.
Implement your portfolio management improvement initiatives to ensure long-term sustainable adoption of new PPM practices.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Analyze the current mix of the portfolio to determine how to better organize it according to organizational goals and constraints.
Assess which PPM processes need to be enhanced to better organize the portfolio.
An analysis of the existing portfolio of projects (highlighting areas of concern).
An analysis of the maturity of current PPM processes and their ability to support the maintenance of an organized portfolio.
1.1 Pre-work: Prepare a complete project list.
1.2 Define existing portfolio categories, criteria, and targets.
1.3 Analyze the current portfolio mix.
1.4 Identify areas of concern with current portfolio mix.
1.5 Review the six COBIT sub-processes for portfolio management (APO05.01-06).
1.6 Assess the degree to which these sub-processes have been currently achieved at the organization.
1.7 Assess the degree to which portfolio-supporting IT governance and management processes exist.
1.8 Perform a gap analysis.
Analysis of the current portfolio mix
Assessment of COBIT alignment and gap analysis.
Define clear and usable portfolio criteria.
Record/design portfolio management processes that will support the consistent use of portfolio criteria at all stages of the project lifecycle.
Clearly defined and usable portfolio criteria.
A portfolio management framework that supports the consistent use of the portfolio criteria across all stages of the project lifecycle.
2.1 Identify determinants of the portfolio mix, criteria, and constraints.
2.2 Define the target mix, portfolio criteria, and portfolio metrics.
2.3 Identify sources of funding and resourcing.
2.4 Review and record the portfolio criteria based upon the goals and constraints.
2.5 Create a PPM improvement roadmap.
Portfolio criteria
Portfolio metrics for intake, monitoring, closure, termination, reprioritization, and benefits tracking
Portfolio Management Improvement Roadmap
Ensure that the portfolio criteria are used to guide decision making at each stage of the project lifecycle when making decisions about which projects to include or remove from the portfolio.
Processes that support decision making based upon the portfolio criteria.
Processes that ensure the portfolio remains consistently organized according to the portfolio criteria.
3.1 Ensure that the metrics used for each sub-process are based upon the standard portfolio criteria.
3.2 Establish the roles, accountabilities, and responsibilities for each sub-process needing improvement.
3.3 Outline the workflow for each sub-process needing improvement.
A RACI chart for each sub-process
A workflow for each sub-process
Ensure that the portfolio management improvement initiatives are sustainably adopted in the long term.
Stakeholder engagement.
Sustainable long-term adoption of the improved portfolio management practices.
4.1 Conduct a change impact analysis.
4.2 Create a stakeholder engagement plan.
Change Impact Analysis
Stakeholder Engagement Plan
Completed Portfolio Management SOP
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand the true drivers of customer satisfaction and build a process for managing and improving customer satisfaction.
EXECUTIVE BRIEF
“Healthy customer relationships are the paramount to long-term growth. When customers are satisfied, they remain loyal, spend more, and promote your company to others in their network. The key to high satisfaction is understanding and measuring the true drivers of satisfaction to enable the delivery of real customer value.
Most companies believe they know who their satisfied customers are and what keeps them satisfied, and 76% of B2B buyers expect that providers understand their unique needs (Salesforce Research, 2020). However, on average B2B companies have customer experience scores of less than 50% (McKinsey, 2016). This disconnect between customer expectations and provider experience indicates that businesses are not effectively measuring and monitoring satisfaction and therefore are not making meaningful enhancements to their service, offerings, and overall experience.
By focusing on the underlying drivers of customer satisfaction, organizations develop a truly accurate picture of what is driving deep satisfaction and loyalty, ensuring that their company will achieve sustainable growth and stay competitive in a highly competitive market.”
Emily Wright
Senior Research Analyst, Advisory
SoftwareReviews
Your Challenge |
Common Obstacles |
SoftwareReviews’ Approach |
|---|---|---|
Getting a truly accurate picture of satisfaction levels among customers, and where to focus efforts to improve satisfaction, is challenging. Providers often find themselves reacting to customer challenges and being blindsided when customers leave. More effective customer satisfaction measurement is possible when providers self-assess for the following challenges:
|
What separates customer success leaders from developing a full view of their customers are several nagging obstacles:
|
Through the SoftwareReviews’ approach, customer success leaders will:
|
All companies measure satisfaction in some way, but many lack understanding of what’s truly driving customers to stay or leave. By understanding the true drivers of satisfaction, solution providers can measure and monitor satisfaction more effectively, pull actionable insights and feedback, and make changes to products and services that customers really care about. This will keep them coming back to you to have their needs met.
Measuring customer satisfaction is critical to understanding the overall health of your customer relationships and driving growth.
Through effective customer satisfaction measurement, organizations can:
Improve Customer Experience |
Increase Retention and CLV |
Increase Profitability |
Reduce Costs |
|---|---|---|---|
|
|
|
|
“Measuring customer satisfaction is vital for growth in any organization; it provides insights into what works and offers opportunities for optimization. Customer satisfaction is essential for improving loyalty rate, reducing costs and retaining your customers.”
-Ken Brisco, NICE, 2019
Direct and Indirect Costs |
Being unaware of true drivers of satisfaction that are never remedied costs your business directly through customer churn, service costs, etc. |
|---|---|
Tarnished Brand |
Tarnished brand through not resolving issues drives dissatisfaction; dissatisfied customers share their negative experiences, which can damage brand image and reputation. |
Waste Limited Resources |
Putting limited resources towards vanity programs and/or fixes that have little to no bearing on core satisfaction drivers wastes time and money. |
“When customer dissatisfaction goes unnoticed, it can slowly kill a company. Because of the intangible nature of customer dissatisfaction, managers regularly underestimate the magnitude of customer dissatisfaction and its impact on the bottom line.”
- Lakshmiu Tatikonda, “The Hidden Costs of Customer Dissatisfaction”, 2013
Most companies struggle to understand what’s truly driving customers to stay or leave. By understanding the true satisfaction drivers, tech providers can measure and monitor satisfaction more effectively, avoiding the numerous harmful consequences that result from average customer satisfaction measurement.
|
|
Surface-level satisfaction has immediate effects, but they are usually short-term or limited to certain groups of users. There are several factors that contribute to satisfaction including:
Deep satisfaction has long-term and meaningful impacts on the way that organizations work. Deep satisfaction has staying power and increases or maintains satisfaction over time, by reducing complexity and delivering exceptional quality for end-users and IT alike. This report found that the following capabilities provided the deepest levels of satisfaction:
The above solve issues that are part of everyday problems, and each drives satisfaction in deep and meaningful ways. While surface-level satisfaction is important, deep and impactful capabilities can sustain satisfaction for a longer time.
Driving deep satisfaction among software customers vs. surface-level measures is key
Vendor capabilities and product features correlate significantly to buyer satisfaction
Yet, it’s the emotional attributes – what we call the “Emotional Footprint”, that correlate more strongly
Software companies looking to improve customer satisfaction will focus on business value created and the Emotional Footprint attributes outlined here.
The essential ingredient is understanding how each is defined by your customers.
Leaders focus on driving improvements as described by customers.
These true drivers of satisfaction should be considered in your customer satisfaction measurement and monitoring efforts. The experience customers have with your product and brand is what will differentiate your brand from competitors, and ultimately, power business growth. Talk to a SoftwareReviews Advisor to learn how users rate your product on these satisfaction drivers in the SoftwareReviews Emotional Footprint Report.
“81% of organizations cite CX as a competitive differentiator. The top factor driving digital transformation is improving CX […] with companies reporting benefits associated with improving CX including:
– Dan Cote, “Advocacy Blooms and Business Booms When Customers and Employees Engage”, Influitive, 2021
1. Identify true customer satisfaction drivers |
2. Develop metrics dashboard |
3. Develop customer satisfaction measurement and management plan |
|
|---|---|---|---|
Phase Steps |
|
|
|
Phase Outcomes |
|
|
|
All software companies measure satisfaction in some way, but many lack understanding of what’s truly driving customers to stay or leave. By understanding the true drivers of satisfaction, solution providers can measure and monitor satisfaction more effectively, pull actionable insights and feedback, and make changes to products and services that customers really care about and which will keep them coming back to you to have their needs met.
Positive experiences drive satisfaction more so than features and cost
According to our analysis of software buyer reviews data*, the biggest drivers of satisfaction and likeliness to recommend are the positive experiences customers have with vendors and their products. Customers want to feel that:
Measure Key Relationship KPIs to gauge satisfaction
Key metrics to track include the Business Value Created score, Net Emotional Footprint, and the Love/Hate score (the strength of emotional connection).
Orient the organization around customer experience excellence
Have a designated committee for customer satisfaction measurement
Best in class organizations create customer satisfaction committees that meet regularly to measure and monitor customer satisfaction, resolve issues quickly, and work towards improved customer experience and profit outcomes.
Use metrics that align to top satisfaction drivers
This will give you a more accurate and fulsome view of customer satisfaction than standard satisfaction metrics alone will.
Identify True Customer Satisfaction Drivers |
Develop Metrics Dashboard | Develop Customer Satisfaction Measurement and Management Plan |
|---|---|---|
Call #1: Discuss current pain points and barriers to successful customer satisfaction measurement, monitoring and maintenance. Plan next call – 1 week. Call #2: Discuss all available data, noting any gaps. Develop plan to fill gaps, discuss feasibility and timelines. Plan next call – 1 week. Call #3: Walk through SoftwareReviews reports to understand EF and satisfaction drivers. Plan next call – 3 days. Call #4: Segment customers and document key satisfaction drivers. Plan next call – 2 week. |
Call #5: Document business goals and align them to metrics. Plan next call – 1 week. Call #6: Complete the SoftwareReviews satisfaction measurement diagnostic. Plan next call – 3 days. Call #7: Score list of metrics that align to satisfaction drivers. Plan next call – 2 days. Call #8: Develop metrics dashboard and definitions. Plan next call – 2 weeks. Call #9: Finalize metrics dashboard and definitions. Plan next call – 1 week. |
Call #10: Discuss committee and determine governance. Plan next call – 2 weeks. Call #11: Map out gaps in satisfaction along customer journey as they relate to top satisfaction drivers. Plan next call –2 weeks. Call #12: Develop plan and roadmap for satisfaction improvement. Plan next call – 1 week. Call #13: Finalize plan and roadmap. Plan next call – 1 week. Call # 14: Review and coach on communication deck. |
A Guided Implementation (GI) is series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization.
For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst.
Your engagement managers will work with you to schedule analyst calls.
DIY Toolkit |
Guided Implementation |
Workshop |
Consulting |
|---|---|---|---|
| “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” | “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” | “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” | “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” |
| Included within Advisory Membership | Optional add-ons | ||
“Are you experienced?” Bain & Company, Apr. 2015. Accessed 6 June. 2022.
Brisco, Ken. “Measuring Customer Satisfaction and Why It’s So Important.” NICE, Feb. 2019. Accessed 6 June. 2022.
CMO.com Team. “The Customer Experience Management Mandate.” Adobe Experience Cloud Blog, July 2019. Accessed 14 June. 2022.
Cote, Dan. “Advocacy Blooms and Business Booms When Customers and Employees Engage.” Influitive, Dec. 2021. Accessed 15 June. 2022.
Fanderl, Harald and Perrey, Jesko. “Best of both worlds: Customer experience for more revenues and lower costs.” McKinsey & Company, Apr. 2014. Accessed 15 June. 2022.
Gallemard, Jeremy. “Why – And How – Should Customer Satisfaction Be Measured?” Smart Tribune, Feb. 2020. Accessed 6 June. 2022.
Kumar, Swagata. “Customer Success Statistics in 2021.” Customer Success Box, 2021. Accessed 17 June. 2022.
Lakshmiu Tatikonda, “The Hidden Costs of Customer Dissatisfaction”, Management Accounting Quarterly, vol. 14, no. 3, 2013, pp 38. Accessed 17 June. 2022.
Loper, Matthew. “Why ‘Customer Satisfaction’ Misses the Mark – And What to Measure Instead.” Newsweek, Jan. 2022. Accessed 16 June. 2022.
Maechler, Nicolas, et al. “Improving the business-to-business customer experience.” McKinsey & Company, Mar. 2016. Accessed 16 June.
“New Research from Dimension Data Reveals Uncomfortable CX Truths.” CISION PR Newswire, Apr. 2017. Accessed 7 June. 2022.
Sheth, Rohan. 75 Must-Know Customer Experience Statistics to move Your Business Forward in 2022.” SmartKarrot, Feb. 2022. Accessed 17 June. 2022.
Smith, Mercer. “111 Customer Service Statistics and Facts You Shouldn’t Ignore.” HelpScout, May 2022. Accessed 17 June. 2022.
“State of the Connected Customer.” Salesforce, 2020. Accessed 14 June. 2022
“The true value of customer experiences.” Deloitte, 2018. Accessed 15 June. 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand what AI really is in the modern world and how AI technologies impact the business functions.
Develop a good understanding of where AI is delivering value in your industry and other verticals. Determine the top three business goals to get value from your AI and give your AI a purpose.
Brainstorm your AI PoC projects, prioritize and sequence your AI ideas, select your first AI PoC, and create a minimum viable business case for this use case.
Engage our corporate security consultancy firm to discover any weaknesses within your company’s security management. Tymans Group has extensive expertise in helping small and medium businesses set up clear security protocols to safeguard their data and IT infrastructure. Read on to discover how our consulting firm can help improve corporate security within your company.
These days, corporate security includes much more than just regulating access to your physical location, be it an office or a store. Corporate security increasingly deals in information and data security, as well as general corporate governance and responsibility. Proper security protocols not only protect your business from harm, but also play an important factor in your overall success. As such, corporate security is all about setting up practical and effective strategies to protect your company from harm, regardless of whether the threat comes from within or outside. As such, hiring a security consulting firm to improve corporate security and security management within your company is not an unnecessary luxury, but a must.
Embed security thinking through aligning your security strategy to business goals and values
As a consultancy firm, Tymans Group can help your business to identify possible threats and help set up strategies to avoid them. However, as not all threats can be avoided, our corporate security consultancy firm also helps you set up protocols to mitigate and manage them, as well as help you develop effective incident management protocols. All solutions are practical, people-oriented and based on our extensive experience and thus have proven effectiveness.
Engage the services of our consulting company to improve corporate security within your small or medium business. Contact us to set up an appointment on-site or book a one-hour talk with expert Gert Taeymans to discuss any security issues you may be facing. We are happy to offer you a custom solution.
Data is a unique resource that keeps growing, presenting opportunities along the way. CIOs and IT leaders can use rapidly evolving technologies and capabilities to harness this data and its value for the organization.
IT leaders must prepare their teams and operations with the right knowledge, capabilities, and strategies to make sure they remain competitive in 2023 and beyond. Nine trends that expand on the three common Vs of data – volume, velocity, and variety – can help guide the way.
The path to becoming more competitive in a data-driven economy differs from one company to the next. IT leaders should use the data and analytics trends that align most with their organizational goals and can lead to positive business outcomes.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Data technologies are rapidly evolving. Understanding data's art of the possible is critical. However, to adapt to these upcoming data trends, a solid data management foundation is required. This report explores nine data trends based on the proven framework of data V's: Volume, Velocity, Variety, Veracity, Value, Virtue, Visualization, Virality, and Viscosity.
In this report, we explore nine data use cases for emerging technologies that can improve on capabilities needed to compete in the data-driven economy. Use cases combine emerging data trends and modernization of existing capabilities.
When organizations begin to prioritize data, they first consider the sheer volume of data, which will influence data system design. Your data systems must consider the existing and growing volume of data by assessing industry initiatives such as digital transformation, Industry 4.0, IoT, consumer digital footprint, etc.
|
The largest data center in the world is a citadel in Reno, Nevada, that stretches over 7.2 million square feet! Source: Cloudwards, 2022 |
IoT devices will generate 79.4 zettabytes of data Source: IDC, 2019 |
There were about 97 Source: “Volume of Data,” Statista, 2022 |
Data attracts more data and an ecosystem of applications and services
SharePoint, OneDrive, Google Drive, and Dropbox offer APIs and integration opportunities for developers to enhance their products.
Social media platforms thought about this early by allowing for an ecosystem of filters, apps, games, and effects that engage their users with little to no additional effort from internal resources.
Focus on data gravity and avoid cloud repatriation
Data gravity is the tendency of data to attract applications, services, and other data. A growing number of cloud migration decisions will be made based on the data gravity concept. It will become increasingly important in data strategies, with failure potentially resulting in costly cloud repatriations.
Emerging technologies and capabilities:
Data Lakehouse, Data Mesh, Data Fabric, Hybrid Data, Cloud Data, Edge Computing
| 47% |
Centralized cloud storage going down in 2 years |
22% |
| 25% |
Hybrid storage (centralized + edge) going up in 2 years |
47% |
Source: CIO, 2022
What worked for terabytes is ineffective for petabytes
When compared to on-premises infrastructure, cloud computing is less expensive and easier to implement. However, poor data replication and data gravity can significantly increase cloud costs to the point of failure. Data gravity will help organizations make better cloud migration decisions.
It is also critical to recognize changes in the industry landscape. The goal of data processing and analytics is to generate the right data for users to act on. In most cases, the user is a human being, but in the case of autonomous driving (AD), the car takes on the role of the user (DXC Technology).
To avoid cloud repatriation, it will become prudent for all organizations to consider data gravity and the timing of cloud migration.
The velocity element of data can be assessed from two standpoints: the speed at which data is being generated and how fast the organization needs to respond to the incoming information through capture, analysis, and use. Traditionally data was processed in a batch format (all at once or in incremental nightly data loads). There is a growing demand to process data continuously using streaming data-processing techniques.
Emerging technologies and capabilities:
Edge Computing
|
Google announced it has a quantum computer that is 100 million times faster than any classical computer in its lab. Source: Science Alert, 2015 |
The number of qubits in quantum computers has been increasing dramatically, from 2 qubits in 1998 to 128 qubits in 2019. Source: Statista, 2019 |
IBM released a 433-qubit quantum chip named Osprey in 2022 and expects to surpass 1,000 qubits with its next chip, Condor, in 2023. Source: Nature, 2023 |
Make data accessible to everyone in real time
Trend in Data Velocity
Data democratization means data is widely accessible to all stakeholders without bottlenecks or barriers. Success in data democratization comes with ubiquitous real-time analytics. Google highlights a need to address democratization in two different frames:
Emerging technologies and capabilities:
Data Lakehouse, Streaming API Ecosystem, Industry 4.0, Zero-Copy Cloning
Nearly 70% of all new vehicles globally will be connected to the internet by 2023.
Source: “Connected light-duty vehicles,” Statista, 2022
Enable real-time processing with API
In the past, data democratization has largely translated into a free data set and open data portals. This has allowed the government to freely share data with the public. Also, the data science community has embraced the availability of large data sets such as weather data, stock data, etc. In the future, more focus will be on the combination of IoT and steaming analytics, which will provide better responsiveness and agility.
Many researchers, media companies, and organizations now have easy access to the Twitter/Facebook API platform to study various aspects of human behavior and sentiments. Large technology companies have already democratized their data using real-time APIs.
Thousands of sources for open data are available at your local municipalities alone.
6G will push Wi-Fi connectivity to 1 terabyte per second! This is expected to become commercially available by 2030.
The variety of data types is increasingly diverse. Structured data often comes from relational databases, while unstructured data comes from several sources such as photos, video, text documents, cell phones, etc. The variety of data is where technology can drive business value. However, unstructured data also poses a risk, especially for external data.
|
The number of IoT devices could rise to 30.9 billion by 2025. Source: “IoT and Non-IoT Connections Worldwide,” Statista, 2022 |
The global edge computing market is expected to reach $250.6 billion by 2024. Source: “Edge Computing,” Statista, 2022 |
Genomics research is expected to generate between 2 and 40 exabytes of data within the next decade. Source: NIH, 2022 |
Employ AI to automate data management
New tools will enhance many aspects of data management:
Enabling AI-assisted decision-making tools
Trend in Data Variety
Augmented data management will enhance or automate data management capabilities by leveraging AI and related advanced techniques. It is quite possible to leverage existing data management tools and techniques, but most experts have recognized that more work and advanced patterns are needed to solve many complex data problems.
Emerging technologies and capabilities:
Data Factory, Data Mesh, Data Fabric, Artificial Intelligence, Machine Learning
Data Fabric vs. Data Mesh: The Data Journey continues at an accelerated pace
|
Data Fabric |
Data Mesh |
|---|---|
|
Data fabric is an architecture that facilitates the end-to-end integration of various data pipelines and cloud environments using intelligent and automated systems. It’s a data integration pattern to unify disparate data systems, embed governance, strengthen security and privacy measures, and provide more data accessibility to workers and particularly to business users. |
The data mesh architecture is an approach that aligns data sources by business domains, or functions, with data owners. With data ownership decentralization, data owners can create data products for their respective domains, meaning data consumers, both data scientists and business users, can use a combination of these data products for data analytics and data science. |
More Unstructured Data
95% of businesses cite the need to manage unstructured data as a problem for their business.
Data veracity is defined as the accuracy or truthfulness of a data set. More and more data is created in semi-structured and unstructured formats and originates from largely uncontrolled sources (e.g. social media platforms, external sources). The reliability and quality of the data being integrated should be a top concern. The veracity of data is imperative when looking to use data for predictive purposes. For example, energy companies rely heavily on weather patterns to optimize their service outputs, but weather patterns have an element of unpredictability.
|
Data quality affects overall labor productivity by as much as 20%, and 30% of operating expenses are due to insufficient data. Source: Pragmatic Works, 2017 |
Bad data costs up to Source: MIT Sloan Management Review, 2017 |
Veracity of data is a true test of your data capabilities
Trend in Data Veracity
Veracity is a concept deeply linked to identity. As the value of the data increases, a greater degree of veracity is required: We must provide more proof to open a bank account than to make friends on Facebook. As a result, there is more trust in bank data than in Facebook data. There is also a growing need to protect marginalized communities.
Emerging technologies and capabilities:
Zero Trust, Blockchain, Data Governance, IoT, Cybersecurity
The identity discussion is no longer limited to people or organizations. The development of new technologies, such as the IoT phenomenon, will lead to an explosion of objects, from refrigerators to shipping containers, coming online as well. If all these entities start communicating with each other, standards will be needed to establish who or what they are.
|
IDENTITY Age Gender Address Fingerprint Face Voice Irises |
IDENTITY Password Passphrase PIN Sequence |
IDENTITY Access badge Smartcard Security token Mobile phone ID document |
IDENTITY Motor skills Handwriting Gestures Keystrokes Applications use |
The IoT market is expected to grow 18% to 14.4 billion in 2022 and 27 billion by 2025.
Source: IoT Analytics, 2022
Data can be valuable if used effectively or dangerous if mishandled. The rise of the data economy has created significant opportunities but also has its challenges. It has become urgent to understand the value of data, which may vary for stakeholders based on their business model and strategy. Organizations first need to understand ownership of their data by establishing a data strategy, then they must improve data maturity by developing a deeper understanding of data value.
|
94% of enterprises say data is essential to business growth. Source: Find stack, 2021 |
Start developing your data business
Data monetization is the transformation of data into financial value. However, this does not imply selling data alone. Monetary value is produced by using data to improve and upgrade existing and new products and services. Data monetization demands an organization-wide strategy for value development.
Emerging technologies and capabilities:
Data Strategy, Data Monetization Strategy, Data Products
Netflix uses big data to save $1 billion per year on customer retention.
Source: Logidots, 2021
Data is a strategic asset
Data is beyond currency, assets, or commodities and needs to be a category
of its own.
Data monetization is currently in the speculative territory, which is unacceptable. It should instead be guided by sound data management theory.
We have become more and more dependent on data, analytics, and organizational protection policies. Data virtue is about leveraging data securely and ethically. This topic has become more critical with the advent of GDPR, the right to be forgotten, and related regulations. Data governance, which seeks to establish an oversight framework that manages the creation, acquisition, integrity, security, compliance, and quality of data, is essential for any organization that makes decisions about data.
|
Cultural obstacles are the greatest barrier to becoming data-driven, according to 91.9% of executives. Source: Harvard Business Review, 2022 |
Fifty million Facebook profiles were harvested for Cambridge Analytica in a major data breach. Source: The Guardian, 2018 |
Encourage noninvasive and automated data governance
Trend in Data Virtue
Adaptive data governance encourages a flexible approach that allows an organization to employ multiple data governance strategies depending on changing business situations. The other aspect of adaptive data governance is moving away from manual (and often slow) data governance and toward aggressive automation.
Emerging technologies and capabilities:
AI-Powered Data Catalog and Metadata Management,
Automated Data Policy Enforcement
|
“To effectively meet the needs and velocity of digital organizations and modern practices, IT governance must be embedded and automated where possible to drive success and value.” Source: Valence Howden, Info-Tech Research Group |
|
“Research reveals that the combination of AI and big data technologies can automate almost 80% of all physical work, 70% of data processing, and 64% of data collection tasks.” Source: Forbes, 2021 |
Simple and easy Data Governance
Tools are not the ultimate answer to implementing data governance. You will still need to secure stakeholders' buy-in and engagement in the data process. Data governance automation should be about simplifying the execution of roles and responsibilities.
“When you can see where your data governance strategy can be improved, it’s time to put in place automation that help to streamline processes.”
Source: Nintex, 2021
Today, data storytelling is led by the user. It’s the manual practice of combining narrative with data to deliver insights in a compelling form to assist decision makers in engaging with data and analytics. A story backed by data is more easily consumed and understood than a dashboard, which can be overwhelming. However, manual data storytelling has some major shortcomings.
Problem # 1: Telling stories on more than just the insights noticed by people
Problem # 2: Poor data literacy and the limitations of manual self-service
Problem # 3: Scaling data storytelling across the business
Use AI to enhance data storytelling
Trend in Data Visualization
AI and natural language processing will drive future visualization and data storytelling. These tools and techniques are improving rapidly and are now designed in a streamlined way to guide people in understanding what their data means and how to act on it instead of expecting them to do self-service analysis with dashboards and charts and know what to do next. Ultimately, being able to understand how to translate emotion, tropes, personal interpretation, and experience and how to tell what’s most relevant to each user is the next frontier for augmented and automated analytics
Emerging technologies and capabilities:
AI-Powered Data Catalog and Metadata Management,
Automated Data Policy Enforcement
Augmented data storytelling is not that far away
Emotions are a cornerstone of human intelligence and decision making. Mastering the art of storytelling is not easy.
Industry experts predict the combination of data storytelling with augmented and automated techniques; these capabilities are more than capable of generating and automating parts of a data story’s creation for end users.
The next challenge for AI is translating emotion, tropes, personal interpretation, and experience into what is most essential to end users.
Source: Yellowfin, 2021
Data virality measures data spread and popularity. However, for data virality to occur, an ecosystem comparable to that of traditional or modern digital marketplaces is required. Organizations must reevaluate their data strategies to ensure investment in appropriate data domains by understanding data virality. Data virality is the exact opposite of dark data.
Dark data is “all the information companies collect in their regular business processes, don’t use, have no plans to use, but will never throw out.”
Source: Forbes, 2019
Make data easily accessible
Trend in Data Virality
The data marketplace can be defined as a dynamic marketplace where users decide what has the most value. Companies can gauge which data is most popular based on usage and decide where to invest. Users can shop for data products within the marketplace and then join these products with other ones they’ve created to launch truly powerful data-driven projects.
Emerging technologies and capabilities:
AI-Powered Data Catalog and Metadata Management,
Automated Data Policy Enforcement
“Data is like garbage. You’d better know what you are going to do with it before you collect it.”
– Mark Twain
Journey from siloed data platforms to dynamic data marketplaces
Data remains a complex topic due to many missing foundational components and infrastructure. Interoperability, security, quality, discoverability, speed, and ease are some of those missing foundational components that most organizations face daily.
Data lacks an ecosystem that is comparable to those of traditional assets or commodities. Data must be available in open or closed data marketplaces to measure its value. These data marketplaces are still in their infancy.
“Data markets are an important component of the data economy that could unleash the full potential of data generated by the digital economy and human activity in general.”
Source: ITU Journal, 2018
Compared to water, a fluid with a high viscosity flows more slowly, like honey. Data viscosity measures the resistance to flow in a volume of data. The data resistance may come from other Vs (variety, velocity, etc.).
Increase efficiency by removing bottlenecks
Consider XOps for a second. It makes no difference what X is. What's important is matching operational requirements to enterprise capabilities.
These Operations guys are demanding!!
Trend in Data Viscosity
The merger of development (Dev) and IT Operations (Ops) started in software development with the concept of DevOps. Since then, new Ops terms have formed rapidly (AIOps, MLOps, ModelOps, PlatformOps, SalesOps, SecOps, etc.). All these methodologies come from Lean manufacturing principles, which seek to identify waste by focusing on eliminating errors, cycle time, collaboration, and measurement. Buzzwords are distractions, and the focus must be on the underlying goals and principles. XOps goals should include the elimination of errors and improving efficiencies.
Emerging technologies and capabilities:
Collaborative Data Management, Automation Tools
Data observability, a subcomponent of DataOps, is a set of technical practices, cultural norms, and architecture that enables low error rates. Data observability focuses on error rates instead of only measuring data quality at a single point in time.
|
Data Quality Dimensions
|
→ |
ERROR RATES Lateness: Missing Your SLA System Processing Issues Code Change That Broke Something Data Quality |
Avoid following trends solely for the sake of following them. It is critical to comprehend the concept and apply it to your industry. Every industry has its own set of problems and opportunities.
Highlight the data trends (or lack thereof) that have been most beneficial to you in your organizations. Follow Info-Tech’s approach to building a data practice and platform to develop your data capabilities through the establishment of data goals.
|
|
|
Rajesh Parab Director, Research & Advisory Data and Analytics |
Chris Dyck Research Lead Data and Analytics |
“Data technologies are rapidly evolving. Understanding what’s possible is critical. Adapting to these upcoming data trends requires a solid data management foundation.”
– Rajesh Parab
|
|
|
Executive Counselor Info-Tech Research Group |
Executive Counselor Info-Tech Research Group |
Bean, Randy. “Why Becoming a Data-Driven Organization Is So Hard.” Harvard Business Review, 24 Feb. 2022. Accessed Oct. 2022.
Brown, Annie. “Utilizing AI And Big Data To Reduce Costs And Increase Profits In Departments Across An Organization.” Forbes, 13 April 2021.
Accessed Oct. 2022.
Burciaga, Aaron. “Five Core Virtues For Data Science And Artificial Intelligence.” Forbes, 27 Feb. 2020. Accessed Aug. 2022.
Cadwalladr, Carole, and Emma Graham-Harrison. “Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach.”
The Guardian, 17 March 2018. Accessed Aug. 2022.
Carlier, Mathilde. “Connected light-duty vehicles as a share of total vehicles in 2023.” Statista, 31 Mar. 2021. Accessed Oct. 2022.
Carter, Rebekah. “The Ultimate List of Big Data Statistics for 2022.” Findstack, 22 May 2021. Accessed Oct. 2022.
Castelvecchi, Davide. “Underdog technologies gain ground in quantum-computing race.” Nature, 6 Nov. 2023. Accessed Feb. 2023.
Clark-Jones, Anthony, et al. “Digital Identity:” UBS, 2016. Accessed Aug 2022.
“The Cost of Bad Data – Infographic.” Pragmatic Works, 25 May 2017. Accessed Oct. 2022.
Demchenko, Yuri, et al. “Data as Economic Goods: Definitions, Properties, Challenges, Enabling Technologies for Future Data Markets.“ ITU Journal: ICT Discoveries, Special Issue, no. 2, vol. 23, Nov. 2018. Accessed Aug 2022.
Feldman, Sarah. ”20 Years of Quantum Computing Growth.” Statista, 6 May 2019. Accessed Oct. 2022.
“Genomic Data Science.” NIH, National Human Genome Research Institute, 5 April 2022. Accessed Oct. 2022.
Hasbe, Sudhir, and Ryan Lippert. “The democratization of data and insights: making real-time analytics ubiquitous.” Google Cloud, 15 Jan. 2021.
Accessed Aug. 2022.
Helmenstine, Anne. “Viscosity Definition and Examples.” Science Notes, 3 Aug. 2021. Accessed Aug. 2022.
“How data storytelling and augmented analytics are shaping the future of BI together.” Yellowfin, 19 Aug. 2021. Accessed Aug. 2022.
“How Netflix Saves $1B Annually using AI?” Logidots, 24 Sept. 2021. Accessed Oct. 2022
Hui, Kenneth. “The AWS Love/Hate Relationship with Data Gravity.” Cloud Architect Musings, 30 Jan. 2017. Accessed Aug 2022.
ICD. “The Growth in Connected IoT Devices Is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast.” Business Wire, 18 June 2019. Accessed Oct 2022.
Internet of Things (IoT) and non-IoT active device connections worldwide from 2010 to 2025” Statista, 27 Nov. 2022. Accessed Nov. 2022.
Koch, Gunter. “The critical role of data management for autonomous driving development.” DXC Technology, 2021. Accessed Aug. 2022.
Morris, John. “The Pull of Data Gravity.” CIO, 23 Feb. 2022. Accessed Aug. 2022.
Nield, David. “Google's Quantum Computer Is 100 Million Times Faster Than Your Laptop.” ScienceAlert, 9 Dec. 2015. Accessed Oct. 2022.
Redman, Thomas C. “Seizing Opportunity in Data Quality.” MIT Sloan Management Review, 27 Nov. 2017. Accessed Oct. 2022.
Segovia Domingo, Ana I., and Álvaro Martín Enríquez. “Digital Identity: the current state of affairs.” BBVA Research, 2018. Accessed Aug. 2022.
“State of IoT 2022: Number of connected IoT devices growing 18% to 14.4 billion globally.” IOT Analytics, 18 May 2022. Accessed. 14 Nov. 2022.
Strod, Eran. “Data Observability and Monitoring with DataOps.” DataKitchen, 10 May 2021. Accessed Aug. 2022.
Sujay Vailshery, Lionel. “Edge computing market value worldwide 2019-2025.” Statista, 25 Feb. 2022. Accessed Oct 2022.
Sujay Vailshery, Lionel. “IoT and non-IoT connections worldwide 2010-2025.” Statista, 6 Sept. 2022. Accessed Oct. 2022.
Sumina, Vladimir. “26 Cloud Computing Statistics, Facts & Trends for 2022.” Cloudwards, 7 June 2022. Accessed Oct. 2022.
Taulli, Tom. “What You Need To Know About Dark Data.” Forbes, 27 Oct. 2019. Accessed Oct. 2022.
Taylor, Linnet. “What is data justice? The case for connecting digital rights and freedoms globally.“ Big Data & Society, July-Dec 2017. Accessed Aug 2022.
“Twitter: Data Collection With API Research Paper.” IvyPanda, 28 April 2022. Accessed Aug. 2022.
“Using governance automation to reduce data risk.” Nintex, 15 Nov. 2021. Accessed Oct. 2022
“Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025.” Statista, 8 Sept. 2022. Accessed Oct 2022.
Wang, R. “Monday's Musings: Beyond The Three V's of Big Data – Viscosity and Virality.” Forbes, 27 Feb. 2012. Accessed Aug 2022.
“What is a data fabric?” IBM, n.d. Accessed Aug 2022.
Yego, Kip. “Augmented data management: Data fabric versus data mesh.” IBM, 27 April 2022. Accessed Aug 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Define and align your team on target persona, outline steps to capture and document a robust buyer persona and journey, and capture current team buyer knowledge.
Hold initial buyer interviews, test initial results, and continue with interviews.
Consolidate interview findings, present to product, marketing, and sales teams. Work with them to apply to product design, marketing launch/campaigning, and sales and customer success enablement.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Organize, drive alignment on target persona, and capture initial views.
Steering committee and project team roles and responsibilities clarified.
Product, marketing, and sales aligned on target persona.
Build initial team understanding of persona.
1.1 Outline a vision for buyer persona and journey creation and identify stakeholders.
1.2 Identify buyer persona choices and settle on an initial target.
1.3 Document team knowledge about buyer persona (and journey where possible).
Documented steering committee and working team
Executive Brief on personas and journey
Personas and initial targets
Documented team knowledge
Build list of buyer interviewees, finalize interview guide, and validate current findings with analyst input.
Interview efficiently using 75-question interview guide.
Gain analyst help in persona validation, reducing workload.
2.1 Share initial insights with covering industry analyst.
2.2 Hear from industry analyst their perspectives on the buyer persona attributes.
2.3 Reconcile differences; update “current understanding.”
2.4 Identify interviewee types by segment, region, etc.
Analyst-validated initial findings
Target interviewee types
Validate current persona hypothesis and flush out those attributes only derived from interviews.
Get to a critical mass of persona and journey understanding quickly.
3.1 Identify actual list of 15-20 interviewees.
3.2 Hold interviews and use interview guides over the course of weeks.
3.3 Hold review session after initial 3-4 interviews to make adjustments.
3.4 Complete interviews.
List of interviewees; calls scheduled
Initial review – “are you going in the right direction?”
Completed interviews
Summarize persona and journey attributes and provide activation guidance to team.
Understanding of product market fit requirements, messaging, and marketing, and sales asset content.
4.1 Summarize findings.
4.2 Create action items for supporting team, e.g. messaging, touch points, media spend, assets.
4.3 Convene steering committee/executives and working team for final review.
4.4 Schedule meetings with colleagues to action results.
Complete findings
Action items for team members
Plan for activation
Measure results, adjust, and improve.
Activation of outcomes; measured results.
5.1 Review final copy, assets, launch/campaign plans, etc.
5.2 Develop/review implementation plan.
5.3 Reconvene team to review results.
Activation review
List of suggested next steps
B2B marketers without documented personas and journeys often experience the following:
Without a deeper understanding of buyer needs and how they buy, B2B marketers will waste time and precious resources targeting the incorrect personas.
Despite being critical elements, organizations struggle to build personas due to:
In today’s Agile development environment, combined with the pressure to generate revenues quickly, high tech marketers often skip the steps necessary to go deeper to build buyer understanding.
With a common framework and target output, clients will:
Clients who activate findings from buyer personas and journeys will see a 50% results improvement.
SoftwareReviews Insight:
Buyer personas and buyer journeys are essential ingredients in go-to-market success, as they inform for product, marketing, sales, and customer success who we are targeting and how to engage with them successfully.
Jeff Golterman, Managing Director, SoftwareReviews Advisory
“44% of B2B marketers have already discovered the power of Personas.”
– Hasse Jansen, Boardview.io!, 2016
“It’s easier buying gifts for your best friend or partner than it is for a stranger, right? You know their likes and dislikes, you know the kind of gifts they’ll have use for, or the kinds of gifts they’ll get a kick out of. Customer personas work the same way, by knowing what your customer wants and needs, you can present them with content targeted specifically to their wants and needs.”
– Emma Bilardi, Product Marketing Alliance, 2020
“Marketing eutopia is striking the all-critical sweet spot that adds real value and makes customers feel recognized and appreciated, while not going so far as to appear ‘big brother’. To do this, you need a deep understanding of your audience coming from a range of different data sets and the capability to extract meaning.”
– Plexure, 2020
SoftwareReviews Advisory Insight:
Marketers developing buyer personas and journeys that lack agreement among Marketing, Sales, and Product of personas to target will squander precious time and resources throughout the customer targeting and acquisition process.
| 1. Document Team Knowledge of Buyer Persona and Drive Alignment | 2. Interview Target Buyer Prospects and Customers | 3. Create Outputs and Apply to Marketing, Sales, and Product | |
|---|---|---|---|
| Phase Steps |
|
|
|
| Phase Outcomes |
|
|
|
Our methodology will enable you to align your team on why it’s important to capture the most important attributes of buyer persona including:
| Functional – “to find them” | ||||||
| Job Role | Title | Org. Chart Dynamics | Buying Center | Firmographics | ||
| Emotive – “what they do and jobs to be done” | ||||||
| Initiatives: What programs/projects the persona is tasked with and their feelings and aspirations about these initiatives. Motivations? Build credibility? Get promoted? | Challenges: Identify the business issues, problems, and pain points that impede attainment of objectives. What are their fears, uncertainties, and doubts about these challenges? | Buyer Need: They may have multiple needs; which need is most likely met with the offering? | Terminology: What are the keywords/phrases they organically use to discuss the buyer need or business issue? | |||
| Decision Criteria – “how they decide” | ||||||
| Buyer Role: List decision-making criteria and power level. The five common buyer roles are champion, influencer, decision maker, user, and ratifier (purchaser/negotiator). | Evaluation and Decision Criteria: Which lens – strategic, financial, or operational – does the persona evaluate the impact of purchase through? | |||||
| Solution Attributes – “what does the ideal solution look like” | ||||||
| Steps in “Jobs to Be Done” | Elements of the “Ideal Solution” | Business outcomes from ideal solution | Opportunity scope; other potential users | Acceptable price for value delivered | Alternatives that see consideration | Solution sourcing: channel, where to buy |
| Behavioral Attributes – “how to approach them successfully” | ||||||
| Content Preferences: List the persona’s content preferences – blog, infographic, demo, video – vs. long-form assets (e.g. white paper, presentation, analyst report). | Interaction Preferences: Which are preferred among in-person meetings, phone calls, emails, videoconferencing, conducting research via Web, mobile, and social? | Watering Holes: Which physical or virtual places do they go to network or exchange info with peers (e.g. LinkedIn)? | ||||
“~2/3 of [B2B] buyers prefer remote human interactions or digital self-service.” And during Aug. ‘20 to Feb. ‘21, use of digital self-service to interact with sales reps leapt by more than 10% for both researching and evaluating new suppliers.”
– Liz Harrison, Dennis Spillecke, Jennifer Stanley, and Jenny Tsai McKinsey & Company, 2021
SoftwareReviews Advisory Insight:
Marketers are advised to update their buyer journey annually and with greater frequency when the human vs. digital mix is affected due to events such as COVID-19 and as emerging media such as AR shifts asset-type usage and engagement options.
Because marketing leaders need to reach buyers through the right channel with the right message at the right time during their decision cycle, you’ll benefit by using questionnaires that enable you to build the below easily and quickly.
Buyer personas and buyer journeys are essential ingredients in go-to-market success, as they inform for product, marketing, sales, and customer success who we are targeting and how to engage with them successfully.
Marketers developing buyer personas and journeys that lack agreement among Marketing, Sales, and Product of personas to target will squander precious time and resources throughout the customer targeting and acquisition process.
Marketing leaders leverage the buyer persona knowledge not only from in-house experts in areas such as sales and executives but from analysts that speak with their buyers each and every day.
While leaders will get a fast start by interviewing sellers, executives, and analysts, you will fail to craft the right messages, build the right marketing assets, and design the best buyer journey if you skip buyer interviews.
Leaders will update their buyer journey annually and with greater frequency when the human vs. digital mix is effected due to events such as COVID-19 and as emerging media such as AR and VR shifts the way buyers engage.
Digital marketers that ramp up lead gen engine capabilities to capture “wins” and measure engagement back through the lead gen and nurturing engines will build a more data-driven view of the buyer journey. Target to build this advanced capability in your initial design.
This blueprint is accompanied by supporting deliverables to help you gather team insights, interview customers and prospects, and summarize results for ease in communications.
To support your buyer persona and journey creation, we’ve created the enclosed tools
A PowerPoint template to aid the capture and summarizing of your team’s insights on the buyer persona.
For interviewing customers and prospects, this tool is designed to help you interview personas and summarize results for up to 15 interviewees.
A PowerPoint template into which you can drop your buyer persona and journey interviewees list and summary findings.
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
The "do-it-yourself" step-by-step instructions begin with Phase 1.
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
A Guided Implementation is a series of analysts inquiries with you and your team.
Diagnostics and consistent frameworks are used throughout each option.
A Guided Implementation (GI) is series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization.
For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst.
Your engagement managers will work with you to schedule analyst calls.
Drive an Aligned Initial Draft of Buyer Persona
Interview Buyers and Validate Persona and Journey
Prepare Communications and Educate Stakeholders
Contact your account representative for more information. workshops@infotech.com 1-888-670-8889
| Day1 | Day 2 | Day 3 | Day 4 | Day 5 | |
|---|---|---|---|---|---|
| Align Team, Identify Persona, and Document Current Knowledge | Validate Initial Work and Identify Buyer Interviewees | Schedule and Hold Buyer interviews | Summarize Findings and Provide Actionable Guidance to Colleagues | Measure Impact and Results | |
| Activities |
1.1 Outline a vision for buyer persona and journey creation and identify stakeholders. 1.2 Identify buyer persona choices and settle on an initial target. 1.3 Document team knowledge about buyer persona (and journey where possible). |
2.1 Share initial insights with covering industry analyst. 2.2 Hear from industry analyst their perspectives on the buyer persona attributes. 2.3 Reconcile differences; update “current understanding.” 2.4 Identify interviewee types by segment, region, etc. |
3.1 Identify actual list of 15-20 interviewees. A gap of up to a week for scheduling of interviews. 3.2 Hold interviews and use interview guides (over the course of weeks). 3.3 Hold review session after initial 3-4 interviews to make adjustments. 3.4 Complete interviews. |
4.1 Summarize findings. 4.2 Create action items for supporting team, e.g. messaging, touch points, media spend, assets. 4.3 Convene steering committee/exec. and working team for final review. 4.4 Schedule meetings with colleagues to action results. |
5.1 Review final copy, assets, launch/campaign plans, etc. 5.2 Develop/review implementation plan. A period of weeks will likely intervene to execute and gather results. 5.3 Reconvene team to review results. |
| Deliverables |
|
|
|
|
|
This Phase walks you through the following activities:
This Phase involves the following stakeholders:
Review the Create a Buyer Persona Executive Brief (Slides 3-14)
Download the Buyer Persona Creation Template
Download the Buyer Persona and Journey Interview Guide and Data Capture Tool
This Phase walks you through the following activities:
This Phase involves the following stakeholders:
Download the Buyer Persona and Journey Interview Guide and Data Capture Tool
Download the Buyer Persona and Journey Interview Guide and Data Capture Tool
Test that you are on the right track:
| Functional – “to find them” | ||||||
| Job Role | Title | Org. Chart Dynamics | Buying Center | Firmographics | ||
| Emotive – “what they do and jobs to be done” | ||||||
| Initiatives: What programs/projects the persona is tasked with and their feelings and aspirations about these initiatives. Motivations? Build credibility? Get promoted? | Challenges: Identify the business issues, problems, and pain points that impede attainment of objectives. What are their fears, uncertainties, and doubts about these challenges? | Buyer Need: They may have multiple needs; which need is most likely met with the offering? | Terminology: What are the keywords/phrases they organically use to discuss the buyer need or business issue? | |||
| Decision Criteria – “how they decide” | ||||||
| Buyer Role: List decision-making criteria and power level. The five common buyer roles are champion, influencer, decision maker, user, and ratifier (purchaser/negotiator). | Evaluation and Decision Criteria: Which lens – strategic, financial, or operational – does the persona evaluate the impact of purchase through? | |||||
| Solution Attributes – “what does the ideal solution look like” | ||||||
| Steps in “Jobs to Be Done” | Elements of the “Ideal Solution” | Business outcomes from ideal solution | Opportunity scope; other potential users | Acceptable price for value delivered | Alternatives that see consideration | Solution sourcing: channel, where to buy |
| Behavioral Attributes – “how to approach them successfully” | ||||||
| Content Preferences: List the persona’s content preferences – blog, infographic, demo, video – vs. long-form assets (e.g. white paper, presentation, analyst report). | Interaction Preferences: Which are preferred among in-person meetings, phone calls, emails, videoconferencing, conducting research via Web, mobile, and social? | Watering Holes: Which physical or virtual places do they go to network or exchange info with peers (e.g. LinkedIn)? | ||||
Because marketing leaders need to reach buyers through the right channel with the right message at the right time during their decision cycle, you’ll benefit by using questionnaires that enable you to build the below easily and quickly.
Download the Buyer Persona and Journey Interview Guide and Data Capture Tool
This Phase walks you through the following activities:
This Phase involves the following stakeholders:
Download the Buyer Persona and Journey Interview Guide and Data Capture Tool
Download the Buyer Persona and Journey Summary Template
Download the Buyer Persona and Journey Summary Template
Activation of key learnings to drive:
Present final persona and journey results to each stakeholder team. Key presentations include:
Download the Buyer Persona and Journey Summary Template
With the help of this blueprint, you have deepened your and your colleagues’ buyer understanding at both the persona “who they are” level and the buyer journey “how do they buy” level. You are among the minority of marketing leaders that have fully documented a buyer persona and journey – congratulations!
The benefits of having led your team through the process are significant and include the following:
And by capturing and documenting your buyer persona and journey even for a single buyer type, you have started to build the “institutional strength” to apply the process to other roles in the decision-making process or for when you go after new and different buyer types for new products. And finally, by bringing your team along with you in this process, you have also led your team in becoming a more customer-focused organization – a strategic shift that all organizations should pursue.
Contact your account representative for more information.
info@softwarereviews.com
1-888-670-8889
Optimize Lead Generation With Lead Scoring
Bilardi, Emma. “How to Create Buyer Personas.” Product Marketing Alliance, July 2020. Accessed Dec. 2021.
Harrison, Liz, Dennis Spillecke, Jennifer Stanley, and Jenny Tsai. “Omnichannel in B2B sales: The new normal in a year that has been anything but.” McKinsey & Company, 15 March 2021. Accessed Dec. 2021.
Jansen, Hasse. “Buyer Personas – 33 Mind Blowing Stats.” Boardview.io!, 19 Feb. 2016. Accessed Jan. 2022.
Raynor, Lilah. “Understanding The Changing B2B Buyer Journey.” Forbes Agency Council, 18 July 2021. Accessed Dec. 2021.
Simpson, Jon. “Finding Your Audience: The Importance of Developing a Buyer Persona.” Forbes Agency Council, 16 May 2017. Accessed Dec. 2021.
“Successfully Executing Personalized Marketing Campaigns at Scale.” Plexure, 6 Jan. 2020. Accessed Dec 2020.
Ulwick, Anthony W. JOBS TO BE DONE: Theory to Practice. E-book, Strategyn, 1 Jan. 2017. Accessed Jan. 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Begin your SAP digital access licensing journey by evaluating licensing changes and options, and then make contractual changes to ensure compliance.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand the fundamental concepts of smart contract technology and get buy-in from stakeholders.
Select a business process, create a smart contract logic diagram, and complete a smart contract use-case deliverable.
[infographic]
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Review blockchain basics.
Understand the fundamental concepts of smart contracts.
Develop smart contract use-case executive buy-in presentation.
Understanding of blockchain basics.
Understanding the fundamentals of smart contracts.
Development of an executive buy-in presentation.
1.1 Review blockchain basics.
1.2 Understand smart contract fundamentals.
1.3 Identify business challenges and smart contract benefits.
1.4 Create executive buy-in presentation.
Executive buy-in presentation
Brainstorm and select a business process to develop a smart contract use case around.
Generate a smart contract logic diagram.
Selected a business process.
Developed a smart contract logic diagram for the selected business process.
2.1 Brainstorm candidate business processes.
2.2 Select a business process.
2.3 Identify phases, actors, events, and transactions.
2.4 Create the smart contract logic diagram.
Smart contract logic diagram
Develop smart contract use-case diagrams for each business process phase.
Complete a smart contract use-case deliverable.
Smart contract use-case diagrams.
Smart contract use-case deliverable.
3.1 Build smart contract use-case diagrams for each phase of the business process.
3.2 Create a smart contract use-case summary diagram.
3.3 Complete smart contract use-case deliverable.
Smart contract use case
Review workshop week and lessons learned.
Develop an action plan to follow through with next steps for the project.
Reviewed workshop week with common understanding of lessons learned.
Completed an action plan for the project.
4.1 Review workshop deliverables.
4.2 Create action plan.
Smart contract action plan
IT is seen as a cost center in most organizations. Your IT spend is fuelled by negative sentiment instead of contributing to business value.
An effective IT budget complements the business story with how you will achieve the expected business targets.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Our concise executive brief shows you why you should develop a budget based on value delivery. We'll show you our methodology and the ways we can help you in completing this.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Evaluate the readiness of the pilot functional group and Agile development processes to adopt scaled Agile practices.
Alleviate scaling issues and risks and introduce new opportunities to enhance business value delivery with Agile practices.
Roll out scaling Agile initiatives in a gradual, iterative approach and define the right metrics to demonstrate success.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Identify the business objectives and functional group drivers for adopting Agile practices to gauge the fit of scaling Agile.
Select the pilot project to demonstrate the value of scaling Agile.
Review and evaluate your current Agile development process and functional group structure.
Understanding of the notable business and functional group gaps that can derail the scaling of Agile.
Selection of a pilot program that will be used to gather metrics to continuously improve implementation and obtain buy-in for wider rollout.
Realization of the root causes behind functional group and process issues in the current Agile implementation.
1.1 Assess your pilot functional group
Fit assessment of functional group to pilot Agile scaling
Selection of pilot program
List of critical success factors
Think of solutions to address the root causes of current communication and process issues that can derail scaling initiatives.
Brainstorm opportunities to enhance the delivery of business value to customers.
Generate a target state for your scaled Agile implementation.
Defined Agile capabilities and services of your functional group.
Optimized functional group team structure, development process, and program framework to support scaled Agile in your context.
Identification and accommodation of the risks associated with implementing and executing Agile capabilities.
2.1 Define Agile capabilities at scale
2.2 Build your scaled Agile target state
Solutions to scaling issues and opportunities to deliver more business value
Agile capability map
Functional group team structure, Agile development process and program framework optimized to support scaled Agile
Risk assessment of scaling Agile initiatives
List metrics to gauge the success of your scaling Agile implementation.
Define the initiatives to scale Agile in your organization and to prepare for a wider rollout.
Strategic selection of the right metrics to demonstrate the value of scaling Agile initiatives.
Scaling Agile implementation roadmap based on current resource capacities, task complexities, and business priorities.
3.1 Create your implementation plan
List of metrics to gauge scaling Agile success
Scaling Agile implementation roadmap
Algorithms are becoming more advanced, data is now richer and easier to collect, and hardware is cheaper and more powerful. All of this is true and contributes to the excitement around enterprise AI applications, but the biggest difference today is that enterprises are redesigning their processes around AI, rather than simply adding AI to their existing processes.
This report outlines six emerging ways AI is being used in the enterprise, with four future scenarios outlining their possible trajectories. These are designed to guide strategic decision making and facilitate future-focused ideation.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This report outlines six emerging ways AI is being used in the enterprise, with four future scenarios outlining their possible trajectories. These are designed to guide strategic decision making and facilitate future-focused ideation.
M365 projects are fraught with obstacles. Common mistakes organizations make include:
There are three primary areas where organizations fail in a successful implementation of M365: training, adoption, and information governance. While it is not up to IT to ensure every user is well trained, it is their initial responsibility to find champions, SMEs, and business-based trainers and manage information governance from the backup, retention, and security aspects of data management.
Migrating to M365 is a disruptive move for most organizations. It poses risk to untrained IT staff, including admins, help desk, and security teams. The aim for organizations, especially in this new hybrid workspace, is to maintain efficiencies through collaboration, share information in a secure environment, and work from anywhere, any time.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
There are three primary goals when deploying Microsoft 365: productivity, security and compliance, and collaborative functionality. On top of these you need to meet the business KPIs and IT’s drive for adoption and usage. This research will guide you through the important considerations that are often overlooked as this powerful suite of tools is rolled out to the organization.
 |
There are three primary objectives when deploying Microsoft 365: from a business perspective, the expectations are based on productivity; from an IT perspective, the expectations are based on IT efficiencies, security, and compliance; and from an organizational perspective, they are based on a digital employee experience and collaborative functionality. Of course, all these expectations are based on one primary objective, and that is user adoption of Teams, OneDrive, and SharePoint Online. A mass adoption, along with a high usage rate and a change in the way users work, is required for your investment in M365 to be considered successful. So, adoption is your first step, and that can be tracked and analyzed through analytics in M365 or other tools. But what else needs to be considered once you have released M365 on your organization? What about backup? What about security? What about sharing data outside your business? What about self-service? What about ongoing training? M365 is a powerful suite of tools, and taking advantage of all that it entails should be IT’s primary goal. How to accomplish that, efficiently and securely, is up to you! |
John Donovan |
Collaboration, efficiencies, and cost savings need to be earned |
Migrating to M365 is a disruptive move for most organizations. Additionally, it poses risk to untrained IT staff, including admins, help desk, and security teams. The aim for organizations, especially in this new hybrid workspace, is to maintain efficiencies through collaboration, share information in a secure environment, and work from anywhere, any time. However, organizations need to manage their licensing and storage costs and build this new way of working through post-deployment planning. By reducing their hardware and software footprint they can ensure they have earned these savings and efficiencies. |
Understand any shortcomings in M365 or pay the price |
Failing to understand any shortcomings M365 poses for your organization can ruin your chances at a successful implementation. Commonly overlooked expenses include backup and archiving, especially for regulated organizations; spending on risk mitigation through third-party tools for security; and paying a premium to Microsoft to use its Azure offerings with Microsoft Sentinel, Microsoft Defender, or any security add-on that comes at a price above your E5 license, which is expensive in itself. |
Spend time with users to understand how they will use M365 |
Understanding business processes is key to anticipating how your end users will adopt M365. By spending time with the staff and understanding their day-to-day activities and interactions, you can build better training scenarios to suit their needs and help them understand how the apps in M365 can help them do their job. On top of this you need to meet the business KPIs and IT’s drive for adoption and usage. Encourage early adopters to become trainers and champions. Success will soon follow. |
Your Challenge |
Common Obstacles |
Info-Tech’s Approach |
|---|---|---|
M365 is a full suite of tools for collaboration, communication, and productivity, but organizations find the platform is not used to its full advantage and fail to get full value from their license subscription. Many users are unsure which tool to use when: Do you use Teams or Viva Engage, MS Project or Planner? When do you use SharePoint versus OneDrive? From an IT perspective, finding time to help users at the outset is difficult – it’s quite the task to set up governance, security, and backup. Yet training staff must be a priority if the implementation is to succeed. |
M365 projects are fraught with obstacles. Common mistakes organizations make include:
|
To define your post-migration tasks and projects:
Failure to take meaningful action will not bode well for your M365 journey. |
There are three primary areas where organizations fail in a successful implementation of M365: training, adoption, and information governance. While it is not up to IT to ensure every user is well trained, it is their initial responsibility to find champions, SMEs, and business-based trainers and to manage information governance from backup, retention, and security aspects of data management.
What IT teams are saying
Top IT reasons for adopting M365
61% More collaborative working style
54% Cost savings
51% Improved cybersecurity
49% Greater mobility
Define Vision |
Build Team |
Plan Projects |
Execute |
|---|---|---|---|
Define your vision and what your priorities are for M365. Understand how to reach your vision. |
Ensure you have an executive sponsor, develop champions, and build a team of SMEs. |
List all projects in a to-be scenario. Rank and prioritize projects to understand impact and difficulty. |
Build your roadmap, create timelines, and ensure you have enough resources and time to execute and deliver to the business. |
A clear understanding of the business purpose and processes, along with insight into the organizational culture, will help you align the right apps with the right tasks. This approach will bring about better adoption and collaboration and cancel out the shadow IT products we see in every business silo.
To give organizations insight into the adoption of services in M365, Microsoft provides built-in usage analytics in Power BI, with templates for visualization and custom reports. There are third-party tools out there, but why pay more? However, the template app is not free; you do need a Power BI Pro license.
Usage Analytics pulls data from ActiveDirectory, including location, department, and organization, giving you deeper insight into how users are behaving. It can collect up to 12 months of data to analyze.
Reports that can be created include Adoption, Usage, Communication, Collaboration (how OneDrive and SharePoint are being used), Storage (cloud storage for mailboxes, OneDrive, and SharePoint), and Mobility (which clients and devices are used to connect to Teams, email, Yammer, etc.).
Admin Roles |
Best Practices |
|---|---|
|
Only assign two to four global admins, depending on the size of the organization. Too many admins increases security risk. In larger organizations, segment admin roles using role-based access control. Because admins have access to sensitive data, you’ll want to assign the least permissive role so they can access only the tools and data they need to do their job. Enable MFA for all admins except one break-glass account that is stored in the cloud and not synced. Ensure a complex password, stored securely, and use only in the event of an MFA outage. Due to the large number of admin roles available and the challenges that brings with it, Microsoft has a built-in tool to compare roles in the admin portal. This can help you determine which role should be used for specific tasks. |
Identity Checklist
Determine your training needs and align with your business processes. Choose training modalities that will give users the best chance of success. Consider one or many training methods, such as:
Why is M365 backup so important?
Accidental Data Deletion.
If a user is deleted, that deletion gets replicated across the network. Backup can save you here by restoring that user.
Internal and External Security Threats.
Malicious internal deletion of data and external threats including viruses, ransomware, and malware can severely damage a business and its reputation. A clean backup can easily restore the business’ uninfected data.
Legal and Compliance Requirements.
While e-discovery and legal hold are available to retain sensitive data, a third-party backup solution can easily search and restore all data to meet regulatory requirements – without depending on someone to ensure a policy was set.
Retention Policy Gaps.
Retention policies are not a substitute for backup. While they can be used to retain or delete content, they are difficult to keep track of and manage. Backups offer greater latitude in retention and better security for that data.
Legacy |
Microsoft 365 |
|---|---|
SharePoint 2016/19 |
SharePoint Online |
Microsoft Exchange Server |
Microsoft Exchange in Azure |
Skype for Business Server |
Teams |
Trello |
Planner 2022 |
System Center Configuration Manager (SCCM) |
Endpoint Manager, Intune, Autopilot |
File servers |
OneDrive |
Access |
Power Apps |
To meet the objectives of cost reduction and rationalization, look at synergies that M365 brings to the table. Determine what you are currently using to meet collaboration, storage, and security needs and plan to use the equivalent in your Microsoft entitlement.
There are plenty of preconfigured security features contained in M365, but what’s available to you depends on your license. For example, Microsoft Defender, which has many preset policies, is built-in for E5 licenses, but if you have E3 licenses Defender is an add-on.
Three elements in security policies are profiles, policies, and policy settings.
Check your license entitlement before you start purchasing add-ons or third-party solutions. Security and compliance are not optional in today’s cybersecurity risk world. With many organizations offering hybrid and remote work arrangements and bring-your-own-device (BYOD) policies, it is necessary to protect your data at the tenant level. Defender for Microsoft 365 is a tool that can protect both your exchange and collaboration environments.
More information: Microsoft 365 Defender
NOTE: You must have Azure AD Premium and Windows 10 V1703 or later as well as Intune or other MDM service to use Autopilot. There is a monthly usage fee based on volume of data transmitted. These fees can add up over time.
For more details visit the following Microsoft Learn pages:
Info-Tech’s research on zero-touch provisioning goes into more detail on Intune and Autopilot:
Simplify Remote Deployment With Zero-Touch Provisioning
Drive Ongoing Adoption With an M365 Center of Excellence
Simplify Remote Deployment With Zero-Touch Provisioning
“5 Reasons Why Microsoft Office 365 Backup Is Important.” Apps 4Rent, Dec 2021, Accessed Oct 2022 .
Chandrasekhar, Aishwarya. “Office 365 Migration Best Practices & Challenges 2022.” Saketa, 31 Mar 2022. Accessed Oct. 2022.
Chronlund, Daniel. “The Fundamental Checklist – Secure your Microsoft 365 Tenant”. Daniel Chronlund Cloud Tech Blog,1 Feb 2019. Accessed 1 Oct 2022.
Davies, Joe. “The Microsoft 365 Enterprise Deployment Guide.” Tech Community, Microsoft, 19 Sept 2018. Accessed 2 Oct 2022.
Dillaway, Kevin. “I Upgraded to Microsoft 365 E5, Now What?!.” SpyGlassMTG, 10 Jan 2022. Accessed 4 Oct. 2022.
Hartsel, Joe. “How to Make Your Office 365 Implementation Project a Success.” Centric, 20 Dec 2021. Accessed 2 Oct. 2022.
Jha, Mohit. “The Ultimate Microsoft Office 365 Migration Checklist for Pre & Post Migration.” Office365 Tips.Org, 24 June 2022. Accessed Sept. 2022.
Lang, John. “Why organizations don't realize the full value of Microsoft 365.“Business IT, 29 Nov 202I. Accessed 10 Oct 2022.
Mason, Quinn. “How to increase Office 365 / Microsoft 365 user adoption.” Sharegate, 19 Sept 2019. Accessed 3 Oct 2022.
McDermott, Matt. “6-Point Office 365 Post-Migration Checklist.” Spanning , 12 July 2019 . Accessed 4 Oct 2022.
“Microsoft 365 usage analytics.” Microsoft 365, Microsoft, 25 Oct 2022. Web.
Sharma, Megha. “Office 365 Pre & Post Migration Checklist.’” Kernel Data Recovery, 26 July 2022. Accessed 30 Sept. 2022.
Sivertsen, Per. “How to avoid a failed M365 implementation? Infotechtion, 19 Dec 2021. Accessed 2 Oct. 2022.
St. Hilaire, Dan. “Most Common Mistakes with Office 365 Deployment (and How to Avoid Them).“ KnowledgeWave, 4Mar 2019. Accessed Oct. 2022.
“Under the Hood of Microsoft 365 and Office 365 Adoption.” SoftwareONE, 2019. Web.
Complication
Insights
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Reveal the opportunities to heighten the user experience of your website through a deep understanding of the behaviors, emotions, and needs of your end users in order to design a receptive and valuable website.
Design a satisfying and receptive website by leveraging industry best practices and modern UX trends and ensuring the website is supported with reliable and scalable data and infrastructure.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
List the business objectives of your website.
Describe your user personas, use cases, and user workflow.
Identify current UX issues through simulations, website design, and system reviews.
Strong understanding of the business goals of your website.
Knowledge of the behaviors and needs of your website’s users.
Realization of the root causes behind the UX issues of your website.
1.1 Define the business objectives for the website you want to optimize
1.2 Define your end-user personas and map them to use cases
1.3 Build your website user workflow
1.4 Conduct a SWOT analysis of your website to drive out UX issues
1.5 Gauge the UX competencies of your web development team
1.6 Simulate your user workflow to identify the steps driving down UX
1.7 Assess the composition and construction of your website
1.8 Understand the execution of your website with a system architecture
1.9 Pinpoint the technical reason behind your UX issues
1.10 Clarify and prioritize your UX issues
Business objectives
End-user personas and use cases
User workflows
Website SWOT analysis
UX competency assessment
User workflow simulation
Website design assessment
Current state of web system architecture
Gap analysis of web system architecture
Prioritized UX issues
Design wireframes and storyboards to be aligned to high priority use cases.
Design a web system architecture that can sufficiently support the website.
Identify UX metrics to gauge the success of the website.
Establish a website design process flow.
Implementation of key design elements and website functions that users will find stimulating and valuable.
Optimized web system architecture to better support the website.
Website design process aligned to your current context.
Rollout plan for your UX optimization initiatives.
2.1 Define the roles of your UX development team
2.2 Build your wireframes and user storyboards
2.3 Design the target state of your web environment
2.4 List your UX metrics
2.5 Draw your website design process flow
2.6 Define your UX optimization roadmap
2.7 Identify and engage your stakeholders
Roles of UX development team
Wireframes and user storyboards
Target state of web system architecture
List of UX metrics
List of your suppliers, inputs, processes, outputs, and customers
Website design process flow
UX optimization rollout roadmap
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Assess current maturity, establish a team, and choose a pilot business unit. Identify business processes, dependencies, and alternatives.
Define an objective impact scoring scale, estimate the impact of downtime, and set recovery targets.
Build a workflow of the current steps for business recovery. Identify gaps and risks to recovery. Brainstorm and prioritize solutions to address gaps and mitigate risks.
Present pilot project results and next steps. Create BCMS teams. Update and maintain BCMS documentation.
Use these tools and templates to assist in the creation of your BCP.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Define BCP scope, objectives, and stakeholders.
Prioritize BCP efforts and level-set scope with key stakeholders.
1.1 Assess current BCP maturity.
1.2 Identify key business processes to include in scope.
1.3 Flowchart key business processes to identify business processes, dependencies, and alternatives.
BCP Maturity Scorecard: measure progress and identify gaps.
Business process flowcharts: review, optimize, and allow for knowledge transfer of processes.
Identify workarounds for common disruptions to day-to-day continuity.
Define RTOs and RPOs based on your BIA.
Set recovery targets based business impact, and illustrate the importance of BCP efforts via the impact of downtime.
2.1 Define an objective scoring scale to indicate different levels of impact.
2.2 Estimate the impact of downtime.
2.3 Determine acceptable RTO/RPO targets for business processes based on business impact.
BCP Business Impact Analysis: objective scoring scale to assess cost, goodwill, compliance, and safety impacts.
Apply the scoring scale to estimate the impact of downtime on business processes.
Acceptable RTOs/RPOs to dictate recovery strategy.
Create a recovery workflow.
Build an actionable, high-level, recovery workflow that can be adapted to a variety of different scenarios.
3.1 Conduct a tabletop exercise to determine current recovery procedures.
3.2 Identify and prioritize projects to close gaps and mitigate recovery risks.
3.3 Evaluate options for command centers and alternate business locations (i.e. BC site).
Recovery flow diagram – current and future state
Identify gaps and recovery risks.
Create a project roadmap to close gaps.
Evaluate requirements for alternate business sites.
Extend the results of the pilot BCP and implement governance.
Outline the actions required for the rest of your BCMS, and the required effort to complete those actions, based on the results of the pilot.
4.1 Summarize the accomplishments and required next steps to create an overall BCP.
4.2 Identify required BCM roles.
4.3 Create a plan to update and maintain your overall BCP.
Pilot BCP Executive Presentation
Business Continuity Team Roles & Responsibilities
3. Maintenance plan and BCP templates to complete the relevant documentation (BC Policy, BCP Action Items, Recovery Workflow, etc.)
None of us needs to look very far to find a reason to have an effective business continuity plan.
From pandemics to natural disasters to supply chain disruptions to IT outages, there’s no shortage of events that can disrupt your complex and interconnected business processes. How in the world can anyone build a plan to address all these threats?
Don’t try to boil the ocean. Use these tactics to streamline your BCP project and stay on track:
No one can predict every possible disruption, but by following the guidance in this blueprint, you can build a flexible continuity plan that allows you to withstand the threats your organization may face.
Research Director,
IT Infrastructure & Operations Practice
Info-Tech Research Group
Senior Research Analyst,
IT Infrastructure & Operations Practice
Info-Tech Research Group
IT leaders, because of their cross-functional view and experience with incident management and DR, are often asked to lead BCP efforts.
As an IT leader you have the skill set and organizational knowledge to lead a BCP project, but you must enable business leaders to own their department’s BCP practices and outputs. They know their processes and, therefore, their requirements to resume business operations better than anyone else.
A business continuity plan (BCP) consists of separate but related sub-plans, as illustrated below. This blueprint enables you to:
A plan to restore IT application and infrastructure services following a disruption.
Info-Tech’s disaster recovery planning blueprint provides a methodology for creating the IT DRP. Leverage this blueprint to validate and provide inputs for your IT DRP.
A set of plans to resume business processes for each business unit. This includes:
A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.
Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.
Back when transactions were recorded on paper and then keyed into the mainframe system later, it was easier to revert to deskside processes. There is very little in the way of paper-based processes anymore, and as a result, it is increasingly difficult to resume business processes without IT.
Think about your own organization. What IT system(s) are absolutely critical to business operations? While you might be able to continue doing business without IT, this requires regular preparation and training. It’s likely a completely offline process and won’t be a viable workaround for long even if staff know how to do the work. If your data center and core systems are down, technology-enabled workarounds (such as collaboration via mobile technologies or cloud-based solutions) could help you weather the outage, and may be more flexible and adaptable for day-to-day work.
The bottom line:
Technology is a critical dependency for business processes. Consider the role IT systems play as process dependencies and as workarounds as part of continuity planning.
BCP for Business Unit A:
Scope → Pilot BIA → Response Plan → Gap Analysis
→ Lessons Learned:
= Ongoing governance, testing, maintenance, improvement, awareness, and training.
By comparison, a traditional BCP approach takes much longer to mitigate risk:
Organizational Risk Assessment and Business Impact Analysis → Solution Design to Achieve Recovery Objectives → Create and Validate Response Plans
A charitable foundation for a major state university engaged Info-Tech to support the creation of their business continuity plan.
With support from Info-Tech analysts and the tools in this blueprint, they worked with their business unit stakeholders to identify recovery objectives, confirm recovery capabilities and business process workarounds, and address gaps in their continuity plans.
The outcome wasn’t a pandemic plan – it was a continuity plan that was applicable to pandemics. And it worked. Business processes were prioritized, gaps in work-from-home and business process workarounds had been identified and addressed, business leaders owned their plan and understood their role in it, and IT had clear requirements that they were able and ready to support.
“The work you did here with us was beyond valuable! I wish I could actually explain how ready we really were for this…while not necessarily for a pandemic, we were ready to spring into action, set things up, the priorities were established, and most importantly some of the changes we’ve made over the past few years helped beyond words! The fact that the groups had talked about this previously almost made what we had to do easy.“ -- VP IT Infrastructure
| Phases | Phase 1: Identify BCP Maturity and Document Process Dependencies | Phase 2: Conduct a BIA to Determine Acceptable RTOs and RPOs | Phase 3: Document the Recovery Workflow and Projects to Close Gaps | Phase 4: Extend the Results of the Pilot BCP and Implement Governance |
|---|---|---|---|---|
| Steps | 1.1 Assess current BCP maturity | 2.1 Define an objective impact scoring scale | 3.1 Determine current recovery procedures | 4.1 Consolidate BCP pilot insights to support an overall BCP project plan |
| 1.2 Establish the pilot BCP team | 2.2 Estimate the impact of downtime | 3.2 Identify and prioritize projects to close gaps | 4.2 Outline a business continuity management (BCM) program | |
| 1.3 Identify business processes, dependencies, and alternatives | 2.3 Determine acceptable RTO/RPO targets | 3.3 Evaluate BC site and command center options | 4.3 Test and maintain your BCP | |
| Tools and Templates | ||||
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
BCP Business Impact Analysis Tool: Conduct and document a business impact analysis using this document.
BCP Recovery Workflows Example: Model your own recovery workflows on this example.
BCP Project Roadmap: Use this tool to prioritize projects that can improve BCP capabilities and mitigate gaps and risks.
BCP Relocation Checklists: Plan for and manage a site relocation – whether to an alternate site or work from home.
Summarize your organization's continuity capabilities and objectives in a 15-page, easy-to-consume template.
This document consolidates data from the supporting documentation and tools to the right.
Download Info-Tech’s BCP Summary Document
Focus less on risk, and more on recovery
Avoid focusing on risk and probability analysis to drive your continuity strategy. You never know what might disrupt your business, so develop a flexible plan to enable business resumption regardless of the event.
Small teams = good pilots
Choose a small team for your BCP pilot. Small teams are better at trialing new techniques and finding new ways to think about problems.
Calculate downtime impact
Develop and apply a scoring scale to develop a more-objective assessment of downtime impact for the organization. This will help you prioritize recovery.
It’s not no, but rather not now…
You can’t address all the organization’s continuity challenges at once. Prioritize high value, low effort initiatives and create a long-term roadmap for the rest.
Show Value Now
Get to value quickly. Start with one business unit with continuity challenges, and a small, focused project team who can rapidly learn the methodology, identify continuity gaps, and define solutions that can also be leveraged by other departments right away.
Lightweight Testing Exercises
Outline recovery capabilities using lightweight, low risk tabletop planning exercises. Our research shows tabletop exercises increase confidence in recovery capabilities almost as much as live exercises, which carry much higher costs and risks.
Info-Tech members told us they save an average of $44,522 and 23 days by working with an Info-Tech analyst on BCP (source: client response data from Info-Tech's Measured Value Survey).
Why do members report value from analyst engagement?
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Diagnostic and consistent frameworks are used throughout all four options.
A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between eight to twelve calls over the course of four to six months.
Call 1: Scope requirements, objectives, and stakeholders. Identify a pilot BCP project.
Calls 2 - 4: Assess current BCP maturity. Create business process workflows, dependencies, alternates, and workarounds.
Calls 5 – 7: Create an impact scoring scale and conduct a BIA. Identify acceptable RTO and RPO.
Calls 8 – 9: Create a recovery workflow based on tabletop planning.
Call 10: Summarize the pilot results and plan next steps. Define roles and responsibilities. Make the case for a wider BCP program.
Contact your account representative for more information.
workshops@infotech.com | 1-888-670-8889
| Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | |
|---|---|---|---|---|---|
| Identify BCP Maturity, Key Processes, and Dependencies | Conduct a BIA to Determine Acceptable RTOs and RPOs | Document the Current Recovery Workflow and Projects to Close Gaps | Identify Remaining BCP Documentation and Next Steps | Next Steps and Wrap-Up (offsite) | |
| Activities |
1.1 Assess current BCP maturity. 1.2 Identify key business processes to include in scope. 1.3 Create a flowchart for key business processes to identify business processes, dependencies, and alternatives. |
2.1 Define an objective scoring scale to indicate different levels of impact. 2.2 Estimate the impact of a business disruption on cost, goodwill, compliance, and health & safety. 2.3 Determine acceptable RTOs/RPOs for selected business processes based on business impact. |
3.1 Review tabletop planning – what is it, how is it done? 3.2 Walk through a business disruption scenario to determine your current recovery timeline, RTO/RPO gaps, and risks to your ability to resume business operations. 3.3 Identify and prioritize projects to close RTO/RPO gaps and mitigate recovery risks. |
4.1 Assign business continuity management (BCM) roles to govern BCP development and maintenance, as well as roles required to execute recovery. 4.2 Identify remaining documentation required for the pilot business unit and how to leverage the results to repeat the methodology for remaining business units. 4.3 Workshop review and wrap-up. |
5.1 Finalize deliverables for the workshop. 5.2 Set up review time for workshop outputs and to discuss next steps. |
| Deliverables |
|
|
|
|
|
1.1 Assess Current BCP Maturity
1.2 Establish the pilot BCP team
1.3 Identify business processes, dependencies, and alternatives
Define the scope for the BCP project: assess the current state of the plan, create a pilot project team and pilot project charter, and map the business processes that will be the focus of the pilot.
This step will walk you through the following activities:
This step involves the following participants:
You'll use the following tools & templates:
Establish current BCP maturity using Info-Tech’s ISO 22301-aligned BCP Maturity Scorecard.
This blueprint primarily addresses the first four sections in the scorecard, which align with the creation of the core components of your business continuity plan.
Info-Tech’s maturity scorecard is aligned with ISO 22301, the international standard that describes the key elements of a functioning business continuity management system or program – the overarching set of documents, practices, and controls that support the ongoing creation and maintenance of your BCP. A fully functional BCMS goes beyond business continuity planning to include crisis management, BCP testing, and documentation management.
Audit tools tend to treat every bullet point in ISO 22301 as a separate requirement – which means there’s almost 400 lines to assess. Info-Tech’s BCP Maturity Scorecard has synthesized key requirements, minimizing repetition to create a high-level self-assessment aligned with the standard.
A high score is a good indicator of likely success with an audit.
Download Info-Tech's BCP Maturity Scorecard
"The fact that this aligns with ISO is huge." - Dr. Bernard Jones MBCI, CBCP
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Assign roles and responsibilities for the BCP pilot project. Set milestones and timelines for the pilot.
Though IT is a critical dependency for most processes, IT shouldn’t own the business continuity plan. IT should be an internal BCP process consultant, and each business unit must own their plan.
IT should be an internal BCP consultant.
Why shouldn’t IT own the plan?
Info-Tech Insight
A goal of the pilot is to seed success for further planning exercises. This is as much about demonstrating the value of continuity planning to the business unit, and enabling them to own it, as it is about implementing the methodology successfully.
Outline roles and responsibilities on the pilot team using a “RACI” exercise. Remember, only one party can be ultimately accountable for the work being completed.
| Board | Executive Team | BCP Executive Sponsor | BCP Team Leader | BCP Coordinator | Pilot Bus. Unit Manager | Expert Bus. Unit Staff | IT Manager | |
|---|---|---|---|---|---|---|---|---|
| Communicate BCP project status | I | I | I | A | R | C | C | I |
| Assign resources to pilot BCP project | A | R | C | R | C | R | ||
| Conduct continuity planning activities | I | A/R | R | R | R | R | ||
| Create pilot BCP deliverables | I | A | R | R | C | C | C | |
| Manage BCP documentation | I | A | C | R | I | C | C | |
| Integrate results into BCMS | I | I | A | R | R | I | C | C |
| Create overall BCP project plan | I | I | A | R | C | C |
R: Responsible for doing the work.
A: Accountable to ensure the activity/work happens.
C: Consulted prior to decision or action.
I: Informed of the decision/action once it’s made.
"Large teams excel at solving problems, but it is small teams that are more likely to come up with new problems for their more sizable counterparts to solve." – Wang & Evans, 2019
Small teams tend to be better at trialing new techniques and finding new ways to think about problems, both of which are needed for a BCP pilot project.
Many organizations begin their BCP project with a target business unit in mind. It’s still worth establishing whether this business unit meets the criteria below.
Good candidates for a pilot project:
These short descriptions establish the functions, expectations, and responsibilities of each role at a more granular level.
The Board and executives have an outsized influence on the speed at which the project can be completed. Ensure that communication with these stakeholders is clear and concise. Avoid involving them directly in activities and deliverable creation, unless it’s required by their role (e.g. as a business unit manager).
| Project Role | Description |
|---|---|
| Board & Executive Team |
|
| Executive Sponsor |
|
| Pilot Business Unit Manager |
|
| BCP Coordinator |
|
| Expert Business Unit Staff |
|
| IT Manager |
|
| Other Business Unit Managers |
|
A skilled and committed coordinator is critical to building an effective and durable BCP.
Structure the role of the BCP Coordinator
The BCP Coordinator works with the pilot business unit as well as remaining business units to provide continuity and resolve discrepancies as they come up between business units.
Specifically, this role includes:
"We found it necessary to have the same person work with each business unit to pass along lessons learned and resolve contingency planning conflicts for common dependencies." – Michelle Swessel, PM and IT Bus. Analyst, Wisconsin Compensation Rating Bureau (WCRB)
This step will walk you through the following activities:
This step involves the following participants:
You'll use the following tools & templates:
Documented workflows, process dependencies, and workarounds when dependencies are unavailable.
Process review often results in discovering informal processes, previously unknown workarounds or breakdowns, shadow IT, or process improvement opportunities.
Note: A more in-depth analysis will be conducted later to refine priorities. The goal here is a high-level order of priority for the next steps in the planning methodology (identify business processes and dependencies).
Download Info-Tech’s Business Process Workflows Example
Policies and procedures manuals, if they exist, are often out of date or incomplete. Use these as a starting point, but don’t stop there. Identify the go-to staff members who are well versed in how a process works.
2.1 Define an objective impact scoring scale
2.2 Estimate the impact of downtime
2.3 Determine acceptable RTO/RPO targets
Assess the impact of business process downtime using objective, customized impact scoring scales. Sort business processes by criticality and by assigning criticality tiers, recovery time, and recovery point objectives.
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Define an impact scoring scale relevant to your business, which allows you to more-objectively assess the impact of business process downtime.
The activities in Phase 2 will help you set appropriate, acceptable recovery objectives based on the business impact of process downtime.
For example:
Create Impact Scoring Scales→Assess the impact of process downtime→Review overall impact of process downtime→Set Criticality Tiers→Set Recovery Time and Recovery Point Objectives
Work with the Business Unit Manager and Executive Sponsor to identify the maximum impact in each category to the entire business. Use a worst-case scenario to estimate the maximum for each scale. In the future, you can use this scoring scale to estimate the impact of downtime for other business units.
Cost estimates are like hand grenades and horseshoes: you don’t need to be exact. It’s much easier to get input and validation from other stakeholders when you have estimates. Even weak estimates are far better than a blank sheet.
Use just the impact scales that are relevant to your organization.
This step involves the following participants:
In this step, you’ll use these tools and templates:
Develop an objective view of the impact of downtime for key business processes.
Example: Highest total Goodwill, Compliance, and Safety impact score is 18.
| Tier | Score Range | % of high score |
|---|---|---|
| Tier 1 - Gold | 9-18 | 50-100% |
| Tier 2 - Silver | 5 to 9 | 25-50% |
| Tier 3 - Bronze | 0 to 5 | 0-25% |
This step involves the following participants:
In this step, you’ll use these tools and templates:
Right-size recovery objectives based on business impact.
The impact of downtime for most business processes tends to look something like the increasing impact curve in the image to the right.
In the moments after a disruption, impact tends to be minimal. Imagine, for example, that your organization was suddenly unable to pay its suppliers (don’t worry about the reason for the disruption, for the moment). Chances are, this disruption wouldn’t affect many payees if it lasted just a few minutes, or even a few hours. But if the disruption were to continue for days, or weeks, the impact of downtime would start to spiral out of control.
In general, we want to target recovery somewhere between the point where impact begins, and the point where impact is intolerable. We want to balance the impact of downtime with the investment required to make processes more resilient.
Account for hard copy files as well as electronic data. If that information is lost, is there a backup? BCP can be the driver to remove the last resistance to paperless processes, allowing IT to apply appropriate data protection.
Set recovery time objectives and recovery point objectives in the “Debate Space”
RTOs and RPOs are business-defined, impact-aligned objectives that you may not be able to achieve today. It may require significant investments of time and capital to enable the organization to meet RTO and RPO.
Set a range for RTO for each Tier.
| Tier | RTO |
|---|---|
| Tier 1 | 4 hrs- 24 hrs |
| Tier 2 | 24 hrs - 72 hrs |
| Tier 3 | 72 hrs - 120 hrs |
3.1 Determine current recovery procedures
3.2 Identify and prioritize projects to close gaps
3.3 Evaluate business continuity site and command center options
Outline business recovery processes. Highlight gaps and risks that could hinder business recovery. Brainstorm ideas to address gaps and risks. Review alternate site and business relocation options.
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Establish steps required for business recovery and current recovery timelines.
Identify risks & gaps that could delay or obstruct an effective recovery.
Step 2 - 2 hours
Establish command center.
Step 2: Risks
Step 2: Gaps
A good scenario is one that helps the group focus on the goal of tabletop planning – to discuss and document the steps required to recover business processes. We suggest choosing a scenario for your first exercise that:
An example: a gas leak at company HQ that requires the area to be cordoned off and power to be shut down. The business must resume processes from another location without access to materials, equipment, or IT services at the primary location.
A plan that satisfies the gas leak scenario should meet the needs of other scenarios that affect your normal workspace. Then use BCP testing to validate that the plan meets a wider range of incidents.
Notification
How will you be notified of a disaster event? How will this be escalated to leadership? How will the team responsible for making decisions coordinate (if they can’t meet on-site)? What emergency response plans are in place to protect health and safety? What additional steps are involved if there’s a risk to health and safety?
Assessment
Who’s in charge of the initial assessment? Who may need to be involved in the assessment? Who will coordinate if multiple teams are required to investigate and assess the situation? Who needs to review the results of the assessment, and how will the results of the assessment be communicated (e.g. phone bridge, written memo)? What happens if your primary mode of communication is unavailable (e.g. phone service is down)?
Declaration
Who is responsible today for declaring a disaster and activating business continuity plans? What are the organization’s criteria for activating continuity plans, and how will BCP activation be communicated? Establish a crisis management team to guide the organization through a wide range of crises by Implementing Crisis Management Best Practices.
Do the following:
Tabletop planning is most effective when you keep it simple.
Create one recovery workflow for all scenarios.
Traditional planning calls for separate plans for different “what-if” scenarios. This is challenging not just because it’s a lot more documentation – and maintenance – but because it’s impossible to predict every possible incident. Use the template, aligned to recovery of process dependencies, to create one recovery workflow for each business unit that can be used in and tested against different scenarios.
Download Info-Tech’s BCP Recovery Workflow Example
"We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management." – Assistant Director-IT Operations, Healthcare Industry
"Very few business interruptions are actually major disasters. It’s usually a power outage or hardware failure, so I ensure my plans address ‘minor’ incidents as well as major disasters."- BCP Consultant
Add the following data to your copy of the BCP Business Impact Analysis Tool.
Operating at a minimum acceptable functional level may not be feasible for more than a few days or weeks. Develop plans for immediate continuity first, then develop further plans for long-term continuity processes as required. Recognize that for longer term outages, you will evolve your plans in the crisis to meet the needs of the situation.
Work from and update the soft copy of your recovery workflow.
Info-Tech Insight
Remember that health and safety risks must be dealt with first in a crisis. The business unit recovery workflow will focus on restoring business operations after employees are no longer at risk (e.g. the risk has been resolved or employees have been safely relocated). See Implement Crisis Management Best Practices for ideas on how to respond to and assess a wide range of crises.
For some organizations, it’s not practical or possible to invest in the redundancy that would be necessary to recover in a timely manner from certain major events.
Leverage existing risk management practices to identify key high impact events that could present major business continuity challenges that could cause catastrophic disruptions to facility, IT, staffing, suppliers, or equipment. If you don’t have a risk register, review the scenarios on the next slide and brainstorm risks with the working group.
Work through tabletop planning to identify how you might work through an event like this, at a high level. In step 3.2, you can estimate the effort, cost, and benefit for different ideas that can help mitigate the damage to the business to help decision makers choose between investment in mitigation or accepting the risk.
Document any scenarios that you identify as outside the scope of your continuity plans in the “Scope” section of your BCP Summary document.
For example:
A single location manufacturing company is creating a BCP.
The factory is large and contains expensive equipment; it’s not possible to build a second factory for redundancy. If the factory is destroyed, operations can’t be resumed until the factory is rebuilt. In this case, the BCP outlines how to conduct an orderly business shutdown while the factory is rebuilt.
Contingency planning to resume factory operations after less destructive events, as well as a BCP for corporate services, is still practical and necessary.
| Scenario Type | Considerations |
|---|---|
| Local hazard (gas leak, chemical leak, criminal incident, etc.) |
|
| Equipment/building damage (fire, roof collapse, etc.) |
|
| Regional natural disasters |
|
| Supplier failure (IT provider outage, disaster at supplier, etc.) |
|
| Staff (lottery win, work stoppage, pandemic/quarantine) |
|
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Identify and prioritize projects and action items that can improve business continuity capabilities.
Try to avoid debates about feasibility at this point. The goal is to get ideas on the board.
When you’re brainstorming solutions to problems, don’t stop with the first idea, even if the solution seems obvious. The first idea isn’t always the best or only solution – other ideas can expand on it and improve it.
Step 4: No formal process to declare a disaster and invoke business continuity.
Step 7: Alternate site could be affected by the same regional event as the main office.
Step 12: Need to confirm supplier service-level agreements (SLAs).
With COVID-19, most organizations have experience with mass work-from-home.
Review the following case studies. Do they reflect your experience during the COVID-19 pandemic?
Consider where your own work-from-home plans fell short.
People
→
Site & Facilities
→
External Services & Suppliers
→
Technology & Physical Assets
→
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Identify requirements for an alternate business site.
"There are horror stories about organizations that assumed things about their alternate site that they later found out they weren’t true in practice." – Dr. Bernard Jones, MBCI CBCP
If you choose a shared location as a BCP site, a regional disaster may put you in competition with other tenants for space.
For many organizations, a dedicated command center (TVs on the wall, maps and charts in filing cabinets) isn’t necessary. A conference bridge and collaboration tools allowing everyone to work remotely can be an acceptable offsite command center as long as digital options can meet your command center requirements.
Leverage the methodology and tools in this blueprint to define your return to normal (repatriation) procedures:
For more on supporting a business move back to the office from the IT perspective, see Responsibly Resume IT Operations in the Office
4.1 Consolidate BCP pilot insights to support an overall BCP project plan
4.2 Outline a business continuity management (BCM) program
4.3 Test and maintain your BCP
Summarize and consolidate your initial insights and documentation. Create a project plan for overall BCP. Identify teams, responsibilities, and accountabilities, and assign documentation ownership. Integrate BCP findings in DR and crisis management practices. Set guidelines for testing, plan maintenance, training, and awareness.
Participants
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Present results from the pilot BCP, and outline how you’ll use the pilot process with other business units to create an overall continuity program.
Structure the overall BCP program.
The BCP Summary document is the capstone to business unit continuity planning exercises. It consolidates your findings in a short overview of your business continuity requirements, capabilities, and maintenance procedures.
Info-Tech recommends embedding hyperlinks within the Summary to the rest of your BCP documentation to allow the reader to drill down further as needed. Leverage the following documents:
The same methodology described in this blueprint can be repeated for each business unit. Also, many of the artifacts from the BCP pilot can be reused or built upon to give the remaining business units a head start. For example:
You may need to create some artifacts that are site specific. For example, relocation plans or emergency plans may not be reusable from one site to another. Use your judgement to reuse as much of the templates as you can – similar templates simplify audit, oversight, and plan management.
Adjust the pilot charter to answer the following questions:
As with the pilot, choose a business unit, or business units, where BCP will have the greatest impact and where further BCP activities will have the greatest likelihood of success. Prioritize business units that are critical to many areas of the business to get key results sooner.
Work with one business unit at a time if:
Work with several business units at the same time if:
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Document BCP teams, roles, and responsibilities.
Document contact information, alternates, and succession rules.
A BCM program should:
Develop a Business Continuity Management Program
Phase 4 of this blueprint will focus on the following elements of a business continuity management program:
Schedule a call with an Info-Tech Analyst for help building out these core elements, and for advice on developing the rest of your BCM program.
BC management teams (including the secondary teams such as the emergency response team) have two primary roles:
Crisis leaders require strong crisis management skills:
Collectively, the team must include a broad range of expertise as well as strong planning skills:
Note: For specific BC team roles and responsibilities, including key resources such as Legal, HR, and IT SMEs required to prepare for and execute crisis management plans, see Implement Crisis Management Best Practices.
BCM Team: Govern business continuity, DR, and crisis management planning. Support the organization’s response to a crisis, including the decision to declare a disaster or emergency.
Emergency Response Teams: Assist staff and BC teams during a crisis, with a focus first on health and safety. There’s usually one team per location. Develop and maintain emergency response plans.
Emergency Response Teams: Assist staff and BC teams during a crisis, with a focus first on health and safety. There’s usually one team per location. Develop and maintain emergency response plans.
IT Disaster Recovery Team: Manage the recovery of IT services and data following an incident. Develop and maintain the IT DRP.
Business Unit BCP Teams: Coordinate business process recovery at the business unit level. Develop and maintain business unit BCPs.
“Planning Mode”
Executive Team → BC Management Team ↓
“Crisis Mode”
Executive Team ↔Crisis Management Team↓ ↔ Emergency Response Teams (ERT)
For more details on specific roles to include on these teams, as well as more information on crisis management, review Info-Tech’s blueprint, Implement Crisis Management Best Practices.
Track teams, roles, and contacts in this template. It is pre-populated with roles and responsibilities for business continuity, crisis management, IT disaster recovery, emergency response, and vendors and suppliers critical to business operations.
Track contact information in this template only if you don’t have a more streamlined way of tracking it elsewhere.
Download Info-Tech’s Business Continuity Teams and Roles Tool
Suppliers and vendors might include:
Supplier RTOs and RPOs should align with the acceptable RTOs and RPOs defined in the BIA. Where they do not, explore options for improvement.
Confirm the following:
Your BCP isn’t any one document. It’s multiple documents that work together.
Continue to work through any additional required documentation. Build a repository where master copies of each document will reside and can be updated as required. Assign ownership of document management to someone with an understanding of the process (e.g. the BCP Coordinator).
| Governance | Recovery | ||
|---|---|---|---|
| BCMS Policy | BCP Summary | Core BCP Recovery Workflows | |
| Business Process Workflows | Action Items & Project Roadmap | BCP Recovery Checklists | |
| BIA | Teams, Roles, Contact Information | BCP Business Process Workarounds and Recovery Checklists | |
| BCP Maturity Scorecard | BCP Project Charter | Additional Recovery Workflows | |
| Business Unit Prioritization Tool | BCP Presentation | ||
Recovery documentation has a different audience, purpose, and lifecycle than governance documentation, and keeping the documents separate can help with content management. Disciplined document management keeps the plan current and accessible.
Use the following BCP outputs to inform your DRP:
| PCP Outputs | DRP Activities | |
|---|---|---|
| Business processes defined | Identify critical applications | |
|
Dependencies identified:
|
↗ → |
Identify IT dependencies:
|
|
Recovery objectives defined:
|
→ |
Identify recovery objectives:
|
|
Projects identified to close gaps:
|
→ |
Identify projects to close gaps:
|
Info-Tech Insight
Don’t think of inconsistencies between your DRP and BCP as a problem. Discrepancies between the plans are part of the discovery process, and they’re an opportunity to have a conversation that can improve alignment between IT service capabilities and business needs. You should expect that there will be discrepancies – managing discrepancies is part of the ongoing process to refine and improve both plans.
BC/DR Planning Workflow
1. Collect BCP outputs that impact IT DRP (e.g. technology RTOs/RPOs).
2. As BCPs are done, BCP Coordinator reviews outputs with IT DRP Management Team.
3. Use the RTOs/RPOs from the BCPs as a starting point to determine IT recovery plans.
4. Identify investments required to meet business-defined RTOs/RPOs, and validate with the business.
5. Create a DR technology roadmap to meet validated RTOs/RPOs.
6. Review and update business unit BCPs to reflect updated RTOs/RPOs.
Shadow IT can be a symptom of larger service support issues. There should be a process for requesting and tracking non-standard services from IT with appropriate technical, security, and management oversight.
Assign the BCP Coordinator the task of creating a master list of BC projects, and then work with the BC management team to review and reprioritize this list, as described below:
Improving business continuity capabilities is a marathon, not a sprint. Change for the better is still change and introduces risk – massive changes introduce massive risk. Incremental changes help minimize disruption. Use Info-Tech research to deliver organizational change.
"Developing a BCP can be like solving a Rubik’s Cube. It’s a complex, interdepartmental concern with multiple and sometimes conflicting objectives. When you have one side in place, another gets pushed out of alignment." – Ray Mach, BCP Expert
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Create a plan to maintain the BCP.
Mastery comes through practice and iteration. Iterating on and testing your plan will help you keep up to date with business changes, identify plan improvements, and help your organization’s employees develop a mindset of continuity readiness. Maintenance drives continued success; don’t let your plan become stagnant, messy, and unusable.
Your BCM program should structure BCP reviews and updates by answering the following:
At a minimum, review goals should include:
Who leads reviews and updates documents?
The BCP Coordinator is likely heavily involved in facilitating reviews and updating documentation, at least at first. Look for opportunities to hand off document ownership to the business units over time.
How do we track reviews, tests, and updates?
Keep track of your good work by keeping a log of document changes. If you don’t have one, you can use the last tab on the BCP-DRP Maintenance Checklist.
When do we review the plan?
This tool helps you set a schedule for plan update activities, identify document and exercise owners, and log updates for audit and governance purposes.
Info-Tech Insight
Everyone gets busy. If there’s a meeting you can schedule months in advance, schedule it months in advance! Then send reminders closer to the date. As soon as you’re done the pilot BCP, set aside time in everyone’s calendar for your first review session, whether that’s three months, six months, or a year from now.
Use this template to:
If you require more detail to support your recovery procedures, you can use this template to:
Download Info-Tech’s BCP Process Workarounds & Recovery Checklists Template
Use this template to:
Download Info-Tech’s BCP Notification, Assessment, and Disaster Declaration Plan template
Use this template to:
These HR research resources live on the website of Info-Tech’s sister company, McLean & Company. Contact your Account Manager to gain access to these resources.
This blueprint outlined:
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
Dr. Bernard A. Jones, MBCI, CBCP
Professor and Continuity Consultant Berkeley College
Dr. Jones is a professor at Berkeley College within the School of Professional Studies teaching courses in Homeland Security and Emergency Management. He is a member of the National Board of Directors for the Association of Continuity Professionals (ACP) as well as the Information & Publications Committee Chair for the Garden State Chapter of the ACP. Dr. Jones earned a doctorate degree in Civil Security Leadership, Management & Policy from New Jersey City University where his research focus was on organizational resilience.
Kris L. Roberson
Disaster Recovery Analyst Veterans United Home Loans
Kris Roberson is the Disaster Recovery Analyst for Veterans United Home Loans, the #1 VA mortgage lender in the US. Kris oversees the development and maintenance of the Veterans United Home Loans DR program and leads the business continuity program. She is responsible for determining the broader strategies for DR testing and continuity planning, as well as the implementation of disaster recovery and business continuity technologies, vendors, and services. Kris holds a Masters of Strategic Leadership with a focus on organizational change management and a Bachelors in Music. She is a member of Infragard, the National Association of Professional Women, and Sigma Alpha Iota, and holds a Project+ certification.
Trevor Butler
General Manager of Information Technology City of Lethbridge
As the General Manager of Information Technology with the City of Lethbridge, Trevor is accountable for providing strategic management and advancement of the city’s information technology and communications systems consistent with the goals and priorities of the corporation while ensuring that corporate risks are appropriately managed. He has 15+ years of progressive IT leadership experience, including 10+ years with public sector organizations. He holds a B.Mgt. and PMP certification along with masters certificates in both Project Management and Business Analysis.
Robert Miller
Information Services Director Witt/Kieffer
Bob Miller is the Information Services Director at Witt/Kieffer. His department provides end-user support for all company-owned devices and software for Oak Brook, the regional offices, home offices, and traveling employees. The department purchases, implements, manages, and monitors the infrastructure, which includes web hosting, networks, wireless solutions, cell phones, servers, and file storage. Bob is also responsible for the firm’s security planning, capacity planning, and business continuity and disaster preparedness planning to ensure that the firm has functional technology to conduct business and continue business growth.
Create a Right-Sized Disaster Recovery Plan
Close the gap between your DR capabilities and service continuity requirements.
Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind
Go beyond satisfying auditors to drive process improvement, consistent IT operations, and effective knowledge transfer.
Select the Optimal Disaster Recovery Deployment Model
Determine which deployment models, including hybrid solutions, best meet your DR requirements.
“Business Continuity Planning.” IT Examination HandBook. The Federal Financial Institution Examination Council (FFIEC), February 2015. Web.
“Business Continuity Plans and Emergency Contact Information.” FINRA, 12 February 2015. Web.
“COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.” ISACA, n.d. Web.
Disaster Resource GUIDE. Emergency Lifeline Corporation, n.d. Web.
“DR Rules & Regulations.” Disaster Recovery Journal, March 2017. Web.
“Federal Information Security Management Act (FISMA).” Homeland Security, 2014. Web.
FEMA. “Planning & Templates.” FEMA, n.d. Web.
“FINRA-SEC-CFTC Joint Advisory (Regulatory Notice 13-25).” FINRA, August 2013. Web.
Gosling, Mel and Andrew Hiles. “Business Continuity Statistics: Where Myth Meets Fact.” Continuity Central, 24 April 2009. Web.
Hanwacker, Linda. “COOP Templates for Success Workbook.” The LSH Group, 2016. Web.
Potter, Patrick. “BCM Regulatory Alphabet Soup – Part Two.” RSA Link, 28 August 2012. Web.
The Good Practice Guidelines. Business Continuity Institute, 2013. Web.
Wang, Dashun and James A. Evans. “When Small Teams are Better than Big Ones.” Harvard Business Review, 21 February 2019. Web.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Create strategic alignment between the CoE and the organization’s goals, objectives, and vision.
Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization.
Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Create strategic alignment between the CoE and the organization’s goals, objectives, and vision.
Understand how your key stakeholders will impact the longevity of your CoE.
Determine your CoE structure and staff.
Top-down alignment with strategic aims of the organization.
A set of high-level use cases to form the CoE’s service offerings around.
Visualization of key stakeholders, with their current and desired power and involvement documented.
1.1 Identify and prioritize organizational business objectives.
1.2 Form use cases for the points of alignment between your Agile Center of Excellence (ACE) and business objectives.
1.3 Prioritize your ACE stakeholders.
Prioritized business objectives
Business-aligned use cases to form CoE’s service offerings
Stakeholder map of key influencers
Document the functional expectations of the Agile teams.
Refine your business-aligned use cases with your collected data to achieve both business and functional alignment.
Create a capability map that visualizes and prioritizes your key service offerings.
Understanding of some of the identified concerns, pain points, and potential opportunities from your stakeholders.
Refined use cases that define the service offerings the CoE provides to its customers.
Prioritization for the creation of service offerings with a capability map.
2.1 Classified pains and opportunities.
2.2 Refine your use cases to identify your ACE functions and services.
2.3 Visualize your ACE functions and service offerings with a capability map.
Classified pains and opportunities
Refined use cases based on pains and opportunities identified during ACE requirements gathering
ACE Capability Map
Align service offerings with an Agile adoption model so that teams have a structured way to build their skills.
Standardize the way your organization will interact with the Center of Excellence to ensure consistency in best practices.
Mechanisms put in place for continual improvement and personal development for your Agile teams.
Interaction with the CoE is standardized via engagement plans to ensure consistency in best practices and predictability for resourcing purposes.
3.1 Further categorize your use cases within the Agile adoption model.
3.2 Create an engagement plan for each level of adoption.
Adoption-aligned service offerings
Role-based engagement plans
Develop a set of metrics for the CoE to monitor business-aligned outcomes with.
The foundations of continuous improvement are established with a robust set of Agile metrics.
4.1 Define metrics that align with your Agile business objectives.
4.2 Define target ACE performance metrics.
4.3 Define Agile adoption metrics.
4.4 Assess the interaction and communication points of your Agile team.
4.5 Create a communication plan for change.
Business objective-aligned metrics
CoE performance metrics
Agile adoption metrics
Assessment of organizational design
CoE communication plan
"Inconsistent processes and practices used across Agile teams is frequently cited as a challenge to adopting and scaling Agile within organizations. (VersionOne’s 13th Annual State of Agile Report [N=1,319]) Creating an Agile Center of Excellence (ACE) is a popular way to try to impose structure and improve performance. However, simply establishing an ACE does not guarantee you will be successful with Agile. When setting up an ACE you must: Define ACE services based on identified stakeholder needs. Staff the ACE with respected, “hands on” people, who deliver identifiable value to your Agile teams. Continuously evolve ACE service offerings to maximize stakeholder satisfaction and value delivered."
Alex Ciraco, Research Director, Applications Practice Info-Tech Research Group
Implement Agile Practices That Work
Begin your Agile transformation with a comprehensive readiness assessment and a pilot project to adopt Agile development practices and behaviors that fit.
YOU ARE HERE
Spread Best Practices with an Agile Center of Excellence
Form an ACE to support Agile development at all levels of the organization with thought leadership, strategic development support & process innovation.
Enable Organization-Wide Collaboration by Scaling Agile
Extend the benefits of your Agile pilot project into your organization by strategically scaling Agile initiatives that will meet stakeholders’ needs.
Transition to Product Delivery Introduce product-centric delivery practices to drive greater benefits and better delivery outcomes.
1.1 Determine the vision of your ACE
1.2 Define the service offerings of your ACE
2.1 Define an adoption plan for Agile teams
2.2 Create an ACE engagement plan
2.3 Define metrics to measure success
3.1 Optimize the success of your ACE
3.2 Plan change to enhance your Agile initiatives
3.3 Conduct ongoing retrospectives
Remodel the stages of your lifecycle to standardize your definition of a successful product.
Build a Strong Foundation for Quality
Instill quality assurance practices and principles in each stage of your software development lifecycle.
Implement DevOps Practices That Work
Fix, deploy, and support applications quicker though development and operations collaboration.
NOTE: Organizational change is hard and prone to failure. Determine your organization’s level of readiness for Agile transformation (and recommended actions) by completing Info-Tech’s Agile Transformation Readiness Tool.
An ACE amplifies good practices that have been successfully employed within your organization, effectively allowing you to extend the benefits obtained from your Agile pilot(s) to a wider audience.
From the viewpoint of the business, members of the ACE provide expertise and insights to the entire organization in order to facilitate Agile transformation and ensure standard application of Agile good practices.
From the viewpoint of your Agile teams, it provides a community of individuals that share experiences and lessons learned, propagate new ideas, and raise questions or concerns so that delivering business value is always top of mind.
Some organizations prefer Communities of Practice (CoP) to Centers of Excellence (CoE). CoPs are different from CoEs:
“A CoP is an affiliation of people who share a common practice and who have a desire to further the practice itself … and of course to share knowledge, refine best practices, and introduce standards. CoPs are defined by their domain of interest, but the membership is a social structure comprised of volunteer practitioners”
– Wenger, E., R. A. McDermott, et al. (2002) Cultivating communities of practice: A guide to managing knowledge, Harvard Business Press.
“CoPs differ from a CoE mainly in that they tend to have no geographical boundaries, they hold no hierarchical power within a firm, and they definitely can never have structure determined by the company. However, one of the most obvious and telling differences lies in the stated motive of members – CoPs exist because they have active practitioner members who are passionate about a specific practice, and the goals of a CoP are to refine and improve their chosen domain of practice – and the members provide discretionary effort that is not paid for by the employer”
– Matthew Loxton (June 1, 2011) CoP vs CoE – What’s the difference, and Why Should You Care?, Wordpress.com
List based on reported impediments from VersionOne’s 13th Annual State of Agile Report (N=1,319)
Provide services designed to inject evolving good practices into workflows and remove impediments or roadblocks from your Agile team’s ability to deliver value.
Maintain alignment with corporate objectives without impeding business agility in the long term. The ACE functions as an interface layer so that changing expectations can be adapted without negatively impacting Agile teams.
Avoid the risk of innovation and subject-matter expertise being lost or siloed by facilitating knowledge transfer and fostering a continuous learning environment.
Set baselines, monitor metrics, and run retrospectives to help govern process improvements and ensure that Agile teams are delivering expected benefits.
Instill Agile thinking and behavior into the organization. The ACE must encourage innovation and be an effective agent for change.
Being Prescriptive
Doing Agile
Being Agile
“(‘Doing Agile’ is) just some rituals but without significant change to support the real Agile approach as end-to-end, business integration, value focus, and team empowerment.” - Arie van Bennekum
Simply establishing a Center of Excellence for any discipline does not guarantee its success:
The 2019 State of DevOps Report found that organizations which had established DevOps CoEs underperformed compared to organizations which adopted other approaches for driving DevOps transformation. (Accelerate State of DevOps Report 2019 [N=~1,000])
Still, Agile Centers of Excellence can and do successfully drive Agile adoption in organizations. So what sets the successful examples apart from the others? Here’s what some have to say:
“The ACE must be staffed with qualified people with delivery experience! … [It is] effectively a consulting practice, that can evolve and continuously improve its services … These services are collectively about ‘enablement’ as an output, more than pure training … and above all, the ability to empirically measure the progress” – Paul Blaney, TD Bank
“When leaders haven’t themselves understood and adopted Agile approaches, they may try to scale up Agile the way they have attacked other change initiatives: through top-down plans and directives. The track record is better when they behave like an Agile team. That means viewing various parts of the organization as their customers.” – HBR, “Agile at Scale”
“the Agile CoE… is truly meant to be measured by the success of all the other groups, not their own…[it] is meant to be serving the teams and helping them improve, not by telling them what to do, but rather by listening, understanding and helping them adapt.” - Bart Gerardi, PMI
“The CoE must also avoid becoming static, as it’s crucial the team can adjust as quickly as business and customer needs change, and evolve the technology as necessary to remain competitive.” – Forbes, “RPA CoE (what you need to know)”
"The best CoEs are formed from thought leaders and change agents within the CoE domain. They are the process and team innovators who will influence your CoE roadmap and success. Select individuals who feel passionate about Agile." – Hans Eckman, InfoTech
Simply establishing an Agile Center of Excellence does not guarantee its success. When setting up your ACE, optimize its impact on the organization by doing the following 3 things:
Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.
Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.
Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.
Use Info-Tech’s Practice Adoption Journey model to establish your ACE. Building social capital (stakeholders’ trust in your ability to deliver positive outcomes) incrementally is vital to ensure that everyone is aligned to new mindsets and culture as your Agile practices scale.
Begin to document your development workflow or value chain, implement a tracking system for KPIs, and start gathering metrics and reporting them transparently to the appropriate stakeholders.
Use collected metrics and retrospectives to stabilize team performance by reducing areas of variability in your workflow and increasing the consistency at which targets are met.
Use information to support changes and adopt appropriate practices to make incremental improvements to the existing environment.
Drive behavioral and cultural changes that will empower teams to be accountable for their own success and learning.
Use your built-up trust and support practice innovation, driving the definition and adoption of new practices.
Business justification to continue to fund a Center of Excellence can be a challenge, especially with traditional thinking and rigid stakeholders. Hit the ground running and show value to your key influencers through business alignment and metrics that will ensure that the ACE is worth continuous investment.
The pace of change in customer expectations, competitive landscapes, and business strategy is continuously increasing. It is critical to develop a method to facilitate ongoing alignment to shifting business and development expectations seamlessly and ensure that your Agile teams are able to deliver expected business value.
Monitor your metrics to ensure desired benefits are being realized. The ACE is responsible for ensuring that expected Agile benefits are achievable and on track. Monitor against your defined baselines to create transparency and accountability for desired outcomes.
Run retrospectives to drive improvements and fixes into Agile projects and processes. Metrics falling short of expectations must be diagnosed and their root causes found, and fixes need to be communicated and injected back into the larger organization.
Define metrics and set targets that align with the goals of the ACE. These metrics represent the ACEs expected value to the organization and must be measured against on a regular basis to demonstrate value to your key stakeholders.
Culture clash between Agile teams and larger organization
Agile leverages empowered teams, meritocracy, and broad collaboration for success, but typical organizations are siloed and hierarchical with top down decision making. There needs to be a plan to enable a smooth transition from the current state towards the Agile target state.
Persistence of tribal knowledge
Agile relies on easy and open knowledge sharing, but organizational knowledge can sit in siloes. Employees may also try to protect their expertise for job security. It is important to foster knowledge sharing to ensure that critical know-how is accessible and doesn’t leave the organization with the individual.
Rigid management structures
Rigidity in how managers operate (performance reviews, human resource management, etc.) can result in cultural rejection of Agile. People need to be assessed on how they enable their teams rather than as individual contributors. This can help ensure that they are given sufficient opportunities to succeed. More support and less strict governance is key.
Breakdown due to distributed teams
When face-to-face interactions are challenging, ensure that you invest in the right communication technologies and remove cultural and process impediments to facilitate organization-wide collaboration. Alternative approaches like using documentation or email will not provide the same experience and value as a face-to-face conversation.
Industry - Government
Source - Cathy Novak, Agile Government Leadership
“The Agile CoE in the State of Maine is completely focused on the discipline of the methodology. Every person who works with Agile, or wants to work with Agile, belongs to the CoE. Every member of the CoE tells the same story, approaches the methodology the same way, and uses the same tools. The CoE also functions as an Agile research lab, experimenting with different standards and tools.
The usual tools of project management – mission, goals, roles, and a high-level definition of done – can be found in Maine’s Agile CoE. For story mapping, teams use sticky notes on a large wall or whiteboard. Demonstrating progress this way provides for positive team dynamics and a psychological bang. The State of Maine uses a project management framework that serves as its single source of truth. Everyone knows what’s going on at all times and understands the purpose of what they are doing. The Agile team is continually looking for components that can be reused across other agencies and programs.”
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| 1. Strategically align the Center of Excellence | 2. Standardize the CoEs service offerings | 3. Operate the Center of Excellence | |
|---|---|---|---|
| Best-Practice Toolkit | 1.1 Determine the vision of your ACE. 1.2 Define the service offerings of your ACE. |
2.1 Define an adoption plan for your Agile teams. 2.2 Create an ACE engagement plan. 2.3 Define metrics to measure success. |
3.1 Optimize the success of your ACE. 3.2 Plan change to enhance your Agile initiatives. 3.3 Conduct ongoing retrospectives of your ACE. |
| Guided Implementations |
|
|
|
| Onsite Workshop | Module 1: Strategically align the ACE | Module 2: Standardize the offerings of the ACE | Module 3: Prepare for organizational change |
| Phase 1 Outcome: Create strategic alignment between the CoE and organizational goals. | Phase 2 Outcome: Build engagement plans and key performance indicators based on a standardized Agile adoption plan. |
Phase 3 Outcome: Operate the CoEs monitoring function, identify improvements, and manage the change needed to continuously improve. |
Contact your account representative or email Workshops@InfoTech.com for more information.
| Workshop Module 1 | Workshop Module 2 | Workshop Module 3 | Workshop Module 4 | |
|---|---|---|---|---|
| Activities | Determine vision of CoE 1.1 Identify and prioritize organizational business objectives. 1.2 Form use cases for the points of alignment between your ACE and business objectives. 1.3 Prioritize your ACE stakeholders. |
Define service offerings of CoE 2.1 Form a solution matrix to organize your pain points and opportunities. 2.2 Refine your use cases to identify your ACE functions and services. 2.3 Visualize your ACE functions and service offerings with a capability map. |
Define engagement plans 3.1 Further categorize your use cases within the Agile adoption model. 3.2 Create an engagement plan for each level of adoption. |
Define metrics and plan communications 4.1 Define metrics that align with your Agile business objectives. 4.2 Define target ACE performance metrics. 4.3 Define Agile adoption metrics. 4.4 Assess the interaction and communication points of your Agile team. 4.5 Create a communication plan for change. |
| Deliverables |
|
|
|
|
The first step to creating a high-functioning ACE is to create alignment and consensus amongst your key stakeholders regarding its purpose. Engage in a set of activities to drill down into the organization’s goals and objectives in order to create a set of high-level use cases that will evolve into the service offerings of the ACE.
Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.
Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.
Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion (in weeks): 1
Start with an analyst kick off call:
Then complete these activities…
1.1.1 Optional: Baseline your ACE maturity.
1.1.2 Identify and prioritize organizational business objectives.
1.1.3 Form use cases for the points of alignment between your ACE and business objectives.
1.1.4 Prioritize your ACE stakeholders.
1.1.5 Select a centralized or decentralized model for your ACE.
1.1.6 Staff your ACE strategically.
Start with an analyst kick off call:
Then complete these activities…
1.2.1 Form the Center of Excellence.
1.2.2 Gather and document your existing Agile practices for the CoE.
1.2.3 Interview stakeholders to align ACE requirements with functional expectations.
1.2.4 Form a solution matrix to organize your pain points and opportunities.
1.2.5 Refine your use cases to identify your ACE functions and services.
1.2.6 Visualize your ACE functions and service offerings with a capability map.
Phase 1 Results & Insights:
1.2 Define the service offerings of your ACE
2.1 Define an adoption plan for your Agile teams
2.2 Create an ACE engagement plan
2.3 Define metrics to measure success
3.1 Optimize the success of your ACE
3.2 Plan change to enhance your Agile initiatives
3.3 Conduct ongoing retrospectives of your ACE
1.1.1 Optional: Baseline your ACE maturity.
1.1.2 Identify and prioritize organizational business objectives.
1.1.3 Form use cases for the points of alignment between your ACE and business objectives.
1.1.4 Prioritize your ACE stakeholders.
1.1.5 Select a centralized or decentralized model for your ACE.
1.1.6 Staff your ACE strategically.
If you already have established an ACE, use Info-Tech’s CoE Maturity Diagnostic Tool to baseline its current maturity level (this will act as a baseline for comparison after you complete this Blueprint). Assessing your ACEs maturity lets you know where you currently are, and where to look for improvements.
Document results in the ACE Communications Deck.
INFO-TECH DELIVERABLE
Download the CoE Maturity Diagnostic Tool.
| Stakeholder | Role | Why they are essential players |
|---|---|---|
| CIO/ Head of IT | Program sponsor: Champion and set the tone for the Agile program. Critical in gaining and maintaining buy-in and momentum for the spread of Agile service offerings. | The head of IT has insight and influence to drive buy-in from executive stakeholders and ensure the long-term viability of the ACE. |
| Applications Director | Program executor: Responsible for the formation of the CoE and will ensure the viability of the initial CoE objectives, use cases, and service offerings. | Having a coordinator who is responsible for collating performance data, tracking results, and building data-driven action plans is essential to ensuring continuous success. |
| Agile Subject-Matter Experts | Program contributor: Provide information on the viability of Agile practices and help build capabilities on existing best practices. | Agile’s success relies on adoption. Leverage the insights of people who have implemented and evangelized Agile within your organization to build on top of a working foundation. |
| Functional Group Experts | Program contributor: Provide information on the functional group’s typical processes and how Agile can achieve expected benefits. | Agile’s primary function is to drive value to the business – it needs to align with the expected capabilities of existing functional groups in order to enhance them for the better. |
Business justification to continue to fund a Center of Excellence can be a challenge, especially with traditional thinking and rigid stakeholders. Hit the ground running and show value to your key influencers through business alignment and metrics that will ensure that the ACE is worth continuous investment.
The pace of change in customer expectations, competitive landscapes, and business strategy is continuously increasing. It is critical to develop a method to facilitate ongoing alignment to shifting business and development expectations seamlessly and ensure that your Agile teams are able to deliver expected business value.
1.1.2 2 Hours
While there is tremendous pressure to align IT functions and the business due to the accelerating pace of change and technology innovation, you need to be aware that there are limitations in achieving this goal. Keep these challenges at the top of mind as you bring together your stakeholders to position the service offerings of your ACE. It is beneficial to make your stakeholders self-aware of these biases as well, so they come to the table with an open mind and are willing to find common ground.
There are a plethora of moving pieces within an organization and total alignment is not a plausible outcome.
The aim of a group should not be to achieve total alignment, but rather reframe and consider ways to ensure that stakeholders are content with the ways they interact and that misalignment does not occur due to transparency or communication issues.
While it may seem like the business is one unified body, the reality is that the business can include individuals or groups (CEO, CFO, IT, etc.) with conflicting priorities. While there are shared business goals, these entities may all have competing visions of how to achieve them. Alignment means compromise and agreement more than it means accommodating all competing views.
There is a political component to alignment, and sometimes individual aspirations can impede collective gain.
While the business side may be concerned with cost, those on the IT side of things can be concerned with taking on career-defining projects to bolster their own credentials. This conflict can lead to serious breakdowns in alignment.
Industry Food Services
Source Scott Ambler and Associates, Case Study
Being in an industry with high competition, Panera Bread needed to improve its ability to quickly deliver desired features to end customers and adapt to changing business demands from high internal growth.
Panera Bread engaged in an Agile transformation through a mixture of Agile coaching and workshops, absorbing best practices from these engagements to drive Agile delivery frameworks across the enterprise.
Adopting Agile delivery practices resulted in increased frequency of solution delivery, improving the relationship between IT and the business. Business satisfaction increased both with the development process and the outcomes from delivery.
The transparency that was needed to achieve alignment to rapidly changing business needs resulted in improved communication and broad-scale reduced risk for the organization.
"Agile delivery changed perception entirely by building a level of transparency and accountability into not just our software development projects, but also in our everyday working relationships with our business stakeholders. The credibility gains this has provided our IT team has been immeasurable and immediate."
– Mike Nettles, VP IT Process and Architecture, Panera Bread
Input arrows represent functional group needs, feedback from Agile teams, and collaboration with other CoEs and CoPs
Output arrows represent the services the CoE delivers and the benefits realized across the organization.
Governance & Metrics involves enabling success through the management of the ACEs resources and services, and ensuring that organizational structures evolve in concert with Agile growth and maturity. Your focus should be on governing, measuring, implementing, and empowering improvements.
Effective governance will function to ensure the long-term effectiveness and viability of your ACE. Changes and improvements will happen continuously and you need a way to decide which to adopt as best practices.
"Organizations have lengthy policies and procedures (e.g. code deployment, systems design, how requirements are gathered in a traditional setting) that need to be addressed when starting to implement an Agile Center of Excellence. Legacy ideas that end up having legacy policy are the ones that are going to create bottlenecks, waste resources, and disrupt your progress." – Doug Birgfeld, Senior Partner, Agile Wave
Services refers to the ability to deliver resourcing, guidance, and assistance across all Agile teams. By creating a set of shared services, you enable broad access to specialized resources, knowledge, and insights that will effectively scale to more teams and departments as Agile matures in your organization.
A Services model:
Technology refers to a broad range of supporting tools to enable employees to complete their day-to-day tasks and effectively report on their outcomes. The key to technological support is to strike the right balance between flexibility and control based on your organization's internal and external constraints (policy, equipment, people, regulatory, etc.).
"We sometimes forget the obvious truth that technology provides no value of its own; it is the application of technology to business opportunities that produces return on investment." – Robert McDowell, Author, In Search of Business Value
Staff is all about empowerment. The ACE should support and facilitate the sharing of ideas and knowledge sharing. Create processes and spaces where people are encouraged to come together, learn from, and share with each other. This setting will bring up new ideas to enhance productivity and efficiency in day-to-day activities while maintaining alignment with business objectives.
"An Agile CoE is legitimized by its ability to create a space where people can come together, share, and learn from one another. By empowering teams to grow by themselves and then re-connect with each other you allow the creativity of your employees to flow back into the CoE." – Anonymous, Founder, Agile consultancy group
A use case tells a story about how a system will be used to achieve a goal from the perspective of a user of that system. The people or other systems that interact with the use case are called “actors.” Use cases describe what a system must be able to do, not how it will do it.
Use cases are used to guide design by allowing you to highlight the intended function of a service provided by the Center of Excellence while maintaining a business focus. Jumping too quickly to a solution without fully understanding user and business needs leads to the loss of stakeholder buy-in and the Centers of Excellence rejection by teams.
Hypothesized ACE user needs →Use Case←Business objective
1.1.3 2 Hours
| AGILE CENTER OF EXCELLENCE FUNCTIONS: | |||||||
|---|---|---|---|---|---|---|---|
| Guiding | Learning | Tooling | Supporting | Governing | Monitoring | ||
| BUSINESS OBJECTIVES | Reduce time-to-market of product releases | ||||||
| Reduce product delivery costs | |||||||
| Effectively integrate teams from a merger | |||||||
1.1.3 2 Hours
Your goal should be to keep these as high level and generally applicable as possible as they provide an initial framework to further develop your service offerings. Begin to talk about the ways in which the ACE can support the realization of your business objectives and what those interactions may look like to customers of the ACE.
Avoid the rifts in stakeholder representation by ensuring you involve the relevant parties. Without representation and buy-in from all interested parties, your ACE may omit and fail to meet long-term organizational goals.
By ensuring every group receives representation, your service offerings will speak for the broad organization and in turn meet the needs of the organization as a whole.
Organization
1.1.4 1 Hour
1.1.4 1 Hour
An ACE can be organized differently depending on your organization’s specific needs and culture.
The SAFe Model:©
“For smaller enterprises, a single centralized [ACE] can balance speed with economies of scale. However, in larger enterprises—typically those with more than 500 – 1,000 practitioners—it’s useful to consider employing either a decentralized model or a hub-and-spoke model.”
© Scaled Agile, Inc.
The Spotify Model:
Spotify avoids using an ACE and instead spreads agile practices using Squads, Tribes, Chapters, Guilds, etc.
It can be a challenging model to adopt because it is constantly changing, and must be fundamentally supported by your organization’s culture. (Linders, Ben. “Don't Copy the Spotify Model.” InfoQ.com. 6 Oct. 2016.)
Detailed analysis of The Spotify Model is out of scope for this Blueprint.
1.1.5 30 minutes
| Centralized ACE | Decentralized ACE | ||||
|---|---|---|---|---|---|
| Pros | Cons | Pros | Cons | ||
| Centralize Vs De-centralize Considerations | Prioritized Business Objectives |
|
|
||
| ACE Use Cases |
|
|
|||
| Organization Size |
|
|
|||
| Organization Structure |
|
|
|||
| Organization Culture |
|
|
|||
SELECTED MODEL: Centralized ACE
1.1.6 1 Hour
| Candidate: Jane Doe | ||
|---|---|---|
| Rating Criteria | Criteria Weighting | Candidate's Score (1-5) |
| Candidate has strong theoretical knowledge of Agile. | 8% | 4 |
| Candidate has strong hands on experience with Agile. | 18% | 5 |
| Candidate has strong hands on experience with Agile. | 10% | 4 |
| Candidate is highly respected by the Agile teams. | 18% | 5 |
| Candidate is seen as a thought leader in the organization. | 18% | 5 |
| Candidate is seen as a change agent in the organization. | 18% | 5 |
| Candidate has strong desire to be member of ACE staff. | 10% | 3 |
| Total Weighted Score | 4.6 | |
1.1 Determine the vision of your ACE
1.2 Define the service offerings of your ACE
2.1 Define an adoption plan for your Agile teams
2.2 Create an ACE engagement plan
2.3 Define metrics to measure success
3.1 Optimize the success of your ACE
3.2 Plan change to enhance your Agile initiatives
3.3 Conduct ongoing retrospectives of your ACE
1.2.1 Form the Center of Excellence.
1.2.2 Gather and document your existing Agile practices for the CoE.
1.2.3 Interview stakeholders to align ACE requirements with functional expectations.
1.2.4 Form a solution matrix to organize your pain points and opportunities.
1.2.5 Refine your use cases to identify your ACE functions and services.
1.2.6 Visualize your ACE functions and service offerings with a capability map.
By operating within a group of your key players, you can legitimize your Center of Excellence by propagating the needs and interests of those who interface and evangelize the CoE within the larger organization.
The group of key stakeholders will extend the business alignment you achieved earlier by refining your service offerings to meet the needs of the ACEs customers. Multiple representations at the table will generate a wide arrangement of valuable insights and perspectives.
While holistic representation is necessary, ensure that the list is not too comprehensive and will not lead to progress roadblocks. The goal is to ensure that all factors relevant to the organization are represented; too many conflicting opinions may create an obstruction moving forward.
ACE
Choose the ACE funding model which is most aligned to your current system based on the scenarios provided below. Both models will offer the necessary support to ensure the success of your Agile program going forward.
| Funding Model | Funding Scenario I | Funding Scenario II |
|---|---|---|
| Funded by the CIO | Funded by the CIO office and a stated item within the general IT budget. | Charged back to supported functional groups with all costs allocated to each functional group’s budget. |
| Funded by the PMO | Charged back to supported functional groups with all costs allocated to each functional group’s budget. | Charged back to supported functional groups with all costs allocated to each functional group’s budget. |
Your funding model may add additional key influencers into the mix. After you choose your funding model, ensure that you review your stakeholder map and add anyone who will have a direct impact in the viability and stability of your ACE.
An Agile Center of Excellence is unique in the way you must govern the actions of its customers. Enable “flexible governance” to ensure that Agile teams have the ability to locally optimize and innovate while still operating within expected boundaries.
ACE Governing Body
↑ Agile Team → ACE ← Agile Team ↑
The governing body can be the existing executive or standing committees, or a newly formed committee involving your key ACE influencers and stakeholders.
Flexible governance means that your ACE set boundaries based on your cultural, regulatory, and compliance requirements, and your governance group monitors your Agile teams’ adherence to these boundaries.
There is no right answer to how your Center of Excellence should be resourced. Consider your existing organizational structure and culture, the quality of relationships between functional groups, and the typical budgetary factors that would weigh on choosing between a virtual and dedicated CoE structure.
| COE | Advantages | Disadvantages |
|---|---|---|
| Virtual |
|
|
| Dedicated |
|
|
1.2.1 1 Hour
Document results in the ACE Communications Deck.
The synergy between Agile and CoE relies on its ability to build on existing best practices. Agile cannot grow without a solid foundation. ACE gives you the way to disseminate these practices and facilitate knowledge transfer from a centralized sharing environment. As part of defining your service offerings, engage with stakeholders across the organization to evaluate what is already documented so that it can be accommodated in the ACE.
Info-Tech Insight
When considering existing practices, it is important to evaluate the level of adherence to these practices. If they have been efficiently utilized, injecting them into ACE becomes an obvious decision. If they have been underutilized, however, it is important to understand why this occurred and discuss how you can drive higher adherence.
The success of your Center of Excellence relies on the ability to build sound best practices within your organization’s context. Use your previous lessons learned and growing pains as shared knowledge of past Agile implementations within the ACE.
Draw on the experiences of your initial pilot where you learned how to adapt the Agile manifesto and practices to your specific context. These lessons will help onboard new teams to Agile since they will likely experience some of the same challenges.
Documents for review include:
Draw on previous scaling Agile experiences to help understand how to interface, facilitate, and orchestrate cross-functional teams and stakeholders for large and complex projects. These lessons will help your ACE teams develop collaboration and problem-solving techniques involving roles with different priorities and lines of thinking.
Documents for review include:
1.2.2 Variable time commitment based on current documentation state
| Name | Type | Adherence Level | CoE Best Fit | Source | |
|---|---|---|---|---|---|
| 1 | Tailored Scrum process | Process | High | Shared Services | Internal Wiki |
| 2 | |||||
| 3 |
1.2.3 30-60 Minutes per interview
Interview Stakeholders (from both Agile teams and functional areas) on their needs from the ACE. Ensure you capture both pain points and opportunities. Capture these as either Common Agile needs or Functional needs. Document using the tables below:
| Common Agile Needs | |
|---|---|
| Common Agile Needs |
|
| Functional Needs | Ent Arch Needs |
|---|---|
|
PMO Needs
Operations Needs
1.2.4 Half day
| Governance | Shared Services | Technology | People | |
|---|---|---|---|---|
| Pain Points | ||||
| Opportunities |
Document results in the ACE Communications Deck.
1.2.5 1 Hour
Document results in the ACE Communications Deck.
1.2.6 1 Hour
Document results in the ACE Communications Deck.
Policy Management (Medium Potential)
Change Management (High Potential)
Risk Management (High Potential)
Stakeholder Management (High Potential)
Metrics/Feedback Monitoring (High Potential)
Engagement Planning (High Potential)
Knowledge Management (High Potential)
Subject-Matter Expertise (High Potential)
Agile Team Evaluation (High Potential)
Operations Support (High Potential)
Onboarding (Medium Potential)
Coaching (High Potential)
Learning Facilitation (High Potential)
Internal Certification Program (Low Potential)
Communications Training (Medium Potential)
Vendor Management (Medium Potential)
Application Support (Low Potential)
Tooling Standards (High Potential)
1.1 Determine the vision of your ACE
1.2 Define the service offerings of your ACE
2.1 Define an adoption plan for your Agile teams
2.2 Create an ACE engagement plan
2.3 Define metrics to measure success
Our analyst team will help you organize and prioritize your business objectives for the year in order to ensure that the service offerings the ACE offers are delivering consistent business value.
Our analyst team will help you turn your prioritized business objectives into a set of high-level use cases that will provide the foundation for defining user-aligned services.
Our analysts will walk you through an exercise of mapping and prioritizing your Centers of Excellence stakeholders based on impact and power within so you can ensure appropriate presentation of interests within the organization.
Our analyst team will help you solidify the direction of your Center of Excellence by overlaying your identified needs, pain points, and potential opportunities in a matrix guided by Info-Tech’s CoE operating model.
Our analyst team will help you further refine your business-aligned use cases with the functional expectations from your Agile teams and stakeholders, ensuring the ACEs long-term utility.
Our analysts will walk you through creating your Agile Centers of Excellence capability map and help you to prioritize which service offerings are critical to the success of your Agile teams in meeting their objectives.
Now that you have aligned the CoE to the business and functional expectations, you need to ensure its service offerings are consistently accessible. To effectively ensure accessibility and delegation of shared services in an efficient way, the CoE needs to have a consistent framework to deliver its services.
Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.
Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.
Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion (in weeks): 2
Start with an analyst kick off call:
Then complete these activities…
2.1.1 Further categorize your use cases within the Agile adoption model.
Start with an analyst kick off call:
Then complete these activities…
2.2.1 Create an engagement plan for each level of adoption.
Finalize phase deliverable:
Then complete these activities…
2.3.1 Collect existing team-level metrics.
2.3.2 Define metrics that align with your Agile business objectives.
2.3.3 Define target ACE performance metrics.
2.3.4 Define Agile adoption metrics.
2.3.5 Consolidate metrics for stakeholder impact.
2.3.6 Use Info-Tech’s ACE Benefits Tracking Tool to monitor, evaluate, refine, and ensure continued business value.
1.1 Determine the vision of your ACE
1.2 Define the service offerings of your ACE
2.1 Define an adoption plan for your Agile teams
2.2 Create an ACE engagement plan
2.3 Define metrics to measure success
3.1 Optimize the success of your ACE
3.2 Plan change to enhance your Agile initiatives
3.3 Conduct ongoing retrospectives of your ACE
2.1.1 Further categorize your use cases within the Agile adoption model.
Culture clash between ACE and larger organization
It is important to carefully consider the compatibility between the current organizational culture and Agile moving forward. Agile compels empowered teams, meritocracy, and broad collaboration for success; while typical organizational structures are siloed and hierarchical and decisions are delegated from the top down.
This is not to say that the culture of the ACE has to match the larger organizational culture; part of the overarching aim of the ACE is to evolve the current organizational culture for the better. The point is to ensure you enable a smooth transition with sufficient management support and a team of Agile champions.
The changing role of middle management
Very similar to the culture clash challenge, cultural rigidity in how middle managers operate (performance review, human resource management, etc.) can cause cultural rejection. They need to become enablers for high performance and give their teams the sufficient tools, skills, and opportunities to succeed and excel.
Based on a global survey of Agile practitioners (N=1,319)*:
52% Organizational culture at odds with agile values
44% Inadequate management support and sponsorship
48% General organization resistance to change
*Respondents were able to make multiple selections
(13th Annual State of Agile Report, VersionOne, 2019)
The reality of cultural incompatibility between Agile and traditional organization structures necessitates a structured adoption plan. Systematically build competency so teams can consistently achieve project success and solidify trust in your teams’ ability to meet business needs with Agile.
By incrementally gaining the trust of management as you build up your Agile capabilities, you enable a smooth cultural transition to an environment where teams are empowered, adapt quickly to changing needs, and are trusted to innovate and make successes out of their failures.
Optimized value delivery occurs when there is a direct relationship between competency and trust. There will be unrealized value when competency or trust outweigh the other. That value loss increases as either dimension of adoption continues to grow faster than the other.
Agile adoption at its core, is about building social capital. Your level of trust with key influencers increases as you continuously enhance your capabilities, enabling the necessary cultural changes away from traditional organizational structures.
Begin to document your development workflow or value chain, implement a tracking system for KPIs, and start gathering metrics and reporting them transparently to the appropriate stakeholders.
Use collected metrics and retrospectives to stabilize team performance by reducing areas of variability in your workflow and increasing the consistency at which targets are met.
Use information to support changes and adopt appropriate practices to make incremental improvements to the existing environment.
Drive behavioral and cultural changes that will empower teams to be accountable for their own success and learning.
Use your built-up trust and support practice innovation, driving the definition and adoption of new practices.
Team Organization
Considers the degree to which teams are able to self-organize based on internal organizational structures (hierarchy vs. meritocracy) and inter-team capabilities.
Team Coordination
Considers the degree to which teams can coordinate, both within and across functions.
Business Alignment
Considers the degree to which teams can understand and/or map to business objectives.
Coaching
Considers what kind of coaching/training is offered and how accessible the training is.
Empowerment
Considers the degree to which teams are able and capable to address project, process, and technical challenges without significant burden from process controls and bureaucracy.
Failure Tolerance
Considers the degree to which stakeholders are risk tolerant and if teams are capable of turning failures into learning outcomes.
These key attributes function as qualities or characteristics that, when improved, will successively increase the degree to which the business trusts your Agile teams’ ability to meet their objectives.
Systematically improving these attributes as you graduate levels of the adoption model allows the business to acclimatize to the increased capability the Agile team is offering, and the risk of culture clash with the larger organization decreases.
Start to consider at what level of adoption each of your service offerings become useful. This will allow you to standardize the way your Agile teams interact with the CoE.
2.1.1 1.5 Hours
The same service offering could be offered at different levels of adoption. In these cases, you will need to re-visit the use case and differentiate how the service (if at all) will be delivered at different levels of adoption.
2.1.1 1.5 Hours
| Service Offerings | |
|---|---|
| Level 5: Innovate | |
| Level 4: Empower | |
| Level 3: Collaborate | Coaching -- Communications Training |
| Level 2: Iterate | Tooling Standards |
| Level 1: Conceptualize |
Learning Facilitation
Draw on the service offerings identified in activity 1.2.4
1.1 Determine the vision of your ACE
1.2 Define the service offerings of your ACE
2.1 Define an adoption plan for your Agile teams
2.2 Create an ACE engagement plan
2.3 Define metrics to measure success
3.1 Optimize the success of your ACE
3.2 Plan change to enhance your Agile initiatives
3.3 Conduct ongoing retrospectives of your ACE
2.2.1 Create an engagement plan for each level of adoption.
A Center of Excellence aligned with your service offerings is only valuable if your CoEs customers can effectively access those services. At this stage, you have invested in ensuring that your CoE aligns to your business objectives and that your service offerings align to its customers. Now you need to ensure that these services are accessible in the day-to-day operation of your Agile teams.
Use backwards induction from your delivery method to the service offering. This is an effective method to determine the optimal engagement action for the CoE, as it considers the end customer as the driver for best action for every possible situation.
Info-Tech Insight
Your engagement process should be largely informed by your ACE users. Teams have constraints as well as in-the-trenches concerns and issues. If your service offerings don’t account for these, it can lead to rejection of the culture you are trying to inspire.
A primary function of your ACE is to transfer knowledge to Agile teams to increase their capability to achieve desired outcomes.
While this can take the form of coaching, training sessions, libraries, and wikis, a critical component of ACE is creating interactions where individuals from Agile teams can come together and share their knowledge.
Ideas come from different experiences. By creating communities of practice (CoP) around topics that the ACE is tasked with supporting (e.g. Agile business analysts), you foster social learning and decrease the likelihood that change will result in some sort of cultural rejection.
Consider whether creating CoPs would be beneficial in your organization’s context.
"Communities of practice are a practical way to frame the task of managing knowledge. They provide a concrete organizational infrastructure for realizing the dream of a learning organization." – Etienne Wenger, Digital Habitats: Stewarding technology for communities
Top-down support is critical to validate the CoE to its customers and ensure they feel compelled to engage with its services. Relevancy is a real concern for the long-term viability of a CoE and championing its use from a position of authority will legitimize its function and deter its fading from relevancy of day-to-day use for Agile teams.
Although you are aligning your engagement processes to the customers of your Agile Center of Excellence, you still need your key influencers to champion its lasting organizational relevancy. Don’t let your employees think the ACE is just a coordinating body or a committee that is convenient but non-essential – make sure they know that it drives their own personal growth and makes everyone better as a collective.
"Even if a CoE is positioned to meet a real organizational need, without some measure of top-down support, it faces an uphill battle to remain relevant and avoid becoming simply one more committee in the eyes of the wider organization. Support from the highest levels of the organization help fight the tendency of the larger organization to view the CoE as a committee with no teeth and tip the scales toward relevancy for the CoE." – Joe Shepley, VP and Practice Lead, Doculabs
Info-Tech Insight
Stimulate top-down support with internal certifications. This allows your employees to gain accreditation while at the same time encouraging top-down support and creating a compliance check for the continual delivery and acknowledgement of your evolving best practices.
For your employees to continuously improve, so must the Center of Excellence. Ensure the ACE has the appropriate mechanisms to absorb and disseminate best practices that emerge from knowledge transfer facilitation events.
While facilitating knowledge transfer is key, it is even more important that the Center of Excellence can take localized adaptations from Agile teams and standardize them as best practices when well received. If an individual were to leave without sharing their knowledge, the CoE and the larger organization will lose that knowledge and potential innovation opportunities.
To organically grow your ACE and be cost effective, you want your teams to continuously improve and to share that knowledge. As individual team members develop and climb the adoption model, they should participate as coaches and champions for less experienced groups so that their knowledge is reaching the widest audience possible.
Industry Digital Media
Source Henrik Kniberg & Anders Ivarsson, 2012
Spotify has continuously introduced innovative techniques to facilitate learning and ensure that that knowledge gets injected back into the organization. Some examples are the following:
"As an example of guild work, we recently had a ‘Web Guild Unconference,’ an open space event where all web developers at Spotify gathered up in Stockholm to discuss challenges and solutions within their field."
2.2.1 30 Minutes per role
Document results in the ACE Communications Deck.
2.2.1 30 Minutes per role
| Role: Developer | |||||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | Level 5 | |
| Service Offering |
|
|
|
|
|
| Engagement Process |
|
|
|
|
|
2.2.1 30 Minutes per role
| Role: Tester | |||||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | Level 5 | |
| Service Offering |
|
|
|
|
|
| Engagement Process |
|
|
|
|
|
2.2.1 30 Minutes per role
| Role: Product Owner | |||||
|---|---|---|---|---|---|
| Level 1 | Level 2 | Level 3 | Level 4 | Level 5 | |
| Service Offering |
|
|
|
|
|
| Engagement Process |
|
|
|
|
|
1.1 Determine the vision of your ACE
1.2 Define the service offerings of your ACE
2.1 Define an adoption plan for your Agile teams
2.2 Create an ACE engagement plan
2.3 Define metrics to measure success
3.1 Optimize the success of your ACE
3.2 Plan change to enhance your Agile initiatives
3.3 Conduct ongoing retrospectives of your ACE
2.3.1 Define existing team-level metrics.
2.3.2 Define metrics that align with your Agile business objectives.
2.3.3 Define target ACE performance metrics.
2.3.4 Define Agile adoption metrics.
2.3.5 Consolidate your metrics for stakeholder impact.
2.3.6 Use Info-Tech’s ACE Benefits Tracking Tool to monitor, evaluate, refine, and ensure continued business value.
Quantify measures that demonstrate the effectiveness of your ACE by establishing distinct metrics for each of your service offerings. This will ensure that you have full transparency over the outputs of your CoE and that your service offerings maintain relevance and are utilized.
Specific
Measureable
Achievable
Realistic
Time-bound
Follow the SMART framework when developing metrics for each service offering.
Adhering to this methodology is a key component of the lean management methodology. This framework will help you avoid establishing general metrics that aren’t relevant.
"It’s not about telling people what they are doing wrong. It’s about constantly steering everyone on the team in the direction of success, and never letting any individual compromise the progress of the team toward success." – Mary Poppendieck, qtd. in “Questioning Servant Leadership”
For important advice on how to avoid the many risks associated with metrics, refer to Info-Tech’s Select and Use SDLC Metrics Effectively.
There will be a degree of overlap between the metrics from your business objectives, service offerings, and existing Agile teams. This is a positive thing. If a metric can speak to multiple benefits it is that much more powerful in commuting successes to your key stakeholders.
Existing metrics
Business objective metrics
Service offering metrics
Agile adoption metrics
Finding points of overlap means that you have multiple stakeholders with a vested interest in the positive trend of a specific metric. These consolidated metrics will be fundamental for your CoE as they will help build consensus through communicating the success of the ACE in a common language for a diverse audience.
2.3.1 1 Hour
| Team Objective | Expected Benefits | Metrics |
|---|---|---|
| Improve productivity |
|
|
| Increase team morale and motivation |
|
|
| Improve transparency with business decisions |
|
|
2.3.2 1 Hour
| Business Objectives | Expected Benefits | Metrics |
|---|---|---|
| Decrease time-to-market of product releases |
|
|
| Decrease time-to-market of product releases |
|
|
2.3.3 1 Hour
| Service Offering | Expected Benefits | Metrics |
|---|---|---|
| Knowledge management |
|
|
| Tooling standards |
|
|
2.3.4 1 Hour
| Adoption attributes | Expected Benefits | Metrics |
|---|---|---|
| Team organization |
|
|
| Team coordination |
|
|
| Business alignment |
|
|
| Coaching |
|
|
| Empowerment |
|
|
| Failure tolerance |
|
|
2.3.5 30 Minutes
2.3.6 1 Hour
The CoE governance team can use this tool to take ownership of the project’s benefits, track progress, and act on any necessary changes to address gaps. In the long term, it can be used to identify whether the team is ahead, on track, or lagging in terms of benefits realization.
INFO-TECH DELIVERABLE
Download the ACE Benefits Tracking Tool.
2.1 Define an adoption plan for your Agile teams
2.2 Create an ACE engagement plan
2.3 Define metrics to measure success
↓
3.1 Optimize the success of your ACE
3.2 Plan change to enhance your Agile initiatives
3.3 Conduct ongoing retrospectives of your ACE
Our analyst team will help you categorize the Centers of Excellence service offerings within Info-Tech’s Agile adoption model to help standardize the way your organization engages with the Center of Excellence.
Our analyst team will help you structure engagement plans for each role within your Agile environment to provide a standardized pathway to personal development and consistency in practice.
Our analysts will walk you through defining a set of metrics that align with your Agile business objectives identified in Phase 1 of the blueprint so the CoEs monitoring function can ensure ongoing alignment during operation.
Our analysts will walk you through defining a set of metrics that monitors how successful the ACE has been at providing its services so that business and IT stakeholders can ensure the effectiveness of the ACE.
Our analyst team will help you through defining a set of metrics that aligns with your organization’s fit of the Agile adoption model in order to provide a mechanism to track the progress of Agile teams maturing in capability and organizational trust.
The final step is to engage in monitoring of your metrics program to identify areas for improvement. Using metrics as a driver for operating your ACE will allow you to identify and effectively manage needed change, as well as provide you with the data necessary to promote outcomes to your stakeholders to ensure the long-term viability of the ACE within your organization.
Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.
Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.
Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion (in weeks): Variable depending on communication plan
Start with an analyst kick off call:
Then complete these activities…
3.1.1 Use Info-Tech’s ACE Satisfaction Survey to help establish your baseline.
3.1.2 Use Info-Tech’s CoE Maturity Diagnostic Tool to measure the maturity level of your ACE.
3.1.3 Prioritize ACE actions by monitoring your metrics.
Start with an analyst kick off call:
Then complete these activities…
3.2.1 Assess the interaction and communication points of your Agile teams.
3.2.2 Determine the root cause of each metric falling short of expectations.
3.2.3 Brainstorm solutions to identified issues.
3.2.4 Review your metrics program.
3.2.5 Create a communication plan for change.
Finalize phase deliverable:
Then complete these activities…
3.3.1 Use the outputs from your metrics tracking tool to communicate progress.
3.3.2 Summarize adjustments in areas where the ACE fell short.
3.3.3 Review the effectiveness of your service offerings.
3.3.4 Evaluate your ACE Maturity.
3.3.5 Use Info-Tech’s ACE Communications Deck to deliver your outcomes to the key stakeholders.
Phase 3 Results & Insights:
Inject improvements into your Agile environment with operational excellence. Plan changes and communicate them effectively, monitor outcomes on a regular basis, and keep stakeholders in the loop to ensure that their interests are being looked after to ensure long-term viability of the CoE.
1.1 Determine the vision of your ACE
1.2 Define the service offerings of your ACE
2.1 Define an adoption plan for your Agile teams
2.2 Create an ACE engagement plan
2.3 Define metrics to measure success
3.1 Optimize the success of your ACE
3.2 Plan change to enhance your Agile initiatives
3.3 Conduct ongoing retrospectives of your ACE
3.1.1 Use Info-Tech’s ACE Satisfaction Survey to help establish your baseline.
3.1.2 Use Info-Tech’s CoE Maturity Diagnostic Tool to measure the maturity level of your ACE.
3.1.3 Prioritize ACE actions by monitoring your metrics.
Establish your collection process to ensure that the CoE has the necessary resources to collect metrics and monitor progress, that there is alignment on what data sources are to be used when collecting data, and that you know which stakeholder is interested in the outcomes of that metric.
Establishing the baseline performance of the ACE allows you to have a reasonable understanding of the impact it is having on meeting business objectives. Use user satisfaction surveys, stakeholder interviews, and any current metrics to establish a concept of how you are performing now. Setting new metrics can be a difficult task so it is important to collect as much current data as possible. After the metrics have been established and monitored for a period of time, you can revisit the targets you have set to ensure they are realistic and usable.
Without a baseline, you cannot effectively:
Info-Tech Insight
Invest the needed time to baseline your activities. These data points are critical to diagnose successes and failures of the CoE moving forward, and you will need them to be able to refine your service offerings as business conditions or user expectations change. While it may seem like something you can breeze past, the investment is critical.
What to do:
Benefits:
Challenges:
What to do:
Benefits:
Challenges:
What to do:
Benefits:
Challenges:
3.1.1 Baseline satisfaction survey
Conduct a user satisfaction survey prior to setting your baseline for your ACE. This will include high-level questions addressing your overall Agile environment and questions addressing teams’ current satisfaction with their processes and technology.
INFO-TECH DELIVERABLE
Download the ACE Satisfaction Survey.
3.1.2 CoE maturity assessment
Assessing your ACEs maturity lets you know where they currently are and what to track to get them to the next step. This will help ensure your ACE is following good practices and has the appropriate mechanisms in place to serve your stakeholders.
Document results in the ACE Communications Deck.
INFO-TECH DELIVERABLE
Download the CoE Maturity Diagnostic Tool.
3.1.3 Variable time commitment
1.1 Determine the vision of your ACE
1.2 Define the service offerings of your ACE
2.1 Define an adoption plan for your Agile teams
2.2 Create an ACE engagement plan
2.3 Define metrics to measure success
3.1 Optimize the success of your ACE
3.2 Plan change to enhance your Agile initiatives
3.3 Conduct ongoing retrospectives of your ACE
3.2.1 Assess the interaction and communication points of your Agile teams.
3.2.2 Determine the root cause of each metric falling short of expectations.
3.2.3 Brainstorm solutions to identified issues
3.2.4 Review your metrics program.
3.2.5 Create a communication plan for change.
As Agile spreads, be cognizant of your cultural tolerance to change and its ability to deliver on such change. Change will happen more frequently and continuously, and there may be conceptual (change tolerance) or capability (delivery tolerance) roadblocks along the way that will need to be addressed.
The Agile adoption model will help to graduate both the tolerance to change and tolerance to deliver over time. As your level of competency to deliver change increases, organizational tolerance to change, especially amongst management, will increase as well. Remember that optimized value delivery comes from this careful balance of aptitude and trust.
Tolerance to change refers to the conceptual capacity of your people to consume and adopt change. Change tolerance may become a barrier to success because teams might be too engrained with current structures and processes and find any changes too disruptive and uncomfortable.
Tolerance to deliver refers to the capability to deliver on expected change. While teams may be tolerant, they may not have the necessary capacity, skills, or resources to deliver the necessary changes successfully. The ACE can help solve this problem with training and coaching, or possibly by obtaining outside help where necessary.
As the ACE absorbs best practices and identifies areas for improvement, a change management process should be established to address the implementation and sustainability of change without introducing significant disruptions and costs.
To manage a continuously changing environment, your ACE will need to align and coordinate with organizational change management processes. This process should be capable of evaluating and incorporating multiple change initiatives continuously.
Desired changes will need to be validated, and localized adaptations will need to be disseminated to the larger organization, and current state policy and procedures will need to be amended as the adoption of Agile spreads and capabilities increase.
The goal here is to have the ACE governance group identify and interface with parties relevant to successfully implementing any specific change.
Strategy and Leadership: Optimize Change Management
Optimize your stakeholder management process to identify, prioritize, and effectively manage key stakeholders.
Changes to the services, structure, or engagement model of your ACE can be triggered from various sources in your organization. You will see that proposed changes may be requested with the best intentions; however, the potential impacts they may have to other areas of the organization can be significant. Consult all sources of ACE change requests to obtain a consensus that your change requests will not deteriorate the ACEs performance and use.
Note: Each source of ACE change requests may require a different change management process to evaluate and implement the change.
3.2.1 1.5 Hours
| Agile Team n | ||
|---|---|---|
| Group | Type of Interaction | Potential challenges |
| Operations |
|
|
| PMO |
|
|
3.2.2 30 Minutes per metric
3.2.3 30 Minutes per metric
| SOLUTION CATEGORY | ||||
|---|---|---|---|---|
| People | Process | Technology | ||
| ISSUES | Poor face-to-face communication | |||
| Lack of best-practice documentation | ||||
Strategically managing change is an essential component to ensure that the ACE achieves its desired function. If the change that comes with adopting Agile best practices is going to impact other functions and change their expected workflows, ensure they are well prepared and the benefits for said changes are clearly communicated to them.
Necessary change may be identified proactively (dependency assessments, system integrity, SME indicates need, etc.) or reactively (through retrospectives, discussions, completing root-cause analyses, etc.), but both types need to be handled the same way – through proper planning and communication with the affected parties.
Understand the points where other groups will be affected by the adoption of Agile practices and recognize the potential challenges they may face. Plan changes to accommodate interactions between these groups without roadblocks or impediments.
Structure a communication plan based on your identified challenges and proposed changes so that groups are well prepared to make the necessary adjustments to accommodate Agile workflows.
Consider the possible limitations that will exist from environmental complexities when measuring your Agile teams. Dependencies and legacy policies and procedures that pose a bottleneck to desired outcomes will need to be changed before teams can be measured justifiably. Take the time to ensure the metrics you crafted earlier are plausible in your current environment and there is not a need for transitional metrics.
Specific
Measureable
Achievable
Realistic
Time-bound
Info-Tech Insight
Use metrics as diagnostics, not as motivation. Teams will find ways to meet metrics they are measured by making sacrifices and taking unneeded risk to do so. To avoid dysfunction in your monitoring, use metrics as analytical tools to inform decision making, not as a yardstick for judgement.
3.2.4 Variable time commitment
Industry Government
Source Navin Vembar, Agile Government Leadership
The GSA is tasked with completed management of the Integrated Award Environment (IAE).
The IAE staff had to find a way to break down the problem of modernization into manageable chunks that would demonstrate progress, but also had to be sure to capture a wide variety of user needs with the ability to respond to those needs throughout development.
Had to work out the logistics of executing Agile change within the GSA, an agency that relies heavily on telework. In the case of modernization, they had a product owner in Florida while the development team was spread across the metro Washington, DC area.
Agile provided the ability to build incremental successes that allowed teams successful releases and built enthusiasm around the potential of adopting Agile practices offered.
Communication is key to avoid surprises and lost productivity created by the implementation of changes.
User groups and the business need to be given sufficient notice of an impending change. Be concise, be comprehensive, and ensure that the message is reaching the right audience so that no one is blindsided and unable to deliver what is needed. This will allow them to make appropriate plans to accept the change, minimizing the impact of the change on productivity.
Communicating change
(Cornelius & Associates, The Qualities of Leadership: Leading Change)
3.2.5 1.5 Hours
Note: It is important to establish a feedback mechanism to ensure that the communication has been effective in communicating the change to the intended audiences. This can be incorporated into your ACE satisfaction surveys.
| Audience | Messenger | Format | Timing | Message |
|---|---|---|---|---|
| Operations | Development team |
|
Build ready for release | |
| Key stakeholders | CIO | Meeting |
|
Updates on outcomes from past two sprint cycles |
1.1 Determine the vision of your ACE
1.2 Define the service offerings of your ACE
2.1 Define an adoption plan for your Agile teams
2.2 Create an ACE engagement plan
2.3 Define metrics to measure success
3.1 Optimize the success of your ACE
3.2 Plan change to enhance your Agile initiatives
3.3 Conduct ongoing retrospectives of your ACE
3.3.1 Use the outputs from your metrics tracking tool to communicate progress.
3.3.2 Summarize adjustments in areas where the ACE fell short.
3.3.3 Re-conduct satisfaction surveys and compare against your baseline.
3.3.4 Use Info-Tech’s CoE Maturity Diagnostic Tool to baseline current practices
3.3.5 Use Info-Tech’s ACE Communications Deck to deliver your outcomes to the key stakeholders.
After functioning for a period of time, it is imperative to review the function of your ACE to ensure its continual alignment and see in what ways it can improve.
At the end of the year, take the time to deliberately review and discuss:
The overlying purpose of your ACE is to effectively align your Agile teams with corporate objectives. This means that there have to be communicable benefits that point to the effort and resources invested being valuable to the organization. Re-visit your prioritized stakeholder list and get ready to show them the impact the ACE has had on business outcomes.
Communication with stakeholders is the primary method of building and developing a lasting relationship. Correct messaging can build bridges and tear down barriers, as well as soften opposition and bolster support.
This section will help you to prepare an effective communication piece that summarizes the metrics stakeholders are interested in, as well as some success stories or benefits that are not communicable through metrics to provide extra context to ongoing successes of the ACE.
Strategy and Leadership: Manage Stakeholder Relations
Optimize your stakeholder management process to identify, prioritize, and effectively manage key stakeholders.
Those who fund the ACE have a large influence on the long-term success of your ACE. If you have not yet involved your stakeholders, you need to re-visit your organizational funding model for the ACE and ensure that your key stakeholders include the key decision makers for your funding. While they may have varying levels of interest and desires for granularity of data reporting, they need to at least be informed on a high level and kept as champions of the ACE so that there are no roadblocks to the long-term viability of this program.
Keep this in mind as the ACE begins to demonstrate success, as it is not uncommon to have additional members added to your funding model as your service scales, especially in the chargeback models.
As new key influencers are included, the ACEs governing group must ensure that collective interests may align and that more priorities don’t lead to derailment.
3.3.1 1 Hour
Use the ACE Benefits Tracking Tool to track the progress of your Agile environment to monitor whether or not the ACE is having a positive impact on the business’ ability to meet its objectives. The outputs will allow you to communicate incremental benefits that have been realized and point towards positive trends that will ensure the long-term buy-in of your key influencers.
For communication purposes, use this tool to:
Part of communicating the effectiveness of your ACE is to demonstrate that it is able to remedy projects and processes when they fall short of expectations and brainstorm solutions that effectively address these challenges. Take the opportunity to summarize where results were not as expected, and the ways in which the ACE used its influence or services to drive a positive outcome from a problem diagnosis. Stakeholders do not want a sugar-coated story – they want to see tangible results based on real scenarios.
Summarizing failures will demonstrate to key influencers that:
3.3.2 15 Minutes per metric
| Name of metric that fell short | |
|---|---|
| Baseline measurement | 65% of users satisfied with ACE services. |
| Goal measurement | 80% of users satisfied with ACE services. |
| Actual measurement | 70% of users satisfied with ACE services. |
| Results of root-cause analysis | Onboarding was not extensive enough; teams were unaware of some of the services offered, rendering them unsatisfied. |
| Proposed solution | Revamp onboarding process to include capability map of service offered. |
| Summary of success | TBD |
3.3.3 Re-conduct satisfaction surveys and compare against your baseline
This satisfaction survey will give you a template to follow to monitor the effectiveness of your ACEs defined service offerings. The goal is to understand what worked, and what did not, so you can add, retract, or modify service offerings where necessary.
INFO-TECH DELIVERABLE
Download the ACE Satisfaction Survey.
3.3.4 ACE Maturity Assessment
Assess your ACEs maturity by using Info-Tech’s CoE Maturity Diagnostic Tool. Assessing your ACEs maturity lets you know where you currently are, and where to look for improvements. Note that your optimal Maturity Level will depend on organizational specifics (e.g. a small organization with a handful of Agile Teams can be less mature than a large organization with hundreds of Agile Teams).
Document results in the ACE Communications Deck.
INFO-TECH DELIVERABLE
Download the CoE Maturity Diagnostic Tool.
3.3.5 Structure communications to each of your key stakeholders
The ACE Communications Deck will give you a template to follow to effectively communicate with your stakeholders and ensure the long-term viability of your Agile Center of Excellence. Fill in the slides as instructed and provide each stakeholder with a targeted view of the successes of the ACE.
INFO-TECH DELIVERABLE
Download the ACE Communications Deck.
Paul has been an Agile practitioner since the manifesto emerged some 20 years ago, applying and refining his views through real life experience at several organizations from startups to large enterprises. He has recently completed the successful build out of the inaugural Agile Delivery Centre of Excellence at TD bank in Toronto.
John Munro is the President of Scrum Masters Inc., a software optimization professional services firm using Agile, Scrum, and Lean to help North American firms “up skill” their software delivery people and processes. Scrum Masters’ unique, highly collaborative “Master Mind” consulting model leverages Agile/Lean experts on a biweekly basis to solve clients’ technical and process challenges.
Doug has been a leader in building great teams, Agile project management, and business process innovation for over 20 years. As Senior Partner and Chief Evangelist at Agile Wave, his mission is to educate and to learn from all those who care about effective government delivery, nationally.
Implement Agile Practices That Work
Agile is a cultural shift. Don't just do Agile, be Agile.
Enable Organization-Wide Collaboration by Scaling Agile
Execute a disciplined approach to rolling out Agile methods in the organization.
Improve Application Development Throughput
Drive down your delivery time by eliminating development inefficiencies and bottlenecks while maintaining high quality.
Implement DevOps Practices That Work
Accelerate software deployment through Dev and Ops collaboration.
Maximize the Benefits from Enterprise Applications with a Center of Excellence
Optimize your organization’s enterprise application capabilities with a refined and scalable methodology.
Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program
Be proactive; it costs exponentially more to fix a problem the longer it goes unnoticed.
Optimize the Change Management Process
Right-size your change management process.
Improve Requirements Gathering
Back to basics: great products are built on great requirements.
Ambler, Scott. “Agile Requirements Change Management.” Agile Modeling. Scott Amber + Associates, 2014. Web. 12 Apr. 2016.
Ambler, Scott. “Center of Excellence (CoEs).” Disciplined Agile 2.0: A Process Decision Framework for Enterprise I.T. Scott Amber + Associates. Web. 01 Apr. 2016.
Ambler, Scott. “Transforming From Traditional to Disciplined Agile Delivery.” Case Study: Disciplined Agile Delivery Adoption. Scott Amber + Associates, 2013. Web.
Beers, Rick. “IT – Business Alignment Why We Stumble and the Path Forward.” Oracle Corporation, July 2013. Web.
Cornelius & Associates. “The Qualities of Leadership: Leading Change.” Cornelius & Associates, n.d. Web.
Craig, William et al. “Generalized Criteria and Evaluation Method for Center of Excellence: A Preliminary Report.” Carnegie Mellon University Research Showcase @ CMU – Software Engineering Institute. Dec. 2009. Web. 20 Apr. 2016.
Forsgren, Dr. Nicole et al (2019), Accelerate: State of DevOps 2019, Google, https://services.google.com/fh/files/misc/state-of-devops-2019.pdf
Gerardi, Bart (2017), Agile Centers of Excellence, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/405819/Agile-Centers-of-Excellence
Gerardi, Bart (2017), Champions of Agile Adoption, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/418151/Champions-of-Agile-Adoption
Gerardi, Bart (2017), The Roles of an Agile COE, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/413346/The-Roles-of-an-Agile-COE
Hohl, P. et al. “Back to the future: origins and directions of the ‘Agile Manifesto’ – views of the originators.” Journal of Software Engineering Research and Development, vol. 6, no. 15, 2018. https://link.springer.com/article/10.1186/s40411-0...
Kaltenecker, Sigi and Hundermark, Peter. “What Are Self-Organising Teams?” InfoQ. 18 July 2014. Web. 14 Apr. 2016.
Kniberg, Henrik and Anderson Ivarsson. “Scaling Agile @ Spotify with Tribes, Squads, Chapters & Guilds.” Oct. 2012. Web. 30 Apr. 2016.
Kumar, Alok et al. “Enterprise Agile Adoption: Challenges and Considerations.” Scrum Alliance. 30 Oct. 2014. Web. 30 May 2016.
Levison, Mark. “Questioning Servant Leadership.” InfoQ, 4 Sept. 2008. Web. https://www.infoq.com/news/2008/09/servant_leadership/
Linders, Ben. “Don't Copy the Spotify Model.” InfoQ.com. 6 Oct. 2016.
Loxton, Matthew (June 1, 2011), CoP vs CoE – What’s the difference, and Why Should You Care?, Wordpress.com
McDowell, Robert, and Bill Simon. In Search of Business Value: Ensuring a Return on Your Technology Investment. SelectBooks, 2010
Novak, Cathy. “Case Study: Agile Government and the State of Maine.” Agile Government Leadership, n.d. Web.
Pal, Nirmal and Daniel Pantaleo. “Services are the Language and Building Blocks of an Agile Enterprise.” The Agile Enterprise: Reinventing your Organization for Success in an On-Demand World. 6 Dec. 2015. Springer Science & Business Media.
Rigby, Darrell K. et al (2018), Agile at Scale, Harvard Business Review, https://hbr.org/2018/05/agile-at-scale
Scaledagileframework.com, Create a Lean-Agile Center of Excellence, Scaled Agile, Inc, https://www.scaledagileframework.com/lace/
Shepley, Joe. “8 reasons COEs fail (Part 2).” Agile Ramblings, 22 Feb. 2010. https://joeshepley.com/2010/02/22/8-reasons-coes-fail-part-2/
Stafford, Jan. “How upper management misconceptions foster Agile failures.” TechTarget. Web. 07 Mar. 2016.
Taulli, Tom (2020), RPA Center Of Excellence (CoE): What You Need To Know For Success, Forbes.com, https://www.forbes.com/sites/tomtaulli/2020/01/25/rpa-center-of-excellence-coe-what-you-need-to-know-for-success/#24364620287a
Telang, Mukta. “The CMMI Agile Adoption Model.” ScrumAlliance. 29 May 2015. Web. 15 Apr. 2016.
VersionOne. “13th Annual State of Agile Report.” VersionOne. 2019. Web.
Vembar, Navin. “Case Study: Agile Government and the General Services Administration (Integrated Award Environment).” Agile Government Leadership, n.d. Web.
Wenger, E., R. A. McDermott, et al. (2002), Cultivating communities of practice: A guide to managing knowledge, Harvard Business Press.
Wenger, E., White, N., Smith, J.D. Digital Habitats; Stewarding Technology for Communities. Cpsquare (2009).
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Evaluate executive stakeholder needs and assess your current capabilities to ensure your implementation strategy sets realistic expectations.
Define an organizationally appropriate scope and mandate for your EPMO to ensure that your processes serve the needs of the whole.
Establish clearly defined and easy-to-follow EPMO processes that minimize project complexity and improve enterprise project results.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Identify breakdowns in the flow of portfolio data across the enterprise to pinpoint where and how an EPMO can best intervene.
Assess areas of strength and opportunity in your PPM capabilities to help structure and drive the EPMO.
Define stakeholder needs and expectations for the EPMO in order to cultivate capabilities and services that help drive informed and engaged project decisions at the executive level.
A current state picture of the triggers that are driving the need for an EPMO at your organization.
A current state understanding of the strengths you bring to the table in constructing an EPMO as well as the areas you need to focus on in building up your capabilities.
A target state set by stakeholder requirements and expectations, which will enable you to build out an implementation strategy that is aligned with the needs of the executive layer.
1.1 Map current enterprise PPM workflows.
1.2 Conduct a SWOT analysis.
1.3 Identify resourcing considerations and other implementation factors.
1.4 Survey stakeholders to establish the right mix of EPMO capabilities.
An overview of the flow of portfolio data and information across the organization
An overview of current strengths, weaknesses, opportunities, and threats
A preliminary assessment of internal and external factors that could impact the success of this implementation
The ability to construct a project plan that is aligned with stakeholder needs and expectations
Define an appropriate scope for the EPMO and the deployment it services.
Devise a plan for engaging and including the appropriate stakeholders during the implementation phase.
A clear purview for the EPMO in relation to the wider enterprise in order to establish appropriate expectations for the EPMO’s services throughout the organization.
Engaged stakeholders who understand that they have a stake in the successful implementation of the EPMO.
2.1 Prepare your EPMO value proposition.
2.2 Define the role and organizational reach of your EPPM capabilities.
2.3 Establish a communication plan to create stakeholder awareness.
A clear statement of purpose and benefit that can be used to help build the case for an EPMO with stakeholders
A functional charter defining the scope of the EPMO and providing a statement of the services the EPMO will provide once established
An engaged executive layer that understands the value of the EPMO and helps drive its success
Establish clearly defined and easy-to-follow EPMO processes that minimize project complexity.
Develop portfolio and project governance structures that feed the EPMO with the data decision makers require without overloading enterprise project teams with processes they can’t support.
Devise a communications strategy that helps achieve organizational buy-in.
The reduction of project chaos and confusion throughout the organization.
Processes and governance requirements that work for both decision makers and project teams.
Organizational understanding of the universal benefit of the EPMO’s processes to stakeholders throughout the enterprise.
3.1 Establish EPMO roles and responsibilities.
3.2 Document standard procedures around enterprise portfolio reporting, PPM administration, and project leadership.
3.3 Review enterprise PPM solutions.
3.4 Develop a stakeholder engagement and resistance plan.
Clear lines of portfolio accountability
A fully actionable EPMO Standard Operating Procedure document that will enable process clarity
An informed understanding of the right PPM solution for your enterprise processes
A communications strategy document to help communicate the organizational benefits of the EPMO
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Each organization is different, so a generic list of security priorities will not be applicable to every organization. Thus, you need to:
During 2022, ransomware campaigns declined from quarter to quarter due to the collapse of experienced groups. Several smaller groups are developing to recapture the lost ransomware market. However, ransomware is still the most worrying cyber threat.
Also in 2022, people returned to normal activities such as traveling and attending sports or music events but not yet to the office. The reasons behind this trend can be many fold, such as employees perceive that work from home (WFH) has positive productivity effects and time flexibility for employees, especially for those with families with younger children. On the other side of the spectrum, some employers perceive that WFH has negative productivity effects and thus are urging employees to return to the office. However, employers also understand the competition to retain skilled workers is harder. Thus, the trend is to have hybrid work where eligible employees can WFH for a certain portion of their work week.
Besides ransomware and the hybrid work model, in 2022, we saw an evolving threat landscape, regulatory changes, and the potential for a recession by the end of 2023, which can impact how we prioritize cybersecurity this year. Furthermore, organizations are still facing the ongoing issues of insufficient cybersecurity resources and organization modernization.
This report will explore important security trends, the security priorities that stem from these trends, and how to customize these priorities for your organization.
In Q2 2022, the median ransom payment was $36,360 (-51% from Q1 2022), a continuation of a downward trend since Q4 2021 when the ransom payment median was $117,116.
Source: Coveware, 2022
From January until October 2022, hybrid work grew in almost all industries in Canada especially finance, insurance, real estate, rental and leasing (+14.7%), public administration and professional services (+11.8%), and scientific and technical services (+10.8%).
Source: Statistics Canada, Labour Force Survey, October 2022; N=3,701
Investment on remote work due to changes in processes and infrastructure
As part of our research process for the 2023 Security Priorities Report, we used the results from our State of Hybrid Work in IT Survey, which collected responses between July 10 and July 29, 2022 (total N=745, with n=518 completed surveys). This survey details what changes in processes and IT infrastructure are likely due to hybrid work.
Survey respondents (n=518) were asked what processes had the highest degree of change in response to supporting hybrid work. Incident management is the #1 result and service request support is #2. This is unsurprising considering that remote work changed how people communicate, how they access company assets, and how they connect to the company network and infrastructure.
For 2023, we believe that hybrid work will remain. The first driver is that employees still prefer to work remotely for certain days of the week. The second driver is the investment from employers on enabling WFH during the pandemic, such as updated network architecture (44%) and the infrastructure and day-to-day operations (41%) as shown on our survey.
In the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, we asked about cybersecurity concerns and the perception about readiness to meet current and future government legislation regarding cybersecurity requirements.
Survey respondents were asked how concerned they are about certain cybersecurity issues from 1 (not concerned at all) to 5 (very concerned). The #1 concern was talent shortages. Other issues with similar concerns included cyber risks not on leadership's radar, supply chain risks, and new regulations (n=507).
When asked about how confident organizations are about being prepared to meet current and future government legislation regarding cybersecurity requirements, from 1 (not confident at all) to 5 (very confident), the #1 response was 3 (n=499).
Unsurprisingly, the ever-changing government legislation environment in a world emerging from a pandemic and ongoing wars may not give us the highest confidence.
As part of our research process for the 2023 Security Priorities Report, we reviewed results of completed Info-Tech Research Group Security Governance and Management Benchmark diagnostics (N=912). This report details what we see in our clients' security governance maturity. Setting aside the perception on readiness – what are their actual security maturity levels?
Overall, assessed organizations are still scoring low (47%) on Security Culture and Policy and Process Governance. This justifies why most security incidents are still due to gaps in foundational security and security awareness, not lack of advanced controls such as event and incident management (58%).
As part of our research process for the 2023 Security Priorities Report, we reviewed the results of the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, which collected responses between August 9 and September 9, 2022 (total N=813 with n=521 completed surveys).
Keeping the same spending is the #1 result and #2 is increasing spending up to 10%. This is a surprising finding considering the survey was conducted after the middle of 2022 and a recession has been predicted since early 2022 (n=489).
|
Source: Statista, 2022, CC BY-ND |
US recession forecastContingency planning for recessions normally includes tight budgeting; however, it can also include opportunities for growth such as hiring talent who have been laid off by competitors and are difficult to acquire in normal conditions. This can support our previous findings on increasing cybersecurity spending. |
If anything can be learned from COVID-19 pandemic, it is that humans are resilient. We swiftly changed to remote workplaces and adjusted people, processes, and technologies accordingly. We had some hiccups along the way, but overall, we demonstrated that our ability to adjust is amazing.
The pandemic changed how people work and how and where they choose to work, and most people still want a hybrid work model. However, the number of days for hybrid work itself varies. For example, from our survey in July 2022 (n=516), 55.8% of employees have the option of 2-3 days per week to work offsite, 21.0% for 1 day per week, and 17.8% for 4 days per week.
Furthermore, the investment (e.g. on infrastructure and networks) to initiate remote work was huge, and the cost doesn't end there, as we need to maintain the secure remote work infrastructure to facilitate the hybrid work model.
Remote work: A 2022 survey by WFH Research (N=16,451) reports that ~14% of full-time employees are fully remote and ~29% are in a hybrid arrangement as of Summer-Fall 2022.
Security workforce shortage: A 2022 survey by Bridewell (N=521) reports that 68% of leaders say it has become harder to recruit the right people, impacting organizational ability to secure and monitor systems.
Confidence in the security practice: A 2022 diagnostic survey by Info-Tech Research Group (N=55) reports that importance may not correspond to confidence; for example, the most important selected cybersecurity area, namely Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice (80.5%).
Source: National Bureau of Economic Research, 2021
As part of our research process for the 2023 Security Priorities Report, we analyzed results from the Info-Tech Research Group diagnostics. This report details what we see in our clients' perceived importance of security and their confidence in existing security practices.
Diagnostics respondents (N=55) were asked about how important security is to their organization or department. Importance to the overall organization is 2.1 percentage points (pp) higher, but confidence in the organization's overall security is slightly lower (-0.4 pp).
If we break down to security areas, we can see that the most important area, Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice: 80.5%. From this data we can conclude that leaders must build a strong cybersecurity workforce to increase confidence in the security practice.
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Review your security strategy for hybrid work.
Determine the skill needs of your security strategy.
Identify skills gaps that hinder the successful execution of the hybrid work security strategy.
Use the identified skill gaps to define the technical skill requirements for work roles.
Conduct a skills assessment on your current workforce to identify employee skill gaps.
Decide whether to train, hire, contract, or outsource each skill gap.
Source: Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan, Info-Tech
From computerized milk-handling systems in Wisconsin farms, to automated railway systems in Europe, to Ausgrid's Distribution Network Management System (DNMS) in Australia, to smart cities and beyond; system modernization poses unique challenges to cybersecurity.
The threats can be safety, such as the trains stopped in Denmark during the last weekend of October 2022 for several hours due to an attack on a third-party IT service provider; economics, such as a cream cheese production shutdown that occurred at the peak of cream cheese demand in October 2021 due to hackers compromising a large cheese manufacturer's plants and distribution centers; and reliability, such as the significant loss of communication for the Ukrainian military, which relied on Viasat's services.
Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits.
IIoT market size is USD 323.62 billion in 2022 and projected to be around USD 1 trillion in 2028.
Source: Statista,
March 2022
|
Target: Australian sewage plant. Method: Insider attack. Impact: 265,000 gallons of untreated sewage released. |
Target: Middle East energy companies. Method: Shamoon. Impact: Overwritten Windows-based systems files. |
Target: German Steel Mill Method: Spear-phishing Impact: Blast furnace control shutdown failure. |
Target: Middle East Safety Instrumented System (SIS). Method: TRISIS/TRITON. Impact: Modified safety system ladder logic. |
Target: Viasat's KA-SAT Network. Method: AcidRain. Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat's services. |
|
||||
|
Target: Marconi wireless telegraphs presentation. Method: Morse code. Impact: Fake message sent "Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily." |
Target: Iranian uranium enrichment plant. Method: Stuxnet. Impact: Compromised programmable logic controllers (PLCs). |
Target: ICS supply chain. Method: Havex. Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers. |
Target: Ukraine power grid. Method: BlackEnergy. Impact: Manipulation of HMI View causing 1-6 hour power outages for 230,000 consumers. |
Target: Colonial Pipeline. Method: DarkSide ransomware. Impact: Compromised billing infrastructure halted the pipeline operation. |
Sources:
Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Identify the drivers to align with your organization's business objectives.
Build your case by leveraging a cost-benefit analysis, and update your security strategy.
Identify people, process, and technology gaps that hinder the modernization
security strategy.
Use the identified skill gaps to update risks, policies and procedures, IR, DR, and BCP.
Evaluate and enable modernization technology top focus areas and refine
security processes.
Decide whether to train, hire, contract, or outsource to fill the security workforce gap.
Sources:
Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech
Secure IT-OT Convergence, Info-Tech
Identify a modernization business case for security.
| Benefits |
Metrics |
|---|---|
|
Operational Efficiency and Cost Savings |
|
|
Improve Reliability and Resilience |
|
|
Energy & Capacity Savings |
|
|
Customers & Society Benefits |
|
Cost | Metrics |
|---|---|
Equipment and Infrastructure | Upgrade existing security equipment or instrumentation or deploy new, e.g. IPS on Enterprise DMZ and Operations DMZ. Implement communication network equipment and labor to install and configure. Upgrade or construct server room including cooling/heating, power backup, and server and rack hardware. |
Software and Commission | The SCADA/HMI software and maintenance fee as well as lifecycle upgrade implementation project cost. Labor cost of field commissioning and troubleshooting. Integration with security systems, e.g. log management and continuous monitoring. |
Support and Resources | Cost to hire/outsource security FTEs for ongoing managing and operating security devices, e.g. SOC. Cost to hire/outsource IT/OT FTEs to support and troubleshoot systems and its integrations with security systems, e.g. MSSP. |
An example of a cost-benefit analysis for ICS modernization
Sources:
Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech
Lawrence Berkeley National Laboratory, 2021
(Control System Defense: Know the Opponent, CISA)
An example of a high-level architecture of an electric utility's control system and its interaction with IT systems.
Source: ISA-99, 2007
Government-enacted regulatory changes are occurring at an ever-increasing rate these days. As one example, on November 10, 2022, the EU Parliament introduced two EU cybersecurity laws: the Network and Information Security (NIS2) Directive (applicable to organizations located within the EU and organizations outside the EU that are essential within an EU country) and the Digital Operational Resilience Act (DORA). There are also industry regulatory changes such as PCI DSS v4.0 for the payment sector and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for Bulk Electric Systems (BES).
Organizations should use regulatory changes as a means to improve security practices, instead of treating them as a compliance burden. As said by lead member of EU Parliament Bart Groothuis on NIS2, "This European directive is going to help around 160,000 entities tighten their grip on security […] It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale."
Stricter requirements and reporting: Regulations such as NIS2 include provisions for incident response, supply chain security, and encryption and vulnerability disclosure and set tighter cybersecurity obligations for risk management reporting obligations.
Broader sectors: For example, the original NIS directive covers 19 sectors such as Healthcare, Digital Infrastructure, Transport, and Energy. Meanwhile, the new NIS2 directive increases to 35 sectors by adding other sectors such as providers of public electronic communications networks or services, manufacturing of certain critical products (e.g. pharmaceuticals), food, and digital services.
High sanctions for violations: For example, Digital Services Act (DSA) includes fines of up to 6% of global turnover and a ban on operating in the EU single market in case of repeated serious breaches.
Approximately 100 cross-border data flow regulations exist in 2022.
Source: McKinsey, 2022
|
64 New requirements were added 13 New requirements become effective March 31, 2024 11 New requirements only for service providers |
Defined roles must be assigned for requirements. Focus on periodically assessing and documenting scope. Entities may choose a defined approach or a customized approach to requirements. |
An example of new requirements for PCI DSS v4.0
Source: Prepare for PCI DSS v4.0, Info-Tech
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
Description must include what organization will undertake to complete the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Related Info-Tech Research:
Identify relevant security and privacy obligations and conformance levels.
Identify gaps for updated obligations, and map obligations into control framework.
Review, update, and implement policies and strategy.
Develop compliance exception process.
Develop test scripts to check your remediations to ensure they are effective.
Track and report status and exceptions.
Sources: Build a Security Compliance Program and Prepare for PCI DSS v4.0, Info-Tech
| # | Security | Jurisdiction |
|---|---|---|
| 1 | Network and Information Security (NIS2) Directive | European Union (EU) and organizations outside the EU that are essential within an EU country |
| 2 | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) | North American electrical utilities |
| 3 | Executive Order (EO) 14028: Improving the Nation's Cybersecurity, The White House, 2021 | United States |
|
# |
Privacy | Jurisdiction |
|---|---|---|
| 1 | General Data Protection Regulation (GDPR) | EU and EU citizens |
| 2 | Personal Information Protection and Electronic Documents Act (PIPEDA) | Canada |
| 3 | California Consumer Privacy Act (CCPA) | California, USA |
| 4 | Personal Information Protection Law of the People’s Republic of China (PIPL) | China |
An example of security and privacy compliance obligations
The cat and mouse game between threat actors and defenders is continuing. The looming question "can defenders do better?" has been answered with rapid development of technology. This includes the automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing) not only on IT but also on other relevant environments, e.g. IoT, IIoT, and OT based on AI/ML.
More fundamental approaches such as post-quantum cryptography and zero trust (ZT) are also emerging.
ZT is a principle, a model, and also an architecture focused on resource protection by always verifying transactions using the least privilege principle. Hopefully in 2023, ZT will be more practical and not just a vendor marketing buzzword.
Next-gen cybersecurity technologies alone are not a silver bullet. A combination of skilled talent, useful data, and best practices will give a competitive advantage. The key concepts are explainable, transparent, and trustworthy. Furthermore, regulation often faces challenges to keep up with next-gen cybersecurity technologies, especially with the implications and risks of adoption, which may not always be explicit.
ZT: Performing an accurate assessment of readiness and benefits to adopt ZT can be difficult due to ZT's many components. Thus, an organization needs to develop a ZT roadmap that aligns with organizational goals and focuses on access to data, assets, applications, and services; don't select solutions or vendors too early.
Post-quantum cryptography: Current cryptographic applications, such as RSA for PKI, rely on factorization. However, algorithms such as Shor's show quantum speedup for factorization, which can break current crypto when sufficient quantum computing devices are available. Thus, threat actors can intercept current encrypted information and store it to decrypt in the future.
AI-based threat management: AI helps in analyzing and correlating data extremely fast compared to humans. Millions of telemetries, malware samples, raw events, and vulnerability data feed into the AI system, which humans cannot process manually. Furthermore, AI does not get tired in processing this big data, thus avoiding human error and negligence.
Data breach mitigation cost without AI: USD 6.20 million; and with AI: USD 3.15 million
Source: IBM, 2022
Too many false alarms and too many events to process. Evolving threat landscapes waste your analysts' valuable time on mundane tasks, such as evidence collection. Meanwhile, only limited time is spared for decisions and conclusions, which results in the fear of missing an incident and alert fatigue.
To report progress, clear metrics are needed. However, cybersecurity still lacks in this area as the system itself is complex and some systems work in silos. Furthermore, lessons learned are not yet distilled into insights for improving future accuracy.
System integration is required to create consistent workflows across the organization and to ensure complete visibility of the threat landscape, risks, and assets. Also, the convergence of OT, IoT, and IT enhances this challenge.
Source: IBM Security Intelligence, 2020
Risk scores are generated by machine learning based on variables such as behavioral patterns and geolocation. Zero trust architecture is combined with machine learning. Asset management leverages visibility using machine learning. Comply with regulations by improving discovery, classification, and protection of data using machine learning. Data security and data privacy services use machine learning for data discovery.
AI, advanced machine learning, and static approaches, such as code file analysis, combine to automatically detect and analyze threats and prevent threats from spreading, assisted by threat intelligence.
AI helps in orchestrating security technologies for organizations to reduce the number of security agents installed, which may not talk to each other or, worse, may conflict with each other.
AI continuously tunes based on lessons learned, such as creating security policies for improving future accuracy. AI also does not get fatigue, and it assists humans in a faster recovery.
AI has been around since the 1940s, but why is it only gaining traction now? Because supporting technologies are only now available, including faster GPUs for complex computations and cheaper storage for massive volumes of data.
Use this template to explain the priorities you need your stakeholders to know about.
Use this template to explain the priorities you need your stakeholders to know about.
Description must include what organization will undertake to complete the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Identify the stakeholders who will be affected by the next-gen cybersecurity technologies implementation and define responsibilities based on skillsets and the degree of support.
Adopt well-established data governance practices for cross-functional teams.
Conduct a maturity assessment of key processes and highlight interdependencies.
Develop a baseline and periodically review risks, policies and procedures, and business plan.
Develop a roadmap and deploy next-gen cybersecurity architecture and controls step by step, working with trusted technology partners.
Monitor metrics on effectiveness and efficiency.
Source: Leverage AI in Threat Management (keynote presentation), Info-Tech
Software is usually produced as part of a supply chain instead of in silos. A vulnerability in any part of the supply chain can become a threat surface. We have learned this from recent incidents such as Log4j, SolarWinds, and Kaseya where attackers compromised a Virtual System Administrator tool used by managed service providers to attack around 1,500 organizations.
DevSecOps is a culture and philosophy that unifies development, security, and operations to answer this challenge. DevSecOps shifts security left by automating, as much as possible, development and testing. DevSecOps provides many benefits such as rapid development of secure software and assurance that, prior to formal release and delivery, tests are reliably performed and passed.
DevSecOps practices can apply to IT, OT, IoT, and other technology environments, for example, by integrating a Secure Software Development Framework (SSDF).
Secure Software Supply Chain: Logging is a fundamental feature of most software, and recently the use of software components, especially open source, are based on trust. From the Log4j incident we learned that more could be done to improve the supply chain by adopting ZT to identify related components and data flows between systems and to apply the least privilege principle.
DevSecOps: A software error wiped out wireless services for thousands of Rogers customers across Canada in 2021. Emergency services were also impacted, even though outgoing 911 calls were always accessible. Losing such services could have been avoided, if tests were reliably performed and passed prior to release.
OT insecure-by-design: In OT, insecurity-by-design is still a norm, which causes many vulnerabilities such as insecure protocols implementation, weak authentication schemes, or insecure firmware updates. Additional challenges are the lack of CVEs or CVE duplication, the lack of Software Bill of Materials (SBOM), and product supply chains issues such as vulnerable products that are certified because of the scoping limitation and emphasis on functional testing.
Technical causes of cybersecurity incidents in EU critical service providers in 2019-2021 shows: software bug (12%) and faulty software changes/update (9%).
Source: CIRAS Incident reporting, ENISA (N=1,239)
| Best Practices | 30 Years Ago | 15 Years Ago | Present Day |
|---|---|---|---|
| Lifecycle | Years or Months | Months or Weeks | Weeks or Days |
| Development Process | Waterfall | Agile | DevSecOps |
| Architecture | Monolithic | N-Tier | Microservices |
| Deployment & Packaging | Physical | Virtual | Container |
| Hosting Infrastructure | Server | Data Center | Cloud |
| Cybersecurity Posture | Firewall | + SIEM | + Zero Trust |
Best practices in software development are evolving as shown on the diagram to the left. For example, 30 years ago the lifecycle was "Years or Months," while in the present day it is "Weeks or Days."
These changes also impact security such as the software architecture, which is no longer "Monolithic" but "Microservices" normally built within the supply chain.
The software supply chain has known integrity attacks that can happen on each part of it. Starting from bad code submitted by a developer, to compromised source control platform (e.g. PHP git server compromised), to compromised build platform (e.g. malicious behavior injected on SolarWinds build), to a compromised package repository where users are deceived into using the bad package by the similarity between the malicious and the original package name.
Therefore, we must secure each part of the link to avoid attacks on the weakest link.
| Guide for Developers |
Guide for Suppliers |
Guide for Customers |
|---|---|---|
|
Secure product criteria and management, develop secure code, verify third-party components, harden build environment, and deliver code. |
Define criteria for software security checks, protect software, produce well-secured software, and respond to vulnerabilities. |
Secure procurement and acquisition, secure deployment, and secure software operations. |
Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022
"Most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these software components are developed, integrated, and deployed, as well as the practices used to ensure the components' security."
Source: NIST – NCCoE, 2022
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
Description must include what organization will undertake to complete the initiative.
List initiative drivers.
List initiative risks and impacts.
Only a few developers and suppliers explicitly address software security in detail.
Time pressure to deliver functionality over security.
Lack of security awareness and lack of trained workforce.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Customers (acquiring organizations) achieve secure acquisition, deployment, and operation of software.
Developers and suppliers provide software security with minimal vulnerabilities in its releases.
Automated processes such as automated testing avoid error-prone and labor-intensive manual test cases.
Define and keep security requirements and risk assessments up to date.
Perform analysis on current market and supplier solutions and acquire security evaluation.
Require visibility into provenance of product, and require suppliers' self-attestation of security hygiene
Verify distribution infrastructure, product and individual components integrity, and SBOM.
Save and store the tests and test environment and review and verify the
self-attestation mechanism.
Use multi-layered defenses, e.g. ZT for integration and control configuration.
Train users on how to detect and report anomalies and when to apply updates to a system.
Ensure updates from authorized and authenticated sources and verify the integrity of the updated SBOM.
Apply supply chain risk management (SCRM) operations.
Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022
Aksoy, Cevat Giray, Jose Maria Barrero, Nicholas Bloom, Steven J. Davis, Mathias Dolls, and Pablo Zarate. "Working from Home Around the World." Brookings Papers on Economic Activity, 2022.
Barrero, Jose Maria, Nicholas Bloom, and Steven J. Davis. "Why working from home will stick." WFH Research, National Bureau of Economic Research, Working Paper 28731, 2021.
Boehm, Jim, Dennis Dias, Charlie Lewis, Kathleen Li, and Daniel Wallance. "Cybersecurity trends: Looking over the horizon." McKinsey & Company, March 2022. Accessed
31 Oct. 2022.
"China: TC260 issues list of national standards supporting implementation of PIPL." OneTrust, 8 Nov. 2022. Accessed 17 Nov. 2022.
Chmielewski, Stéphane. "What is the potential of artificial intelligence to improve cybersecurity posture?" before.ai blog, 7 Aug. 2022. Accessed 15 Aug. 2022.
Conerly, Bill. "The Recession Will Begin Late 2023 Or Early 2024." Forbes, 1 Nov. 2022. Accessed 8 Nov. 2022.
"Control System Defense: Know the Opponent." CISA, 22 Sep. 2022. Accessed 17 Nov. 2022.
"Cost of a Data Breach Report 2022." IBM, 2022.
"Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience." European Parliament News, 10 Nov. 2022. Press Release.
"Cyber Security in Critical National Infrastructure Organisations: 2022." Bridewell, 2022. Accessed 7 Nov. 2022.
Davis, Steven. "The Big Shift to Working from Home." NBER Macro Annual Session On
"The Future of Work," 1 April 2022.
"Digital Services Act: EU's landmark rules for online platforms enter into force."
EU Commission, 16 Nov. 2022. Accessed 16 Nov. 2022.
"DoD Enterprise DevSecOps Fundamentals." DoD CIO, 12 May 2022. Accessed 21 Nov. 2022.
Elkin, Elizabeth, and Deena Shanker. "That Cream Cheese Shortage You Heard About? Cyberattacks Played a Part." Bloomberg, 09 Dec. 2021. Accessed 27 Oct. 2022.
Evan, Pete. "What happened at Rogers? Day-long outage is over, but questions remain." CBC News, 21 April 2022. Accessed 15 Nov. 2022.
"Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022." Coveware,
28 July 2022. Accessed 18 Nov. 2022.
"Fighting cybercrime: new EU cybersecurity laws explained." EU Commission, 10 Nov. 2022. Accessed 16 Nov. 2022.
"Guide to PCI compliance cost." Vanta. Accessed 18 Nov. 2022.
Hammond, Susannah, and Mike Cowan. "Cost of Compliance 2022: Competing priorities." Thomson Reuters, 2022. Accessed 18 Nov. 2022.
Hemsley, Kevin, and Ronald Fisher. "History of Industrial Control System Cyber Incidents." Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.
Hofmann, Sarah. "What Is The NIS2 And How Will It Impact Your Organisation?" CyberPilot,
5 Aug. 2022. Accessed 16 Nov. 2022.
"Incident reporting." CIRAS Incident Reporting, ENISA. Accessed 21 Nov. 2022.
"Introducing SLSA, an End-to-End Framework for Supply Chain Integrity." Google,
16 June 2021. Accessed 25 Nov. 2022.
Kovacs, Eduard. "Trains Vulnerable to Hacker Attacks: Researchers." SecurityWeek, 29 Dec. 2015. Accessed 15 Nov. 2022.
"Labour Force Survey, October 2022." Statistics Canada, 4 Nov. 2022. Accessed 7 Nov. 2022.
Malacco, Victor. "Promises and potential of automated milking systems." Michigan State University Extension, 28 Feb. 2022. Accessed 15 Nov. 2022.
Maxim, Merritt, et al. "Planning Guide 2023: Security & Risk." Forrester, 23 Aug. 2022. Accessed 31 Oct. 2022.
"National Cyber Threat Assessment 2023-2024." Canadian Centre for Cyber Security, 2022. Accessed 18 Nov. 2022.
Nicaise, Vincent. "EU NIS2 Directive: what's changing?" Stormshield, 20 Oct. 2022. Accessed
17 Nov. 2022.
O'Neill, Patrick. "Russia hacked an American satellite company one hour before the Ukraine invasion." MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.
"OT ICEFALL: The legacy of 'insecure by design' and its implications for certifications and risk management." Forescout, 2022. Accessed 21 Nov. 2022.
Palmer, Danny. "Your cybersecurity staff are burned out - and many have thought about quitting." ZDNet, 8 Aug. 2022. Accessed 19 Aug. 2022.
Placek, Martin. "Industrial Internet of Things (IIoT) market size worldwide from 2020 to 2028 (in billion U.S. dollars)." Statista, 14 March 2022. Accessed 15 Nov. 2022.
"Revised Proposal Attachment 5.13.N.1 ADMS Business Case PUBLIC." Ausgrid, Jan. 2019. Accessed 15 Nov. 2022.
Richter, Felix. "Cloudy With a Chance of Recession." Statista, 6 April 2022. Web.
"Securing the Software Supply Chain: Recommended Practices Guide for Developers." Enduring Security Framework (ESF), Aug. 2022. Accessed 22 Sep. 2022.
"Securing the Software Supply Chain: Recommended Practices Guide for Suppliers." Enduring Security Framework (ESF), Sep. 2022. Accessed 21 Nov. 2022.
"Securing the Software Supply Chain: Recommended Practices Guide for Customers." Enduring Security Framework (ESF), Oct. 2022. Accessed 21 Nov. 2022.
"Security Guidelines for the Electricity Sector: Control System Electronic Connectivity."
North American Electric Reliability Corporation (NERC), 28 Oct. 2013. Accessed 25 Nov. 2022.
Shepel, Jan. "Schreiber Foods hit with cyberattack; plants closed." Wisconsin State Farmer,
26 Oct. 2022. Accessed 15 Nov. 2022.
"Significant Cyber Incidents." Center for Strategic and International Studies (CSIS). Accessed
1 Sep. 2022.
Souppaya, Murugiah, Michael Ogata, Paul Watrobski, and Karen Scarfone. "Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps." NIST - National Cybersecurity Center of Excellence (NCCoE), Nov. 2022. Accessed
22 Nov. 2022.
"Ten Things Will Change Cybersecurity in 2023." SOCRadar, 23 Sep. 2022. Accessed
31 Oct. 2022.
"The Nature of Cybersecurity Defense: Pentagon To Reveal Updated Zero-Trust Cybersecurity Strategy & Guidelines." Cybersecurity Insiders. Accessed 21 Nov. 2022.
What Is Threat Management? Common Challenges and Best Practices." IBM Security Intelligence, 2020.
Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.
Violino, Bob. "5 key considerations for your 2023 cybersecurity budget planning." CSO Online,
14 July 2022. Accessed 27 Oct. 2022
Andrew Reese
Cybersecurity Practice Lead
Zones
Ashok Rutthan
Chief Information Security Officer (CISO)
Massmart
Chris Weedall
Chief Information Security Officer (CISO)
Cheshire East Council
Jeff Kramer
EVP Digital Transformation and Cybersecurity
Aprio
Kris Arthur
Chief Information Security Officer (CISO)
SEKO Logistics
Mike Toland
Chief Information Security Officer (CISO)
Mutual Benefit Group
Seventy-four percent of organizations do not have a formal process for capturing and retaining knowledge - which, when lost, results in decreased productivity, increased risk, and money out the door.
Successful completion of the IT knowledge transfer project will result in the following outcomes:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Minimize risk and IT costs resulting from attrition through effective knowledge transfer.
Use this template to document the knowledge transfer stakeholder power map by identifying the stakeholder’s name and role, and identifying their position on the power map.
Use this template to communicate the value and rationale for knowledge transfer to key stakeholders.
Use this tool to identify and assess the knowledge and individual risk of key knowledge holders.
Use this template to track knowledge activities, intended recipients of knowledge, and appropriate transfer tactics for each knowledge source.
Use this template as a starting point for managers to interview knowledge sources to extract information about the type of knowledge the source has.
Use this template as a starting point to build your proposed IT knowledge transfer roadmap presentation to management to obtain formal sign-off and initiate the next steps in the process.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
EXECUTIVE BRIEF
Your Challenge |
Common Obstacles |
Info-Tech’s Approach |
|---|---|---|
Seventy-four percent of organizations do not have a formal process for capturing and retaining knowledge1 which, when lost, results in decreased productivity, increased risk, and money out the door. You need to:
|
|
Our client-tested methodology and project steps allow you to tailor your knowledge transfer plan to any size of organization, across industries. Successful completion of the IT knowledge transfer project will result in the following outcomes:
|
Seventy-four percent of organizations do not have a formal process for capturing and retaining knowledge which, when lost, results in decreased productivity, increased risk, and money out the door.1
Today, the value of an organization has less to do with its fixed assets and more to do with its intangible assets. Intangible assets include patents, research and development, business processes and software, employee training, and employee knowledge and capability.
People (and their knowledge and capabilities) are an organization’s competitive advantage and with the baby boomer retirement looming, organizations need to invest in capturing employee knowledge before the employees leave. Losing employees in key roles without adequate preparation for their departure has a direct impact on the bottom line in terms of disrupted productivity, severed relationships, and missed opportunities.
Knowledge Transfer (KT) is the process and tactics by which intangible assets – expertise, knowledge, and capabilities – are transferred from one stakeholder to another. A well-devised knowledge transfer plan will mitigate the risk of knowledge loss, yet as many as 74%2 of organizations have no formal approach to KT – and it’s costing them money, reputation, and time.
84%of all enterprise value on the S&P 500 is intangibles.3
$31.5 billion lost annually by Fortune 500 companies failing to share knowledge. 1
74% of organizations have no formal process for facilitating knowledge transfer. 2
1 Shedding Light on Knowledge Management, 2004, p. 46
| 1 | Inefficiency due to “reinvention of the wheel.” When older workers leave and don’t effectively transfer their knowledge, younger generations duplicate effort to solve problems and find solutions. |
|---|---|
| 2 | Loss of competitive advantage. What and who you know is a tremendous source of competitive edge. Losing knowledge and/or established client relationships hurts your asset base and stifles growth, especially in terms of proprietary or unique knowledge. |
| 3 | Reduced capacity to innovate. Older workers know what works and what doesn’t, as well as what’s new and what’s not. They can identify the status quo faster, to make way for novel thinking. |
| 4 | Increased vulnerability. One thing that comes with knowledge is a deeper understanding of risk. Losing knowledge can impede your organizational ability to identify, understand, and mitigate risks. You’ll have to learn through experience all over again. |
55-60 |
67% |
78% |
$14k / minute |
|---|---|---|---|
the average age of mainframe workers – making close to 50% of workers over 60.2 |
of Fortune 100 companies still use mainframes3 requiring. specialized skills and knowledge |
of CIOs report mainframe applications will remain a key asset in the next decade.1 |
is the cost of mainframe outages for an average enterprise.1 |
A system failure to a mainframe could be disastrous for organizations that haven’t effectively transferred key knowledge. Now think past the mainframe to key processes, customer/vendor relationships, legal requirements, home grown solutions etc. in your organization.
What would knowledge loss cost you in terms of financial and reputational loss?
Source: 1 Big Tech Problem as Mainframes Outlast Workforce
Source: 2 IT's most wanted: Mainframe programmers
Source: 3The State of the Mainframe, 2022
Insurance organization fails to mitigate risk of employee departure and incurs costly consequences – in the millions
INDUSTRY: Insurance
SOURCE: ITRG Member
Challenge |
Solution |
Results |
|---|---|---|
|
|
|
IT knowledge transfer is a process that, at its most basic level, ensures that essential IT knowledge and capabilities don’t leave the organization – and at its most sophisticated level, drives innovation and customer service by leveraging knowledge assets.
Knowledge Transfer Risks: |
Knowledge Transfer Opportunities: |
|---|---|
|
✗ Increased training and development costs when key stakeholders leave the organization. ✗ Decreased efficiency through long development cycles. ✗ Late projects that tie up IT resources longer than planned, and cost overruns that come out of the IT budget. ✗ Lost relationships with key stakeholders within and outside the organization. ✗ Inconsistent project/task execution, leading to inconsistent outcomes. ✗ IT losing its credibility due to system or project failure from lost information. ✗ Customer dissatisfaction from inconsistent service. |
✓ Mitigated risks and costs from talent leaving the organization. ✓ Business continuity through redundancies preventing service interruptions and project delays. ✓ Operational efficiency through increased productivity by never having to start projects from scratch. ✓ Increased engagement from junior staff through development planning. ✓ Innovation by capitalizing on collective knowledge. ✓ Increased ability to adapt to change and save time-to-market. ✓ IT teams that drive process improvement and improved execution. |
How you build your knowledge transfer roadmap will not change drastically based on the size of your organization; however, the scope of your initiative, tactics you employ, and your communication plan for knowledge transfer may change.
How knowledge transfer projects vary by organization size:
Small Organization |
Medium Organization |
Large Organization |
|
|---|---|---|---|
Project Opportunities |
✓ Project scope is much more manageable. ✓ Communication and planning can be more manageable. ✓ Fewer knowledge sources and receivers can clarify prioritization needs. |
✓ Project scope is more manageable. ✓ Moderate budget for knowledge transfer activities. ✓ Communication and enforcement is easier. |
✓ Budget available to knowledge transfer initiatives. ✓ In-house expertise may be available. |
Project Risks |
✗ Limited resources for the project. ✗ In-house expertise is unlikely. ✗ Knowledge transfer may be informal and not documented. ✗ Limited overlap in responsibilities, resulting in fewer redundancies. |
✗ Limited staff with knowledge transfer experience for the project. ✗ Knowledge assets are less likely to be documented. ✗ Knowledge transfer may be a lower priority and difficult to generate buy-in. |
✗ More staff to manage knowledge transfer for, and much larger scope for the project. ✗ Impact of poor knowledge transfer can result in much higher costs. ✗Geographically dispersed business units make collaboration and communication difficult. ✗ Vast amounts of historical knowledge to capture. |
Explicit |
Tacit |
||
|
|
||
Types of explicit knowledge |
Types of tacit knowledge |
||
Information
|
Process
|
Skills
|
Expertise
|
Examples: reading music, building a bike, knowing the alphabet, watching a YouTube video on karate. |
Examples: playing the piano, riding a bike, reading or speaking a language, earning a black belt in karate. |
||
 |
No formal knowledge transfer program exists; knowledge transfer is ad hoc, or may be conducted through an exit interview only. 74% of organizations are at level 0.1 |
At level one, knowledge transfer is focused around ensuring that high risk, explicit knowledge is covered for all high-risk stakeholders. |
|
Organizations have knowledge transfer plans for all high-risk knowledge to ensure redundancies exist and leverage this to drive process improvements, effectiveness, and employee engagement. |
|
Increase end-user satisfaction and create a knowledge value center by leveraging the collective knowledge to solve repeat customer issues and drive new product innovation. |
I’m an IT Leader who…
Stabilize |
…has witnessed that new employees have recently left or are preparing to leave the organization, and worries that we don’t have their knowledge captured anywhere. …previously had to cut down our IT department, and as a result there is a lack of redundancy for tasks. If someone leaves, we don’t have the information we need to continue operating effectively. …is worried that the IT department has no succession planning in place and that we’re opening ourselves up to risk. |
|---|---|
Proactive |
…feels like we are losing productivity because the same problems are being solved differently multiple times. …worries that different employees have unique knowledge which is critical to performance and that they are the only ones who know about it. …has noticed that the processes people are using are different from the ones that are written down. …feels like the IT department is constantly starting projects from scratch, and employees aren’t leveraging each other’s information, which is causing inefficiencies. …feels like new employees take too long to get up to speed. …knows that we have undocumented systems and more are being built each day. |
Knowledge Culture |
…feels like we’re losing out on opportunities to innovate because we’re not sharing information, learning from others’ mistakes, or capitalizing on their successes. …notices that staff don’t have a platform to share information on a regular basis, and believes if we brought that information together, we would be able to improve customer service and drive product innovation. …wants to create a culture where employees are valued for their competencies and motivated to learn. …values knowledge and the contributions of my team. |
This blueprint can help you build a roadmap to resolve each of these pain points. However, not all organizations need to have a knowledge culture. In the next section, we will walk you through the steps of selecting your target maturity model based on your knowledge goals.
INDUSTRY: Electronics Engineering
SOURCE: KM Best Practices
Challenge | Solution | Results |
|---|---|---|
|
|
|
The Info-Tech difference:
Project outcomes |
1. Approval for IT knowledge transfer project obtained |
2. Knowledge and stakeholder risks identified |
3. Tactics for individuals’ knowledge transfer identified |
4. Knowledge transfer roadmap built |
5. Knowledge transfer roadmap approved |
|---|---|---|---|---|---|
Info-Tech tools and templates to help you complete your project deliverables |
Project Stakeholder Register Template |
IT Knowledge Transfer Risk Assessment Tool |
IT Knowledge Identification Interview Guide Template |
Project Planning and Monitoring Tool |
IT Knowledge Transfer Roadmap Presentation Template |
IT Knowledge Transfer Project Charter Template |
IT Knowledge Transfer Plan Template |
||||
Your completed project deliverables |
IT Knowledge Transfer Plans |
IT Knowledge Transfer Roadmap Presentation |
|||
IT Knowledge Transfer Roadmap |
|||||
1. Initiate |
2. Design |
3. Implement |
|
|---|---|---|---|
Phase Steps |
|
|
|
Phase Outcomes |
|
|
|
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
IT Knowledge Transfer Project Charter Establish a clear project scope, decision rights, and executive sponsorship for the project. |
 |
IT Knowledge Transfer Risk Assessment Tool Identify and assess the knowledge and individual risk of key knowledge holders. |
 |
IT Knowledge Identification Interview Guide Extract information about the type of knowledge sources have. |
 |
IT Knowledge Transfer Roadmap Presentation Communicate IT knowledge transfer recommendations to stakeholders to gain buy-in. |
 |
IT Knowledge Transfer Plan
Track knowledge activities, intended recipients, and appropriate transfer tactics for each knowledge source.
IT Benefits |
Business Benefits |
|
|
“ Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
Call #1: Structure the project. Discuss transfer maturity goal and metrics. |
Call #2: Build knowledge transfer plans. Call #3: Identify priorities & review risk assessment tool. |
Call #4: Build knowledge transfer roadmap. Determine logistics of implementation. Call #5: Determine logistics of implementation. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is five to six calls.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Day 1 |
Day 2 |
Day 3 |
Day 4 |
Day 5 |
|
|---|---|---|---|---|---|
Define the Current and Target State |
Identify Knowledge Priorities |
Build Knowledge Transfer Plans |
Define the Knowledge Transfer Roadmap |
Next Steps and |
|
Activities |
1.1 Have knowledge transfer fireside chat. 1.2 Identify current and target maturity. 1.3 Identify knowledge transfer metrics 1.4 Identify knowledge transfer project stakeholders |
2.1 Identify your knowledge sources. 2.2 Complete a knowledge risk assessment. 2.3 Identify knowledge sources’ level of knowledge risk. |
3.1 Build an interview guide. 3.2 Interview knowledge holders. |
4.1 Prioritize the sequence of initiatives. 4.2 Complete the project roadmap. 4.3 Prepare communication presentation. |
5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. |
Deliverables |
|
|
|
|
Phase 1 |
Phase 2 |
Phase 3 |
|---|---|---|
1.1 Obtain approval for project 1.2 Identify knowledge and stakeholder risks |
2.1 Build knowledge transfer plans 2.2 Build knowledge transfer roadmap |
3.1 Communicate your roadmap |
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
1.1.1 Hold a Working Session With Key Stakeholders
1.1.2 Conduct a Current and Target State Analysis.
1.1.3 Identify Key Metrics
1.1.4 Identify Your Project Team
1.1.5 Populate an RACI
1.1.6 Build the Project Charter and Obtain Approval
Initiate Your IT Knowledge Transfer Project
The primary goal of this section is to gain a thorough understanding of the reasons why your organization should invest in knowledge transfer and to identify the specific challenges to address.
Outcomes of this step
Organizational benefits and current pain points of knowledge transfer
Don’t build your project charter in a vacuum. Involve key stakeholders to determine the desired knowledge transfer goals, target maturity and KPIs, and ultimately build the project charter.
Building the project charter as a group will help you to clarify your key messages and help secure buy-in from critical stakeholders up-front, which is key.
In order to execute on the knowledge transfer project, you will need significant involvement from your IT leadership team. The trouble is that knowledge transfer can be inherently stressful for employees as it can cause concerns around job security. Members of your IT leadership team will also be individuals who need to participate in knowledge transfer, so get them involved upfront. The working session will help stakeholders feel more engaged in the project, which is pivotal for success.
You may feel like a full project charter isn’t necessary, and depending on your organizational size, it might not be. However, the exercise of building the charter is important regardless. No matter your current climate, some level of socializing the value and plans for knowledge transfer will be necessary.
Meeting Agenda
Led by: Project Sponsor
Led by: Project Manager
Led by: Project Manager
Led by: Project Manager
Led by: Project Manager
Identify the pain points you’re experiencing with knowledge transfer and some of the benefits which you’d like to see from a program to determine the key objectives By doing so, you’ll get a holistic view of what you need to achieve.
Collect this information by:
| Input | Output |
|
|
| Materials | Participants |
|
|
|
|
|
How to determine your current and target state of maturity:
| Input | Output |
|
|
| Materials | Participants |
|
|
Depending on the level of maturity you are trying to achieve, a knowledge transfer project could take weeks, months, or even years. Your maturity level depends on the business goal you would like to achieve, and impacts who and what your roadmap targets.
The maturity levels build on one another; if you start with a project, it is possible to move from a level 0 to a level 1, and once the project is complete, you can advance to a level 2 or 3. However, it’s important to set clear boundaries upfront to limit scope creep, and it’s important to set appropriate expectations for what the project will deliver.
Goal |
Description |
Time to implement |
Benefits |
|
|---|---|---|---|---|
Level 0: Accidental |
Not Prioritized |
|
N/A |
|
Level 1: Stabilize |
Risk Mitigation |
At level one, knowledge transfer is focused around ensuring that redundancies exist for explicit knowledge for:
Your high-risk knowledge is any information which is proprietary, unique, or specialized. High risk stakeholders are those individuals who are at a higher likelihood of departing the organization due to retirement or disengagement. |
0 – 6 months |
|
Goal | Description | Time to implement | Benefits | |
|---|---|---|---|---|
Level 2: Proactive | Operational Efficiency | Level 2 extends Level 1. Once stabilized, you can work on KT initiatives that allow you to be more proactive and cover high risk knowledge that may not be held by those see as high risk individuals. Knowledge transfer plans must exist for ALL high risk knowledge. | 3m – 1yr |
|
Level 3: Knowledge Culture | Drive Innovation Through Knowledge | Level 3 extends Level 2.
| 1-2 years |
|
You need to ensure your knowledge transfer initiatives are having the desired effect and adjust course when necessary. Establishing an upfront list of key performance indicators that will be benchmarked and tracked is a crucial step.
Many organizations overlook the creation of KPIs for knowledge transfer because the benefits are often one step removed from the knowledge transfer itself. However, there are several metrics you can use to measure success.
Hint: Metrics will vary based on your knowledge transfer maturity goals.
Creating KPIs for knowledge transfer is a crucial step that many organizations overlook because the benefits are often one step removed from the knowledge transfer itself. However, there are several qualitative and quantitative metrics you can use to measure success depending on your maturity level goals.
Stabilize
Be Proactive
Promote Knowledge Culture
How to determine knowledge transfer metrics:
| Input | Output |
|
|
| Materials | Participants |
|
|
Determine Project Participants |
Pick a Project Sponsor |
|
|
The project sponsor is the main catalyst for the creation of the roadmap. They will be the one who signs off on the project roadmap. The Project Participants are the key stakeholders in your organization whose input will be pivotal to the creation of the roadmap. The project stakeholders are the senior executives who have a vested interest in knowledge transfer. Following completion of this workshop, you will present your roadmap to these individuals for approval. |
|
How to define the knowledge transfer project team:
Project Stakeholder Register Template
| Input | Output |
|
|
| Materials | Participants |
|
|
If your IT leadership team isn’t on board, you’re in serious trouble! IT leaders will not only be highly involved in the knowledge transfer project, but they also may be participants, so it’s essential that you get their buy-in for the project upfront.
Document the results in the Project Stakeholder Register Template; use this as a guide to help structure your communication with stakeholders based on where they fall on the grid.
How to Manage: |
Focus on increasing these stakeholders’ level of support!
|
 |
Capitalize on champions to drive the project/change.
|
How to Manage: |
How to Manage: |
Pick your battles – focus on your noise makers first, and then move on to your blockers.
|
Leverage this group where possible to help socialize the program and to help encourage dissenters to support.
|
How to Manage: |
Role |
Project Role |
|
|---|---|---|
Required |
CIO |
Will often play the role of project sponsor and should be involved in key decision points. |
IT Managers Directors |
Assist in the identification of high-risk stakeholders and knowledge and will be heavily involved in the development of each transfer plan. |
|
Project Manager |
Should be in charge of leading the development and execution of the project. |
|
Business Analysts |
Responsible for knowledge transfer elicitation analysis and validation for the knowledge transfer project. |
|
Situational |
Technical Lead |
Responsible for solution design where required for knowledge transfer tactics. |
HR |
Will aid in the identification of high-risk stakeholders or help with communication and stakeholder management. |
|
Legal |
Organizations that are subject to knowledge confidentiality, Sarbanes-Oxley, federal rules, etc. may need legal to participate in planning. |
Apps MGR |
Dev. MGR |
Infra MGR |
|
|---|---|---|---|
Build the project charter |
R |
R |
I |
Identify IT stakeholders |
R |
R |
I |
Identify high risk stakeholders |
R |
A | R |
Identify high risk knowledge |
I | C | C |
Validate prioritized stakeholders |
I | C | R |
Interview key stakeholders |
R | R | A |
Identify knowledge transfer tactics for individuals |
C | C | A |
Communicate knowledge transfer goals |
C | R | A |
Build the knowledge transfer roadmap |
C | R | A |
Approve knowledge transfer roadmap |
C | R | C |
How to define RACI for the project team:
Responsible: The one responsible for getting the job done.
Accountable: Only one person can be accountable for each task.
Consulted: Involvement through input of knowledge and information.
Informed: Receiving information about process execution and quality.
| Input | Output |
|
|
| Materials | Participants |
|
|
Build the project charter and obtain sign-off from your project sponsor. Use your organization’s project charter if one exists. If not, customize Info-Tech’s IT Knowledge Transfer Project Charter Template to suit your needs.
Activities
1.2.1 Identify Knowledge Sources
1.2.2 Complete a Knowledge Risk Assessment
1.2.3 Review the Prioritized List of Knowledge Sources
The primary goal of this section is to identify who your primary risk targets are for knowledge transfer.
Outcomes of this step
Throughout this section, we will walk through the following 3 activities in the tool to determine where you need to focus attention for your knowledge transfer roadmap based on knowledge value and likelihood of departure.
1. Identify Knowledge Sources
Create a list of knowledge sources for whom you will be conducting the analysis, and identify which sources currently have a transfer plan in place.
2. Value of Knowledge
Consider the type of knowledge held by each identified knowledge source and determine the level of risk based on the knowledge:
3. Likelihood of Departure
Identify the knowledge source’s risk of leaving the organization based on their:
This tool contains sensitive information. Do not share this tool with knowledge sources. The BA and Project Manager, and potentially the project sponsor, should be the only ones who see the completed tool.
Identify Key Roles
Hold a meeting with your IT Leadership team, or meet with members individually, and ask these questions to identify key roles:
Key roles include:
This step is meant to help speed up and simplify the process for large IT organizations. IT organizations with fewer than 30 people, or organizations looking to build a knowledge culture, can opt to skip this step and include all members of the IT team. This way, everyone is considered and you can prioritize accordingly.
| Input | Output |
|
|
| Materials | Participants |
|
|
Legend:
1. Document knowledge source information (name, department, and manager).
2. Select the current state of knowledge transfer plans for each knowledge source.
Once you have identified key roles, conduct a sanity check and ask – “did we miss anybody?” For example:
Municipal government learns the importance of thorough knowledge source identification after losing key stakeholder
INDUSTRY: Government
Challenge |
Solution |
Results |
|
|
|
Risk Parameter | Description | How to Collect this Data: |
Age Cohort |
| For those people on your shortlist, pull some hard demographic data. Compile a report that breaks down employees into age-based demographic groups. Flag those over the age of 50 – they’re in the “retirement zone” and could decide to leave at any time. Check to see which stakeholders identified fall into the “over 50” age demographic. Document this information in the IT Knowledge Transfer Risk Assessment Tool. |
150% of an employee’s base salary and benefits is the estimated cost of turnover according to The Society of Human Resource Professionals.1
1McLean & Company, Make the Case for Employee Engagement
Risk Parameter | Description | How to Collect this Data: |
Engagement | An engaged stakeholder is energized and passionate about their work, leading them to exert discretionary effort to drive organizational performance (lowest risk). An almost engaged stakeholder is generally passionate about their work. At times they exert discretionary effort to help achieve organizational goals. Indifferent employees are satisfied, comfortable, and generally able to meet minimum expectations. They see their work as “just a job,” prioritizing their needs before organizational goals. Disengaged employees have little interest in their job and the organization and often display negative attitudes (highest risk). | Option 1: The optimal approach for determining employee engagement is through an engagement survey. See McLean & Company for more details. Option 2: Ask the identified stakeholder’s manager to provide an assessment of their engagement either independently or via a meeting. |
Engaged employees are five times more likely than disengaged employees to agree that they are committed to their organization.1
1Source: McLean & Company, N = 13683
Risk Parameter | Description | How to Collect this Data: |
Criticality | Roles that are critical to the continuation of business and cannot be left vacant without risking business operations. Would the role, if vacant, create system, function, or process failure for the organization? | Option 1: (preferred) Meet with IT managers/directors over the phone or directly and review each of the identified reports to determine the risk. Option 2: Send the IT mangers/directors the list of their direct reports, and ask them to evaluate their knowledge type risk independently and return the information to you. Option 3: (if necessary) Review individual job descriptions independently, and use your judgment to come up with a rating for each. Send the assessment to the stakeholders’ managers for validation. |
Availability | Refers to level of redundancy both within and outside of the organization. Information which is highly available is considered lower risk. Key questions to consider include: does this individual have specialized, unique, or proprietary expertise? Are there internal redundancies? |
Complete a Tab 3 assessment for each of your identified Knowledge Sources. The Knowledge Source tab will pre-populate with information from Tab 2 of the tool. For each knowledge source, you will determine their likelihood of departure and degree of knowledge risk.
Likelihood of departure:
Degree of knowledge risk is based on:
| Input | Output |
|
|
| Materials | Participants |
|
|
Knowledge sources have been separated into the three maturity levels (Stabilize, Proactive, and Knowledge Culture) and prioritized within each level.
Focus first on your stabilize groups, and based on your target maturity goal, move on to your proactive and knowledge culture groups respectively.
Sequential Prioritization Orange line Level 1: Stabilize Blue Line Level 2: Proactive Green Line Level 3: Knowledge Culture |
Each pie chart indicates which of the stakeholders in that risk column currently has knowledge transfer plans. |
Each individual also has their own status ball on whether they currently have a knowledge transfer plan. |
Identify knowledge sources to focus on for the knowledge transfer roadmap. Review the IT Knowledge Transfer Map on Tab 5 to determine where to focus your knowledge transfer efforts
| Input | Output |
|
|
| Materials | Participants |
|
|
Phase 1 |
Phase 2 |
Phase 3 |
|---|---|---|
1.1 Obtain approval for project 1.2 Identify knowledge and stakeholder risks |
2.1 Build knowledge transfer plans 2.2 Build knowledge transfer roadmap |
3.1 Communicate your roadmap |
This phase will walk you through the following activities:
This phase involves the following participants:
Define what knowledge needs to be transferred |
Each knowledge source has unique information which needs to be transferred. Chances are you don’t know what you don’t know. The first step is therefore to interview knowledge sources to find out. |
Identify the knowledge receiver |
Depending on who the information is going to, the knowledge transfer tactic you employ will differ. Before deciding on the knowledge receiver and tactic, consider three key factors:
|
Identify which knowledge transfer tactics you will use for each knowledge asset |
Not all tactics are good in every situation. Always keep the “knowledge type” (information, process, skills, and expertise), knowledge sources’ engagement level, and the knowledge receiver in mind as you select tactics. |
This tool is built to accommodate up to 30 knowledge items; Info-Tech recommends focusing on the top 10-15 items.
These steps should be completed by the BA or IT Manager. The BA is helpful to have around because they can learn about the tactics and answer any questions about the tactics that the managers might have when completing the template.
Activities
2.1.1 Interview Knowledge Sources to Uncover Key Knowledge Items
2.1.2 Identify When to use Knowledge Transfer Tactics
2.1.3 Build Individual Knowledge Transfer Plans
The primary goal of this section is to build an interview guide and interview knowledge sources to identify key knowledge assets.
Outcomes of this step
The first step is for managers to interview knowledge sources in order to extract information about the type of knowledge the source has.
Meet with the knowledge sources and work with them to identify essential knowledge. Use the following questions as guidance:
| Input | Output |
|
|
| Materials | Participants |
|
|
| Input | Output |
|
|
| Materials | Participants |
|
|
Interviews provide an opportunity to meet one-on-one with key stakeholders to document key knowledge assets. Interviews can be used for explicit and tacit information, and in particular, capture processes, rules, coding information, best practices, etc.
Knowledge Types Information Process Skills Expertise | Dependencies Training: Minimal Technology Support: N/A Process Development: Minimal Duration: Annual | Participants Business analysts Knowledge source | Materials Interview guide Notepad Pen |
Business process mapping refers to building a flow chart diagram of the sequence of actions which defines what a business does. The flow chart defines exactly what a process does and the specific succession of steps including all inputs, outputs, flows, and linkages. Process maps are a powerful tool to frame requirements in the context of the complete solution.
Benefits:
How to get started:
Knowledge Types Information Process Skills Expertise | Dependencies Training: Minimal Technology Support: N/A Process Development: Minimal Duration: Annual | Participants Business analysts Knowledge source | Materials Whiteboard / flip-chart paper Marker |
Use case diagrams are a common transfer tactic where the BA maps out step-by-step how an employee completes a project or uses a system. Use cases show what a system or project does rather than how it does it. Use cases are frequently used by product managers and developers.
Benefits:
How to get started:
Knowledge Types Information Process Skills Expertise | Dependencies Training: Minimal Technology Support: N/A Process Development: Minimal Duration: Annual | Participants Business analysts Knowledge source | Materials Whiteboard / flip-chart paper Marker |
Job shadowing is a working arrangement where the “knowledge receiver” learns how to do a job by observing an experienced employee complete key tasks throughout their normal workday.
Benefits:
How to get started:
Knowledge Types Information Process Skills Expertise | Dependencies Training: Required Technology Support: N/A Process Development:Required Duration:Ongoing | Participants BA IT manager Knowledge source and receiver | Materials N/A |
Meeting or workshop where peers from different teams share their experiences and knowledge with individuals or teams that require help with a specific challenge or problem.
Benefits:
How to get started:
Knowledge Types Information Process Skills Expertise | Dependencies Training: Minimal Technology Support: N/A Process Development:Required Duration:Ongoing | Participants Knowledge sources Knowledge receiver BA to build a skill repository | Materials Intranet |
A half- to full-day exercise where an outgoing leader facilitates a knowledge transfer of key insights they have learned along the way and any high-profile knowledge they may have.
Benefits:
How to get started:
Knowledge Types Information Process Skills Expertise | Dependencies Training: Required Technology Support: Some Process Development: Some Duration:Ongoing | Participants IT leader Incoming IT team Key stakeholders | Materials Meeting space Video conferencing (as needed) |
Action Review is a team-based discussion at the end of a project or step to review how the activity went and what can be done differently next time. It is ideal for transferring expertise and skills.
Benefits:
How to get started:
Knowledge Types Information Process Skills Expertise | Dependencies Training:Minimal Technology Support: Minimal Process Development: Some Duration:Ongoing | Participants IT unit/group Any related IT stakeholder impacted by or involved in a project. | Materials Meeting space Video conferencing (as needed) |
Mentoring can be a formal program where management sets schedules and expectations. It can also be informal through an environment for open dialogue where staff is encouraged to seek advice and guidance, and to share their knowledge with more novice members of the organization.
Benefits:
How to get started:
Creating a mentorship program is a full project in itself. For full details on how to set up a mentorship program, see McLean & Company’s Build a Mentoring Program.
Knowledge Types Information Process Skills Expertise | Dependencies Training: Required Technology Support: N/a Process Development:Required Duration:Ongoing | Participants IT unit/group | Materials Meeting space Video conferencing (as needed) Documentation |
Knowledge sources use anecdotal examples to highlight a specific point and pass on information, experience, and ideas through narrative.
Benefits:
How to get started:
Knowledge Types Information Process Skills Expertise | Dependencies Training: Required Technology Support: Some Process Development:Required Duration:Ongoing | Participants Knowledge source Knowledge receiver Videographer (where applicable) | Materials Meeting space Video conferencing (as needed) Documentation |
Job share exists when at least two people share the knowledge and responsibilities of two job roles.
Benefits:
How to get started:
Knowledge Types Information Process Skills Expertise | Dependencies Training: Some Technology Support: Minimal Process Development:Required Duration:Ongoing | Participants IT manager HR Employees | Materials Job descriptions |
Communities of practice are working groups of individuals who engage in a process of regularly sharing information with each other across different parts of the organization by focusing on common purpose and working practices. These groups meet on a regular basis to work together on problem solving, to gain information, ask for help and assets, and share opinions and best practices.
Benefits:
How to get started:
Knowledge Types Information Process Skills Expertise | Dependencies Training:Required Technology Support: Required Process Development:Required Duration:Ongoing | Participants Employees BA (to assist in establishing) IT managers (rewards and recognition) | Materials TBD |
This table shows the relative strengths and weaknesses of each knowledge transfer tactic compared to four different knowledge types.
Not all techniques are effective for types of knowledge; it is important to use a healthy mixture of techniques to optimize effectiveness.
Very strong = Very effective
Strong = Effective
Medium = Somewhat effective
Weak = Minimally effective
Very weak = Not effective
Knowledge Type | ||||
Tactic | Explicit | Tacit | ||
Information | Process | Skills | Expertise | |
Interviews | Very strong | Strong | Strong | Strong |
Process mapping | Medium | Very strong | Very weak | Very weak |
Use cases | Medium | Very strong | Very weak | Very weak |
Job shadow | Very weak | Medium | Very strong | Very strong |
Peer assist | Strong | Medium | Very strong | Very strong |
Action review | Medium | Medium | Strong | Weak |
Mentoring | Weak | Weak | Strong | Very strong |
Transition workshop | Strong | Strong | Strong | Strong |
Story telling | Weak | Weak | Strong | Very strong |
Job share | Weak | Weak | Very strong | Very strong |
Communities of practice | Strong | Weak | Very strong | Very strong |
Level of Engagement | ||
Tactic | Disengaged/ Indifferent | Almost Engaged - Engaged |
Interviews | Yes | Yes |
Process mapping | Yes | Yes |
Use cases | Yes | Yes |
Job shadow | No | Yes |
Peer assist | Yes | Yes |
Action review | Yes | Yes |
Mentoring | No | Yes |
Transition workshop | Yes | Yes |
Story telling | No | Yes |
Job share | Maybe | Yes |
Communities of practice | Maybe | Yes |
When considering which tactics to employ, it’s important to consider the knowledge holder’s level of engagement. Employees whom you would identify as being disengaged may not make good candidates for job shadowing, mentoring, or other tactics where they are required to do additional work or are asked to influence others.
Knowledge transfer can be controversial for all employees as it can cause feelings of job insecurity. It’s essential that motivations for knowledge transfer are communicated effectively.
Pay particular attention to your communication style with disengaged and indifferent employees, communicate frequently, and tie communication back to what’s in it for them.
Putting disengaged employees in a position where they are mentoring others can be a risk. Their negativity could influence others not to participate as well or negate the work you’re doing to create a positive knowledge sharing culture.
There is a wide variety of different collaboration tools available to enable interpersonal and team connections for work-related purposes. Familiarize yourself with all types of collaboration tools to understand what is available to help facilitate knowledge transfer.
Collaboration Tools |
|||
Content Management |
Real Time Communication |
Community Collaboration |
Social Collaboration |
Tools for collaborating around documents. They store content and allow for easy sharing and editing, e.g. content repositories and version control. Can be used for:
|
Tools that enable real-time employee interactions. They permit “on-demand” workplace communication, e.g. IM, video and web conferencing. Can be used for:
|
Tools that allow teams and communities to come together and share ideas or collaborate on projects, e.g. team portals, discussion boards, and ideation tools. Can be used for:
|
Social tools borrow concepts from consumer social media and apply them to the employee-centric context, e.g. employee profiles, activity streams, and microblogging. Can be used for:
|
For more information on Collaboration Tools and how to use them, see Info-Tech’s Establish a Communication and Collaboration System Strategy.
Wherever possible, ask employees about their personal learning styles. It’s likely that a collaborative compromise will have to be struck for knowledge transfer to work well.
We will use the IT Knowledge Transfer Plans as the foundation for building your knowledge transfer roadmap.
The Strength Level column will indicate how well matched the tactic is to the type of knowledge.
| Input | Output |
|
|
| Materials | Participants |
|
|
Activities
2.2.1 Merge Your Knowledge Transfer Plans
2.2.2 Define Knowledge Transfer Initiatives’ Timeframes
The goal of this step is to build the logistics of the knowledge transfer roadmap to prepare to communicate it to key stakeholders.
Outcomes of this step
Depending on the desired state of maturity, the number of initiatives your organization has will vary and there could be a lengthy number of tasks and subtasks required to reach your organization knowledge transfer target state. The best way to plan, organize, and manage all of them is with a project roadmap.
Populate the task column of the Project Planning and Monitoring Tool. See the following slides for more details on how to do this.
Effort by Stakeholder | |||||
Tactic | Business Analyst | IT Manager | Knowledge Holder | Knowledge Receiver | |
| Interviews | Medium | N/A | Low | Low | These tactics require the least amount of effort, especially for organizations that are already using these tactics for a traditional requirements gathering process. |
Process Mapping | Medium | N/A | Low | Low | |
Use Cases | Medium | N/A | Low | Low | |
Job Shadow | Medium | Medium | Medium | Medium | These tactics generally require more involvement from IT management and the BA in tandem for preparation. They will also require ongoing effort for all stakeholders. Stakeholder buy-in is key for success. |
Peer Assist | Medium | Medium | Medium | Medium | |
Action Review | Low | Medium | Medium | Low | |
Mentoring | Medium | High | High | Medium | |
Transition Workshop | Medium | Low | Medium | Low | |
Story Telling | Medium | Medium | Low | Low | |
Job Share | Medium | High | Medium | Medium | |
Communities of Practice | High | Medium | Medium | Medium | |
Implementation Dependencies | |||||
Tactic | Training | Technology Support | Process Development | Duration | |
| Interviews | Minimal | N/A | Minimal | Annual | Start your knowledge transfer project here to get quick wins for explicit knowledge. |
Process Mapping | Minimal | N/A | Minimal | Annual | |
Use Cases | Minimal | N/A | Minimal | Annual | |
Job Shadow | Required | N/A | Required | Ongoing | Don’t change too much too quickly or try to introduce all of the tactics at once. Focus on 1-2 key tactics and spend a significant amount of time upfront building an effective process and rolling it out. Leverage the effectiveness of the initial tactics to push these initiatives forward. |
| Peer Assist | Minimal | N/A | Required | Ongoing | |
| Action Review | Minimal | Minimal | Some | Ongoing | |
| Mentoring | Required | N/A | Required | Ongoing | |
| Transition Workshop | Required | Some | Some | Ongoing | |
| Story Telling | Some | Required | Required | Ongoing | |
| Job Share | Some | Minimal | Required | Ongoing | |
| Communities of Practice | Required | Required | Required | Ongoing | |
| Input | Output |
| |
| Materials | Participants |
|
|
| Input | Output |
|
|
| Materials | Participants |
|
|
Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
1.1 Obtain approval for project 1.2 Identify knowledge and stakeholder risks | 2.1 Build knowledge transfer plans 2.2 Build knowledge transfer roadmap | 3.1 Communicate your roadmap |
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
3.1.1 Prepare IT Knowledge Transfer Roadmap Presentation
The goal of this step is to be ready to communicate the roadmap with the project team, project sponsor, and other key stakeholders.
Outcomes of this step
Obtain approval for the IT Knowledge Transfer Roadmap by customizing Info-Tech’s IT Knowledge Transfer Roadmap Presentation Template designed to effectively convey your key messages. Tailor the template to suit your needs.
It includes:
The support of IT leadership is critical to the success of your roadmap roll-out. Remind them of the project benefits and impact them hard with the risks/pain points.
Know your audience:
| Input | Output |
|
|
| Materials | Participants |
|
|
Babcock, Pamela. “Shedding Light on Knowledge Management.” HR Magazine, 1 May 2004.
King, Rachael. "Big Tech Problem as Mainframes Outlast Workforce." Bloomberg, 3 Aug. 2010. Web.
Krill, Paul. “IT’s Most Wanted: Mainframe Programmers.” IDG Communications, Inc. 1 December 2011.
McLean & Company. “Mitigate the Risk of Baby Boomer Retirement with Scalable Succession Planning.” 7 March 2016.
McLean & Company. “Make the Case For Employee Engagement.” McLean and Company. 27 March 2014.
PwC. “15th Annual Global CEO Survey: Delivering Results Growth and Value in a Volatile World.” PwC, 2012.
Rocket Software, Inc. “Rocket Software 2022 Survey Report: The State of the Mainframe.” Rocket Software, Inc. January 2022. Accessed 30 April 2022.
Ross, Jenna. “Intangible Assets: A Hidden but Crucial Driver of Company Value.” Visual Capitalist, 11 February 2020. Accessed 2 May 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
The current global situation, marked by significant trade tensions and retaliatory measures between major economic powers, has elevated the importance of more detailed, robust, and executable exit plans for businesses in nearly all industries. The current geopolitical headwinds create an unpredictable environment that can severely impact supply chains, technology partnerships, and overall business operations. What was once a prudent measure is now a critical necessity – a “burning platform” – for ensuring business continuity and resilience.
Here I will delve deeper into the essential components of an effective exit plan, outline the practical steps for its implementation, and explain the crucial role of testing in validating its readiness.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Collect and review the required information for your security budget.
Take your requirements and build a risk-based security budget.
Gain approval from business stakeholders by presenting the budget.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand your organization’s security requirements.
Collect and review the requirements.
Requirements are gathered and understood, and they will provide priorities for the security budget.
1.1 Define the scope and boundaries of the security budget.
1.2 Review the security strategy.
1.3 Review other requirements as needed, such as the mitigation effectiveness assessment or risk tolerance level.
Defined scope and boundaries of the security budget
Map business capabilities to security controls.
Create a budget that represents how risk can affect the organization.
Finalized security budget that presents three different options to account for risk and mitigations.
2.1 Identify major business capabilities.
2.2 Map capabilities to IT systems and security controls.
2.3 Categorize security controls by bare minimum, standard practice, and ideal.
2.4 Input all security controls.
2.5 Input all other expenses related to security.
2.6 Review the different budget options.
2.7 Optimize the budget through defense-in-depth options.
2.8 Finalize the budget.
Identified major business capabilities, mapped to the IT systems and controls
Completed security budget providing three different options based on risk associated
Optimized security budget
Prepare a presentation to speak with stakeholders early and build support prior to budget approvals.
Present a pilot presentation and incorporate any feedback.
Prepare for the final budget presentation.
Final presentations in which to present the completed budget and gain stakeholder feedback.
3.1 Begin developing a communication strategy.
3.2 Build the preshopping report.
3.3 Practice the presentation.
3.4 Conduct preshopping discussions with stakeholders.
3.5 Collect initial feedback and incorporate into the budget.
3.6 Prepare for the final budget presentation.
Preshopping Report
Final Budget Presentation
Don’t just wonder what others are doing – use this report to see how companies are faring in their current state, where they want to target in their future state, and the ways they’re planning to raise their security posture.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Read our concise Executive Brief to find out what this report contains.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Assess the opportunities of web APIs.
Design and develop web APIs that support business processes and enable reusability.
Accommodate web API testing best practices in application test plans.
Monitor the usage and value of web APIs and plan for future optimizations and maintenance.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Gauge the importance of web APIs for achieving your organizational needs.
Understand how web APIs can be used to achieve below-the-line and above-the-line benefits.
Be aware of web API development pitfalls.
Understanding the revenue generation and process optimization opportunities web APIs can bring to your organization.
Knowledge of the current web API landscape.
1.1 Examine the opportunities web APIs can enable.
Establish a web API design and development process.
Design scalable web APIs around defined business process flows and rules.
Define the web service objects that the web APIs will expose.
Reusable web API designs.
Identification of data sets that will be available through web services.
Implement web API development best practices.
2.1 Define high-level design details based on web API requirements.
2.2 Define your process workflows and business rules.
2.3 Map the relationships among data tables through ERDs.
2.4 Define your data model by mapping the relationships among data tables through data flow diagrams.
2.5 Define your web service objects by effectively referencing your data model.
High-level web API design.
Business process flow.
Entity relationship diagrams.
Data flow diagrams.
Identification of web service objects.
Incorporate APIs into your existing testing practices.
Emphasize security testing with web APIs.
Learn of the web API testing and monitoring tool landscape.
Creation of a web API test plan.
3.1 Create a test plan for your web API.
Web API Test Plan.
Plan for iterative development and maintenance of web APIs.
Manage web APIs for versioning and reuse.
Establish a governance structure to manage changes to web APIs.
Implement web API monitoring and maintenance best practices.
Establishment of a process to manage future development and maintenance of web APIs.
4.1 Identify roles for your API development projects.
4.2 Develop governance for web API development.
RACI table that accommodates API development.
Web API operations governance structure.
While this text is about DORA requirements, it is really about resilient availability of your service. Even if you are not bound to this regulation, maybe you are not a financial services provider, the requirements and tips on how to get there are invaluable to your client satisfaction.
In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are:
(a) appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the
proportionality principle as referred to in Article 4;
(b) reliable;
(c) equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced;
(d) technologically resilient in order to adequately deal with additional information processing needs as required under
stressed market conditions or other adverse situations.
Many of these solutions will depend on the the solutions and responses to other DORA requirements.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Building and maintaining your Active Directory does not have to be difficult. Standardized organization and monitoring with the proper metrics help you keep your data accurate and up to date.
Build a comprehensive Active Directory workflow library for service desk technicians to follow.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use our three-step approach of Organize, Design, and Execute an IT Category Plan to get the most out of your IT budget while proactively planning your vendor negotiations.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Begin your proactive Oracle licensing journey by understanding which information to gather and assessing the current state and gaps.
Review current licensing models and determine which licensing models will most appropriately fit your environment.
Review Oracle’s contract types and assess which best fit the organization’s licensing needs.
Conduct negotiations, purchase licensing, and finalize a licensing management strategy.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Assess current state and align goals; review business feedback
Interview key stakeholders to define business objectives and drivers
Have a baseline for requirements
Assess the current state
Determine licensing position
Examine cloud options
1.1 Gather software licensing data
1.2 Conduct a software inventory
1.3 Perform manual checks
1.4 Reconcile licenses
1.5 Create your Oracle licensing team
1.6 Meet with stakeholders to discuss the licensing position, cloud offerings, and budget allocation
Copy of your Oracle License Statement
Software inventory report from software asset management (SAM) tool
Oracle Database Inventory Tool
RASCI Chart
Oracle Licensing Effective License Position (ELP) Template
Oracle Licensing Purchase Reference Guide
Review licensing options
Review licensing rules
Understand how licensing works
Determine if you need software assurance
Discuss licensing rules, application to current environment.
Examine cloud licensing
Understand the importance of documenting changes
Meet with desktop product owners to determine product strategies
2.1 Review full, limited, restricted, and AST use licenses
2.2 Calculate license costs
2.3 Determine which database platform to use
2.4 Evaluate moving to the cloud
2.5 Examine disaster recovery strategies
2.6 Understand purchasing support
2.7 Meet with stakeholders to discuss the licensing position, cloud offerings, and budget allocation
Oracle TCO Calculator
Oracle Licensing Purchase Reference Guide
Review contract option types
Review vendors
Understand why a type of contract is best for you
Determine if ULA or term agreement is best
The benefits of other types and when you should change
3.1 Prepare to sign or renew your ULA
3.2 Decide on an agreement type that nets the maximum benefit
Type of contract to be used
Oracle TCO Calculator
Oracle Licensing Purchase Reference Guide
Finalize the contract
Prepare negotiation points
Discuss license management
Evaluate and develop a roadmap for future licensing
Negotiation strategies
Licensing management
Introduction of SAM
Leverage the work done on Oracle licensing to get started on SAM
4.1 Control the flow of communication terms and conditions
4.2 Use Info-Tech’s readiness assessment in preparation for the audit
4.3 Assign the right people to manage the environment
4.4 Meet with stakeholders to discuss the licensing position, cloud offerings, and budget allocation
Controlled Vendor Communications Letter
Vendor Communication Management Plan
Oracle Terms & Conditions Evaluation Tool
RASCI Chart
Oracle Licensing Purchase Reference Guide
Most business leaders think that the best way to beat the competition is to push their development teams harder and demand faster delivery. I've seen the opposite happen many times.
When you prioritize "shipping fast" and "getting to market first," you often end up taking the longest time to succeed, because your team must spend months, sometimes years, addressing the problems caused by your haste. On the surface, things appear to be improving, but internally, they can feel overwhelming. You will notice this impact on your staff.
This is the harsh truth about rushing IT development:
Here's what really happens in the codebase when you tell your team to "just get it done fast": you don't do proper input validation and sanitization because you say, "We'll add that later." And then you have to deal with SQL injection attacks and data breaches for months. This wasted time could have been avoided by using simple parameterized queries and validation frameworks.
In 2024, the average cost of a data breach was $4.88 million. 73% of these breaches require more than 200 days to resolve. You only code for the happy flow, but real users submit incorrect data, experience network timeouts, and encounter failures with third-party APIs.
Your app crashes more than it should because you didn't set up proper error handling, or circuit breakers, or graceful degradation patterns. I know these take time to implement, but what would you rather have? Customers abandoning it?
Businesses lose an average of $5,600 per minute when their systems go down, and e-commerce sites can lose up to $300,000 per hour during busy times. Instead of fixing the root causes of problems, you just patch them up with quick fixes. Instead of proper garbage collection, that memory leak gets a band-aid restart script. Instead of being optimized, the slow database query is cached.
Soon, you will find yourself struggling to keep your building intact.
To keep up with technical debt, companies usually have to spend 23–42% of their total IT budget each year.
You don't do full testing because "writing unit tests takes longer than manual testing." This approach does not include load testing, test-driven development, or integration testing. Your first real test is when you have paying customers in production. Companies that don't test their software properly have 60% more bugs in their products and spend 40% more time fixing them than companies that do.
You start without being able to properly monitor and see what's going on. There are no logging frameworks, no application performance monitoring, and no health checks in place. When things go wrong—and they will—it's difficult to figure out what's amiss. Without proper monitoring, it takes an average of 4.5 hours to find and fix IT problems. With full observability tools, it only takes 45 minutes.
It's easy to see that every shortcut you take today will cause two new problems tomorrow. Each of those problems makes two more. You're going to be in a lot of trouble with technical debt, security holes, and unstable systems soon. All because you were in a hurry to meet some random deadline.
The true cost of rushing in those "move fast and break things" success stories is often overlooked. You don't guarantee a quick time to market when you rush code to market. You're just making sure that failure to market happens quickly. Remember that most Silicon Valley break-movers lose millions, but you never read about those; you only read about the 1 in 350 VC-backed companies that make it. That is a staggering 0.29%. I would not bet on that strategy just yet.
Because code that is rushed doesn't just break once. It breaks all the time. In production. This issue arises when dealing with real customers. At the worst times. Your developers are putting out fires instead of adding new features. Instead of adding the features that the customer asked for, they're fixing race conditions at 2 AM. They're patching vulnerabilities in dependencies rather than creating the next version.
According to research, developers in environments with a lot of technical debt spend 42% of their time on maintenance and bug fixes, while those in well-architected systems spend only 23% of their time on these tasks. Bad code drives up your infrastructure costs by requiring more servers to handle the same load. Your database runs slower because no one took the time to make the right indexes or make the queries run faster. Unoptimized applications typically require 3 to 5 times more infrastructure resources, directly impacting your cloud computing and operational costs.
The costs of getting new customers go up because products that are rushed have higher churn rates. People stop using apps that crash a lot or don't work well. For example, 53% of mobile users will stop using an app if it takes longer than 3 seconds to load. It costs 5 to 25 times more to get a new customer than to keep an old one.
In the meantime, what about your competitor who took an extra month to set up proper error handling, security controls, and performance optimization? They're growing smoothly while you're still working on the base.
Let me tell you a myth that is costing you millions: The race isn't about speed unless you're in a real winner-take-all market with huge network effects. It's about lasting.
There is usually room for more than one winner in most markets. Your real job isn't to be the first to market; it's to still be there when the "fast movers" fail because they owe too much money. The businesses that are the biggest in their markets aren't usually the first ones there. They are the ones who took the time to use excellent software engineering practices from the start. They used well-known security frameworks like the OWASP guidelines to make their systems safe, set up the right authentication and authorization patterns, and made sure their APIs were designed with security and resilience in mind from the start.
Companies that have good security practices have 76% fewer security incidents and save an average of $1.76 million for every breach they avoid. They wrote code for failure scenarios using patterns like retry logic with exponential backoff, circuit breakers to stop failures from spreading, and bulkhead isolation to keep problems from spreading.
They set up full logging and monitoring so they could find problems before customers did. Systems that are built well and have the right resilience patterns are up 99.9% of the time, while systems that are built quickly are up 95% to 98% of the time. While you may believe that 95% to 98% uptime is an acceptable figure to agree to, take a moment to consider what that actually translates to in terms of downtime for your availability metrics. Remember that you should only calculate the times you really want to be available. This is due to the fact that any unavailability during your downtime is not taken into account. But failures do not take your opening hours into consideration.
Successful companies used domain-driven design to get the business requirements right, made complete API documentation, and built automated testing suites that found regressions before deployment. Companies that do a lot of testing deliver features 2.5 times faster and with 50% fewer bugs after deployment.
They made sure that their environments were always the same by using infrastructure as code, setting up the right CI/CD pipelines with automated security scanning and regression testing, and planning for horizontal scaling from the start.
Companies that have mature DevOps practices deploy 208 times more often and have lead times that are 106 times faster, all while being more reliable.
The truth is that your development schedule isn't about meeting deadlines. The purpose is to create systems that function effectively when real people use them in real-life situations with actual data and at a large scale. If your code crashes under load because you didn't use the right caching strategies or database connection pooling, it doesn't matter how fast it is to market.
If you neglect to conduct security code reviews and utilize static analysis tools, the likelihood of hacking increases significantly.
Think about the return on investment: putting in an extra 20–30% up front for the right architecture, security, and testing usually cuts the total cost of ownership by 60–80% over the life of the application.
The first "delay" of 2 to 4 weeks for proper engineering practices saves 6 to 12 months of fixing technical debt later on.
You have a simple choice: either take the time to follow excellent software engineering practices now, or spend the next two years telling customers why your system is down again while your competitors take your market share. The companies that last and eventually take over choose quality engineering over random speed. I leave it up to your imagination as to what multi-trillion-dollar company immediately comes to mind.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Protect your team and organization from losses associated with departure of people from key roles. This blueprint will help you build an IT succession plan to ensure critical knowledge doesn’t walk out the door and continuity of business when people in key roles leave.
The purpose of this tool is to help facilitate a conversation around critical roles.
This tool will help IT leaders work through key steps in succession development for each employee in the team, and present summaries of the findings for easy reference and defensibility.
This template is a guide and the categories can be customized to your organization.
This profile provides the basis for evidence-based comparison of talent in talent calibration sessions.
As one person exits a role and a successor takes over, a clear checklist-based plan will help ensure a smooth transition.
| Your Challenge
Most organizations are unprepared for the loss of employees who hold key roles.
Planning and executing on key role transition can take years. CIOs should prepare now to mitigate the risk of loss later. |
Common Obstacles
|
Info-Tech’s Approach
|
Losing employees in key roles without adequate preparation hinders productivity, knowledge retention, relationships, and opportunities. Implement scalable succession planning to mitigate the risks.
Not only do they not have the right processes in place, but they are also ill-equipped to deal with the sheer volume of retirees in the future.
| Over 58% of organizations are unprepared for Baby Boomer retirement. Only 8% said they were very prepared.
A survey done by SHRM and AARP found similar results: 41% of HR professionals said their organizations have done nothing and don’t plan to do anything to prepare for a possible worker shortage as Boomers retire. (Source: Poll: Organizations Can Do More to Prepare for Talent Shortage as Boomers Retire) |
This means that three out of five organizations don’t know what skills they need for the future, or what their key roles truly are. They also have not identified at-risk key roles or successors for those roles.
(Source: McLean & Company, 2013, N=120) To make matters worse, 74% of organizations have no formal process for facilitating knowledge transfer between individuals, so knowledge will be lost.
|
| “In many cases, executives have no idea what knowledge they are losing.” (TLNT: Lost Knowledge – What Are You and Your Organization Doing About It?”) |
|
Talent Review |
Succession Planning |
Knowledge Transfer |
| Key tools and templates to help you complete your project deliverables | ||
| Key Roles Succession Planning Tool
Critical Role Identifier Role Profile Template Individual Talent Profile Template |
Key Roles Succession Planning Tool
Role Profile Template Individual Talent Profile Template |
Role Transition Plan Template
Key Roles Succession Planning Tool Role Profile Template Individual Talent Profile Template |
| Your completed project deliverables | ||
Critical Role Identifier Key Roles Succession Plan Key Role Profiles Individual Talent Profiles Key Role Transition Plans |
||
| Inefficiency
Inefficiency due to “reinvention of the wheel.” When workers leave and don’t effectively transfer their knowledge, duplication of effort to solve problems and find solutions occurs. |
Innovation
Reduced capacity to innovate. Older workers know what works and what doesn’t, what’s new and what’s not. They can identify the status quo faster to make way for novel thinking. |
Competitive Advantage
Loss of competitive advantage. Losing knowledge and/or established client relationships hurts your asset base and stifles growth. |
Vulnerability
Increased vulnerability. Losing knowledge can impede your organizational ability to identify, understand, and mitigate risks. You’ll have to learn through experience all over again. |
| Business Continuity
Succession planning limits disruption to daily operations and minimizes recruitment costs:
|
Engagement & Retention
Effective succession planning is a tool for engaging, developing, and retaining employees:
|
Innovation & Growth
Knowledge is a strategic asset, and succession planning can help retain, grow, and capitalize on it:
|
| Talent Review
Conduct a talent review to identify key roles  |
Succession Planning
Succession planning helps you assess which key roles are most at risk  |
Knowledge Transfer
Utilize methods that make it easy to apply the knowledge in day-to-day practice. |
|||||
| Identify Critical Roles | Assess Talent | Identify Successors | Develop Successors | Select Successors | Identify Critical Knowledge | Select Transfer Methods | Document Role Transition Plans |
| Future-Proofed IT Team | |
|
|
| 1. Talent Review | 2. Succession Planning | 3. Knowledge Transfer | |
| Phase Steps |
|
|
|
| Phase Outcomes |
|
|
|
DIY Toolkit |
Guided Implementation |
Workshop |
Consulting |
| "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks used throughout all four options |
|||
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is six to ten calls over the course of four to eight months.
What does a typical GI on this topic look like?
Phase 1 |
Phase 2 |
Phase 3 |
||
| Call #1: Scope requirements, objectives, and your specific challenges. | Call #2:Review business priorities and clarify criteria weighting.
Call #3: Review key role criteria. Explain information collection process. |
Call #4: Review risk and readiness assessments.
Call #5: Analyze gaps between key roles and successors for key considerations. |
Call #6: Feedback and recommendations on critical knowledge risks.
Call #7: Review selected transfer methods. |
Call #8: Analyze role transition plans for flags. |
| Phase 1
1.1 Identify Critical Roles 1.2 Assess Talent |
Phase 2
2.1 Identify Successors 2.2 Develop Successors 2.3 Select Successors |
Phase 3
3.1 Identify Critical Knowledge 3.2 Select Transfer Methods 3.3 Document Role Transition Plan |
| Organizations should prepare now to mitigate the risk of loss later. Key roles are:
Info-Tech InsightLosing employees in key roles without adequate preparation for their departure has a direct impact on the bottom line in terms of disrupted productivity, lost knowledge, severed relationships, and missed opportunities. |  Identifying key roles is the first step in a range of workforce management activities because it helps establish organizational needs and priorities, as well as focusing planning effort. |
A talent review allows you to identify the knowledge and skills you need today and for the long term.Knowing what you need is the first step in determining what you have and what you need to keep.
CautionA talent review is a high-level planning process which does not take individual employees into consideration. Succession planning looks at individuals and will be discussed in Phase 2. |
A talent review gets you to think in terms of:
Note: Planning against a time frame longer than five years is difficult because uncertainty in the external business environment will have unforeseen effects. Revisit your plan annually and update it, considering changes. |
The primary goal of this step is to ensure we have effectively identified key roles based on business priorities, goals, and challenges, and to capture the key elements of critical roles.
| Step 1.1 | Step 1.2 |
Note: Most organizations will be a blend of all three, with one predominating |
“I’ve been in the position where the business assumes everyone knows what is required. It’s not until you get people into a room that it becomes clear there is misalignment. It all seems very intuitive but in a lot of cases they haven’t made the critical distinctions regarding what exactly the competencies are. They haven’t spent the time figuring out what they know.” (Anne Roberts, Principal, Leadership Within Inc.) |
Input: Business strategic plan
Output: Completed workforce planning worksheet (Tab 2) of the Key Roles Succession Planning Tool
Materials: Key Roles Succession Planning Tool
Participants: IT leadership
Start by identifying your business priorities based on your strategic plan. The goal of this exercise is to blast away assumptions and make sure leadership has a common understanding of your target.
With the questions on the previous slide in mind document your business priorities, business goals, and business challenges in Tab 2 of the Key Roles Succession Planning Tool worksheet.
Get clear answers to these questions:
A key role is crucial to achieving organizational objectives, drives business performance, and includes specialized and rare competencies. Key roles are high in strategic value and rarity – for example, the developer role for a tech company.
|
Info-tech insightTraditionally, succession planning has only addressed top management roles. However, until you look at the evidence, you won’t know if these are indeed high-value roles, and you may be missing other critical roles further down the hierarchy. Use the Critical Role Identifier to facilitate the identification of critical roles with your leaders. |
Input: Business strategic plan
Output: Weighted criteria to help identify critical roles
Materials: Critical Role Identifier
Participants: IT leadership
Input: List of IT roles
Output: Full list of roles and a populated Critical Role Selection sheet (Tab 4)
Materials: Critical Role Identifier
Participants: IT leadership
| Focus on key IT roles instead of all roles to save time and concentrate effort on your highest risk areas.
Key Roles include:
|
Ask these questions to identify key roles:
|
Input: Tab 3 of the Critical Role Identifier
Output: List of roles from highest to lowest criticality score, List of key roles entered in Tab 2 of the Key Roles Succession Planning Tool
Materials: Critical Role Identifier, Key Roles Succession Planning Tool
Participants: IT leadership
Input: Job descriptions, Success profiles, Competency profiles
Output: List of required skills and knowledge for key roles, Role profiles documented for key roles
Materials: Key Roles Succession Planning Tool, Role Profile Template
Participants: IT leadership
Case StudyConduct a “sanity check” by walking through a checklist of all roles to ensure you haven’t missed anything. |
INDUSTRY |
SOURCE |
Challenge
|
Solution
|
Results
|
The primary goal of this step is to assess departmental talent and identify gaps between potential successors and key roles. This analysis is intended to support departmental access to suitable talent ensuring future business success.
Talent Review
| Step 1.1 | Step 1.2 |
Find out key role incumbents’ career plansHave career discussions with key role incumbents
|
Do the following:
|
|
 |
Input: Key roles list, Employee information
Output: List of key roles with individual incumbent information
Materials: Key Roles Succession Planning Tool – Succession Plan Worksheet (Tab 3)
Participants: IT leadership/management team, HR, Current incumbents if necessary
Using Tab 3 of the Key Roles Succession Planning Tool identify the incumbent (the person currently in the role) for all key roles.
Distribute the worksheet to department managers and team leaders to complete the information below for each key role.
For that incumbent, also document:
Upon completion, managers and team leaders should review the results with the department leader.
Work collaboratively with the management team and HR business partners for names of potential successors. The management team includes:
Use management roundtable discussions to identify and analyze each potential successor.
|
Don’t confuse successors with high potentials!
|
| Description | Advice | |
| Management-nominated employees |
|
|
| High-potential employees (HiPos) |
|
|
| Self-nominated employees |
|
|
| All employees |
|
|
| When identifying employees, keep the following advice in mind: | |
Widen the netDon’t limit yourself to the next level down or the same functional group. |
Match transparencyWith less transparency, there are fewer options, and you risk missing out on potential successors. |
Select the appropriate talent assessment methodsIdentify all talent assessment types used in your organization and examine their ability to inform decision-making for critical role assignments. Select multiple sources to ensure a robust talent assessment approach: A sound talent assessment methodology will involve both quantitative and qualitative components. Multiple data inputs and perspectives will help ensure relevant information is prioritized and suitable candidates aren’t overlooked. However, beware that too many inputs may slow down the process and frustrate managers. Beware of biases in talent assessments. A common tendency is for people to recommend successors who are exactly like them or who they like personally, not necessarily the best person for the job. HR must (diplomatically) challenge leaders to use evidence-based assessments. |
Good Successor Information Sources
|
| Ensure the role profile and individual talent profile are synchronized to enable comparing employee qualifications and readiness to critical role requirements. | 
Role ProfileA role profile contains information on the skills, competencies, and other minimum requirements for the critical role. It details the type of incumbent that would fit a critical role. |
Use both in conjunction during:
|
Individual Talent ProfileA talent profile provides information about a person. In addition to responding to role profile criteria, it provides information on an employee’s past experiences and performance, career aspirations, and future potential. |
Input: Key roles list, Employee information, Completed role profiles and/or Tab 2 role information.
Output: List of potential successors for key roles that are selected for talent assessment
Materials: Key Roles Succession Planning Tool – Succession Plan Worksheet (Tab 3)
Participants: IT leadership, IT team leads, Employees
Have managers and team leads complete column I on Tab 3 of the Key Roles Succession Planning Tool and review with the department leader.
There may be more than one potential successor for key roles; this is okay.
Once the list is compiled, complete an individual talent profile for each potential successor. Record an employee’s:
Once the profiles are completed, they can be compared to the role profile to identify development needs.
| Phase 1 1.1 Identify Critical Roles 1.2 Assess Talent | Phase 2 2.1 Identify Successors 2.2 Develop Successors 2.3 Select Successors | Phase 3 3.1 Identify Critical Knowledge 3.2 Select Transfer Methods 3.3 Document Role Transition Plan |
| Drilling down to the incumbent and successor level introduces “real life,” individual-focused factors that have a major impact on role-related risk.
Succession planning is an organizational process for identifying and developing talent internally to fill key business roles. It allows organizations to:
Caution:Where the talent review was about high-level strategic planning for talent requirements, succession planning looks at individual employees and plans for which employees will fulfill which key roles next. |
“I ask the questions, What are the risks we have with these particular roles? Is there a way to disperse this knowledge to other members of the group? If yes, then how do we do that?” (Director of HR, Service Industry) |
Succession planning ultimately must drill down to individual people – namely, the incumbent and potential successors. This is because individual human beings possess a unique knowledge and skill set, along with their own personal aspirations and life circumstances. The risks associated with a key role are theoretical. When people are introduced into the equation, the “real life” risk of loss for that key role can change dramatically. | Succession Planning |
This step highlights the relative positioning of all employees assessed for departure risk compared to the potential successors’ readiness, identifying gaps that create risk for the organization, and need mitigation strategies.
Succession Planning
| Step 2.1 | Step 2.2 | Step 2.3 |
Not all employees may want to be considered as part of the succession planning program. It might not fit their short- or long-term plans. Avoid misalignment and outline steps to ascertain employee interest.
Transparency
Timing
Manager accountability and resources
|
Obtaining employee interest ensures process efficiency because:
Level-set expectations with employees:
|
Conduct a risk assessmentIdentify key role incumbents who may leave before you’re ready.Pay particular attention to those employees nearing retirement and flag them as high risk.
|
Pull some hard demographic data.
Compile a report that breaks down employees into age-based demographic groups. Flag those over the age of 50 – they’re in the “retirement zone” and could decide to leave at any time. Check to see which key role incumbents fall into the “over 50” age demographic. You’ll want to shortlist these people for an individual risk assessment. Update this report twice a year to keep it current. For those people on your shortlist, gather the information that supervisors gained from the career discussions that took place. Specifically, draw out information that indicates their retirement plans. |
Input: Completed Succession Plan worksheet
Output: Risk assessment of key role incumbents, understanding of which key role departures to manage, mitigate, and accept
Materials: Key Roles Succession Planning Tool – Individual Risk Assessment (Tab 4), Key Roles Succession Planning Tool – Risk Assessment Results (Tab 5)
Participants: IT leadership/management team
For those in key roles and those over 50, complete the Individual Risk Assessment (Tab 4) of the Key Roles Succession Planning Tool:
| Example: | Performance |
Potential |
| Ready Now | Definition: Ability to deliver in current role Requirement: Meets or exceeds expectations | Definition: Ability to take on greater responsibility Requirement: Demonstrates learning agility |
| The 9-box is an effective way to map performance and potential requirements and can guide management decision making in talent review and calibration sessions. See McLean & Company’s 9-Box Job Aid for more information. |  |
| “Time means nothing. If you say someone will be ready in a year, and you’ve done nothing in that year to develop them, they won’t be ready. We look at it as moves or experiences: ready now, ready in one move, ready in two moves.” (Amanda Mathieson, Senior Manager, Talent Management, Tangerine) | |
Input: Individual talent profiles, List of potential successors (Tab 3)
Output: Readiness ranking for each potential successor
Materials: Key Roles Succession Planning Tool
Participants: IT leadership/management team
Using Tab 6 of the Key Roles Succession Planning Tool, evaluate the readiness of each potential successor that you previously identified.
|
|
Case StudyFailing to have a career aspiration discussion with a potential successor leaves a sales director in a bind. | INDUSTRY | SOURCE |
Challenge
|
Solution
|
Results
|
The primary goal of this step is to identify the steps that need to be taken to develop potential successors. Focus on training employees for their future role, not just their current one.
Succession Planning
| Step 2.1 | Step 2.2 | Step 2.3 |
Input: Role profiles, Talent profiles, Talent assessments
Output: Identified gaps between key role exits and successor readiness
Materials: Key Roles Succession Planning Tool – Successor Identification (Tab 7)
Participants: IT leadership/management team
Use role and talent profiles and any talent assessment results to identify gaps for development.
Succession planning without integrated efforts for successor development is simply replacement planning. Get successors ready for promotion by ensuring a continuously monitored and customized development plan is in place.
1 |
Brainstorm ideas to encourage knowledge-sharing and transfer from incumbent to successor. | 2 |
Integrate knowledge-transfer methods into the successor development process. |
Identify key knowledge areas to include:
|
Use multiple methods for effective knowledge transfer.
Explicit knowledge is easily explained and codified, such as facts and procedures. Knowledge transfer methods tend to be more formal and one-way. For example:
Tacit knowledge accumulates over years of experience and is hard to articulate. Knowledge transfer methods are often informal and interactive. For example:
|
||
| Knowledge transfer can occur via a wide range of methods that need to be selected and integrated into daily work to suit the needs of the knowledge to be transferred and of the people involved. See Phase 3 for more details on knowledge transfer. | |||
The goal of this step is to determine how critical roles will be filled when vacancies arise.
Succession Planning
| Step 2.1 | Step 2.2 | Step 2.3 |
Choose one of two approaches to successor selection:
|
Work together with Talent Acquisition (TA) to outline special treatment of critical role vacancies. Ensure TA is aware of succession plan(s). Explicitly determine the level of preference for internal successors versus external hires to your TA team to ensure alignment. This will create an environment where promotion from within is customary. |
| Phase 1 1.1 Identify Critical Roles 1.2 Assess Talent | Phase 2 2.1 Identify Successors 2.2 Develop Successors 2.3 Select Successors | Phase 3 3.1 Identify Critical Knowledge 3.2 Select Transfer Methods 3.3 Document Role Transition Plan |
Effective knowledge transfer allows organizations to:
|
Knowledge transfer between those in key roles and potential successors yields the highest dividends for:
|
|
Knowledge transfer is the capture, organization, and distribution of knowledge held by individuals to ensure that it is accessible and usable by others.
| Knowledge transfer is not stopping, learning, and returning to work. Nor is it simply implementing a document management system. |  |
Knowledge transfer is a wide range of methods that must be carefully selected and integrated into daily work in order to meet the needs of the knowledge to be transferred and the people involved. |
Knowledge transfer works best when the following techniques are applied
|
Personalization is the key.
Dwyer & Dwyer say that providing “insights to a particular person (or people) needing knowledge at the time of the requirement” is the difference between knowledge transfer that sticks and knowledge that is forgotten. |
| “Designing a system in which the employee must interrupt his or her work to learn or obtain new knowledge is not productive. Focus on ‘teachable moments.” (Karl Kapp, “Tools and Techniques for Transferring Know-How from Boomers to Gamers”) | |
The goal of this step is to understand what knowledge and skills much be transferred, keeping in mind the various types of knowledge.
Knowledge Transfer
| Step 3.1 | Step 3.2 | Step 3.3 |
There are two basic types of knowledge:
|
|
This step helps you identify the knowledge transfer methods that will be the most effective, considering the knowledge or skill that needs to be transferred and the individuals involved.
Knowledge Transfer
| Step 3.1 | Step 3.2 | Step 3.3 |
| The most common knowledge transfer method is simply to have a collaborative culture
|
A basic willingness for a role incumbent to share with a successor is the most powerful item in your tacit knowledge transfer toolkit. Formal documentation is critical for explicit knowledge sharing, yet only 40% of organizations use it. Rewarding and recognizing employees for doing knowledge transfer well is underutilized yet has emerged as an important reinforcing component of any effective knowledge transfer program.
|
Input: Role profiles, Talent profiles
Output: Methods for integrating knowledge transfer into day-to-day practice
Materials: Role Transition Plan Template
Participants: IT leadership/management team, HR, Knowledge source, Knowledge recipient
Select your method according to the following criteria:
The more integrated knowledge transfer is in day-to-day activities, the more likely it is to be successful and the lower the time cost. This is because real learning is happening at the same time real work is being accomplished.
Document the knowledge transfer methods in the Role Transition Plan Template.
| If a key role incumbent isn’t around to complete knowledge transfer, it’s all for naught.
Alternative work arrangements are critical tools that employers can use to achieve a mutually beneficial solution that mitigates the risk of loss associated with key roles. Alternative work arrangements not only support employees who want to keep working, but they allow the business to retain employees that are needed in key roles. In a survey from The Conference Board, one out of four older workers indicated that they continue to work because their company provided them with needed flexibility. And, nearly half said that more flexibility would make them less likely to retire. (Source: Ivey Business Journal) |
Flexible work options are the most used form of alternative work arrangement
|
Alternative Work Arrangement |
Description |
Ideal Use |
Caveats |
| Flexible work options | Employees work the same number of hours but have flexibility in when and where they work (e.g. from home, evenings). | Employees who work fairly independently, with no or few direct reports. | Employee may become isolated or disconnected, impeding knowledge transfer methods that require interaction or one-on-one time. |
| Contract-based work | Working for a defined period of time on a specific project on a non-salaried or non-wage basis. | Project-oriented work that requires specialized knowledge or skills. | Available work may be sporadic or specific projects more intensive than the employee wants. Knowledge transfer must be built into the contractual arrangement. |
| Part-time roles | Half-days or a certain number of days per week; indefinite with no end date in mind. | Employees whose roles can be readily narrowed and upon whom people and critical processes are not dependent. | It may be difficult to break a traditionally full-time job down into a part-time role given the size and nature of associated tasks. |
| Graduated retirement | Retiring employee has a set retirement date, gradually reducing hours worked per week over time. | Roles where a successor has been identified and is available to work alongside the incumbent in an overlapping capacity while he or she learns. | The role may only require a single FTE, and the organization may not be able to afford the amount of redundancy inherent in this arrangement. |
Alternative Work Arrangement | Description | Ideal Use | Caveats |
| Part-year jobs or job sharing | Working part of the year and having the rest of the year off, unpaid. | Project-oriented work where ongoing external relationships do not need to be maintained. | The employee is unavailable for knowledge transfer activities for a large portion of the year. Another risk is that the employee may opt not to return at the end of the extended time off, with little notice. |
| Increased paid time off | Additional vacation days upon reaching a certain age. | Best used as recognition or reward for long-term service. This may be a particularly useful retention incentive in organizations that do not offer pension plans. | The company may not be able to financially afford to pay for such extensive time off. If the role incumbent is the only one in the role, this may mean crucial work is not being done. |
| Altered roles | Concentration of a job description on fewer tasks that allows the employee to focus on his or her specific expertise. | Roles where a successor has been identified and is available to work alongside the incumbent, with the incumbent’s new role highly focused on mentoring. | The role may only require a single FTE, and the organization may not be able to afford the amount of redundancy inherent in this arrangement. |
| Any changes made to an employee’s work arrangement has an impact on people, processes, and policies.
If the knowledge and skills of older employees aren’t valued, then:
|
Alternate work arrangements can’t be implemented on a whim.
Make sure alternative work arrangements can be done right and are supported – they’re often solutions that come with additional work. Determine the effects and make appropriate adjustments.
|
The primary goal of this step is to build clear checklist-based plans for each key role to help ensure a smooth transition as a successor takes over.
Knowledge Transfer
| Step 3.1 | Step 3.2 | Step 3.3 |
Input: Role profiles, Talent profiles, Talent assessments, Workforce plans
Output: A clear checklist-based plan to help ensure a smooth transition.
Materials: Role Transition Plan Template
Participants: IT leadership/management team, Incumbent, Successor(s), HR
You should already have a good idea of what knowledge and skills are valued from the worksheets completed earlier. Focus on identifying the knowledge, skills, and relationships essential to the specific incumbent in a key role and what it is they do to perform that key role well.
Using the Role Transition Plan Template develop a plan to transfer what needs to be transferred from the incumbent to the successor.
DairyNZ leverages alternative work arrangementsEnsures successful knowledge transfer |
INDUSTRY |
SOURCE |
Challenge
|
Solution
|
Results
|
| Anne Roberts
Principal, Leadership Within Inc. al,
|
Amanda Mathieson
Senior Manager, Talent Management, Tangerine
|
 |
Mitigate Key IT Employee Knowledge Loss
|
 |
Implement an IT Employee Development Plan
|
“Accommodating Older Workers’ Needs for Flexible Work Options.” Ivey Business Journal, July/August 2005. Accessed Jan 7, 2013.
Christensen, Kathleen and Marcie Pitt-Catsouphes. “Approaching 65: A Survey of Baby Boomers Turning 65 Years Old”. AARP, Dec. 2010.
Coyne, Kevin P. and Shawn T. Coyne. “The Baby Boomer Retirement Fallacy and What It Means to You. “ HBR Blog Network. Harvard Business Review, May 16, 2008. Accessed 8 Jan. 2013.
Dwyer, Kevin and Ngoc Luong Dwyer. “Managing the Baby Boomer Brain Drain: The Impact of Generational Change on Human Resource Management.” ChangeFactory, April 2010. Accessed Jan 9, 2013.
Gurchiek, Kathy. “Poll: Organizations Can Do More to Prepare for Talent Shortage as Boomers Retire.” SHRM, Nov 17, 2010. Accessed Jan 3, 2013.
Howden, Daniel. “What Is Time to Fill? KPIs for Recruiters.” Workable, 24 March 2016. Web.
Kapp, Karl M. “Tools and Techniques for Transferring Know-How from Boomers to Gamers.” Global Business and Organizational Excellence, July/August 2007. Web.
Piktialis, Diane and Kent A. Greenes. Bridging the Gaps: How to Transfer Knowledge in Today’s Multigenerational Workplace. The Conference Board, 2008.
Pisano, Gary P. “You need an Innovation Strategy.” Harvard Business Review, June 2015.
Vilet, Jacque. “Lost Knowledge – What Are You and Your Organization Doing About It?” TLNT, 25 April 2012. Accessed 5 Jan. 2013.
The challenge
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Our concise executive brief shows you why you should develop a sound business continuity practice in your company. We'll show you our methodology and the ways we can help you in completing this.
Choose a medium-sized department and build a team. Identify that department's processes, dependencies, and alternatives.
Define an objective impact scoring scale for your company. Have the business estimate the impact of downtime and set your recovery targets.
The need for clarity is critical. In times when you need the plans, people will be under much higher stress. Build the workflow for the steps necessary to rebuild. Identify gaps and brainstorm on how to close them. Prioritize solutions that mitigate the remaining risks.
Present the results of the pilot and propose the next steps. Assign BCM teams or people within each department. Update and maintain the overall BCMS documentation.
These can help with the creation of your BCP.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Identify the purpose of your committee, determine the capabilities of the committee, and define roles and responsibilities.
Determine how information will flow and the process behind that.
Define your meeting agendas and the procedures to support those meetings. Hold your kick-off meeting. Identify metrics to measure the committee’s success.
"Having your security organization’s steering committee subsumed under the IT steering committee is an anachronistic framework for today’s security challenges. Conflicts in perspective and interest prevent holistic solutions from being reached while the two permanently share a center stage.
At the end of the day, security is about existential risks to the business, not just information technology risk. This focus requires its own set of business considerations, information requirements, and delegated authorities. Without an objective and independent security governance body, organizations are doomed to miss the enterprise-wide nature of their security problems."
– Daniel Black, Research Manager, Security Practice, Info-Tech Research GroupEven though security is a vital consideration of any IT governance program, information security has increasingly become an important component of the business, moving beyond the boundaries of just the IT department.
This requires security to have its own form of steering, beyond the existing IT Steering Committee, that ensures continual alignment of the organization’s security strategy with both IT and business strategy.
Ensuring proper governance over your security program is a complex task that requires ongoing care and feeding from executive management to succeed.
Your ISSC should aim to provide the following core governance functions for your security program:
Creation of an ISSC is deemed the most important governance and oversight practice that a CISO can implement, based on polling of IT security leaders analyzing the evolving role of the CISO.
Relatedly, other key governance practices reported – status updates, upstream communications, and executive-level sponsorship – are within the scope of what organizations traditionally formalize when establishing their ISSC.
83% of organizations have not established formal steering committees to evaluate the business impact and risks associated with security decisions. (Source: 2017 State of Cybersecurity Metrics Report)
70% of organizations have delegated cybersecurity oversight to other existing committees, providing security limited agenda time. (Source: PwC 2017 Annual Corporate Director Survey)
"This is a group of risk managers an institution would bring together to deal with a response anyway. Having them in place to do preventive discussions and formulate policy to mitigate the liability sets and understand compliance obligations is just powerful." (Kirk Bailey, CISO, University of Washington)
Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.
This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.
This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.
DIY Toolkit |
Guided Implementation |
Workshop |
Consulting |
| "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
1. Define Committee Purpose and Responsibilities |
2. Determine Information Flows, Membership & Accountabilities |
3. Operate the Information Security Steering Committee |
|
Best-Practice Toolkit |
1.1 Tailor Info-Tech’s Information Security Steering Committee Charter Template to define terms of reference for the ISSC 1.2 Conduct a SWOT analysis of your information security governance capabilities 1.3 Identify the responsibilities and duties of the ISSC 1.4 Draft the committee purpose statement of your ISSC |
2.1 Define your SIPOC model for each of the ISSC responsibilities 2.2 Identify committee participants and responsibility cadence 2.3 Define ISSC participant RACI for each of the responsibilities |
3.1 Define the ISSC meeting agendas and procedures 3.2 Define which metrics you will report to the ISSC 3.3 Hold a kick-off meeting with your ISSC members to explain the process, responsibilities, and goals 3.4 Tailor the Information Security Steering Committee Stakeholder Presentation template 3.5 Present the information to the security leadership team 3.6 Schedule your first meeting of the ISSC |
Guided Implementations |
|
|
|
Onsite Workshop |
This blueprint can be combined with other content for onsite engagements, but is not a standalone workshop. | ||
Phase 1 Outcome:
|
Phase 2 Outcome:
|
Phase 3 Outcome:
|
Balance vision with direction. Purpose and responsibilities should be defined so that they encompass your mission and objectives to the enterprise in clear terms, but provide enough detail that you can translate the charter into operational plans for the security team.
1.1
A charter is the organizational mandate that outlines the purpose, scope, and authority of the ISSC. Without a charter, the steering committee’s value, scope, and success criteria are unclear to participants, resulting in unrealistic stakeholder expectations and poor organizational acceptance.
Download the Information Security Steering Committee Charter to customize your organization’s charter
1.2
INPUT: Survey outcomes, Governance overview handouts
OUTPUT: SWOT analysis, Top identified challenges and opportunities
1.3
INPUT: SWOT analysis, Survey reports
OUTPUT: Defined ISSC responsibilities
Add or modify responsibilities in Info-Tech’s Information Security Steering Committee Charter.
Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on. These should link directly to the Responsibilities and Duties section of your ISSC charter.
Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on. These should link directly to the Responsibilities and Duties section of your ISSC charter.
The ISSC should consistently evolve to reflect the strategic purpose of the security program. If you completed Info-Tech’s Security Strategy methodology, review the results to inform the scope of your committee. If you have not completed Info-Tech’s methodology, determining these details should be achieved through iterative stakeholder consultations.
Strategy Components |
ISSC Considerations |
Security Pressure Analysis |
Review the ten security domains and your organization’s pressure levels to review the requisite maturity level of your security program. Consider how this may impact the focus of your ISSC. |
Security Drivers/Obligations |
Review how your security program supports the attainment of the organization’s business objectives. By what means should the ISSC support these objectives? This should inform the rationale, benefits, and overall function of the committee. |
Security Strategy Scope and Boundaries |
Consider the scope and boundaries of your security program to reflect on what the program is responsible for securing. Is this reflected adequately in the language of the committee’s purpose? Should components be added or redacted? |
1.4
INPUT: SWOT Analysis, Security Strategy
OUTPUT: ISSC Committee Purpose
Alter the Committee Purpose section in the Information Security Steering Committee Charter.
Organizations wishing to mature their IT financial management (ITFM) maturity often face the following obstacles:
No matter where you currently stand in your ITFM practice, there is always room for improvement. Hence, a maturity assessment should be viewed as a self-improvement tool that is only valuable if you are willing to act on it.
A mature ITFM practice leads to many benefits.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This research seeks to support IT leaders and ITFM practitioners in evaluating and improving their current maturity. It will help document both current and target states as well as prioritize focus areas for improvement.
This Excel workbook guides IT finance practitioners to effectively assess their IT financial management practice. Incorporate the visual outputs into your final executive presentation document. Key activities include context setting, completing the assessment, and prioritizing focus areas based on results.
Use this template to document your final ITFM maturity outputs, including the current and target states and your identified priorities.
Technology has been evolving throughout the years, increasing complexity and investments, while putting more stress on operations and people involved. As an IT leader, you are now entrusted to run your outfit as a business, sit at the executive table as a true partner, and be involved in making decisions that best suit your organization. Therefore, you have an obligation to fulfill the needs of your end customers and live up to their expectations, which is not an easy task.
IT financial management (ITFM) helps you generate value to your organization’s clientele by bringing necessary trade-offs to light, while driving effective dialogues with your business partners and leadership team.
This research will focus on Info-Tech’s approach to ITFM maturity, aiming for a state of continuous improvement, where an organization can learn and grow as it adapts to change. As the ITFM practice matures, IT and business leaders will be able to better understand one another and together make better business decisions, driven by data.
This client advisory presentation and accompanying tool seek to support IT leaders and ITFM practitioners in evaluating and improving their current maturity. It will help document both current and target states as well as prioritize focus areas for improvement.
|
Bilal Alberto Saab
Research Director, IT Financial Management Info-Tech Research Group |
ITFM is often discarded and not given enough importance and relevance due to the operational nature of IT, and the specialized skillset of its people, leading to several problems and challenges, such as:
Business-driven conversations around financials (spending, cost, revenue) are a rarity in IT due to several factors, including:
Mature your ITFM practice by activating the means to make informed business decisions.
Info-Tech’s methodology helps you move the dial by focusing on three maturity focus areas:
Influence your organization’s strategic direction by maturing your ITFM practice.
“ITFM embeds technology in financial management practices. Through cost, demand, and value, ITFM brings technology and business together, forging the necessary relationships and starting the right conversations to enable the best decisions for the organization.”
– Monica Braun, Research Director, Info-Tech Research Group
“Value is not the numbers you visualize on a chart, it’s the dialogue this data generates with your business partners and leadership team.”
– Dave Kish, Practice Lead, Info-Tech Research Group
In a technology-driven world, advances come at a price. With greater spending required, more complex and difficult conversations arise.
79% of respondents believe that decisions taking too long to make is either a significant or somewhat of a challenge (Flexera 2022 Tech Spend Pulse; N=501).
81% of respondents believe that ensuring spend efficiency (avoiding waste) is either a challenge or somewhat of a challenge (Flexera 2022 Tech Spend Pulse; N=501).
In today’s world, where organizations are driving customer experience through technology investments, having a seat at the table means IT leaders must be well versed in business language and practice, including solid financial management skills.
However, IT staff across all industries aren’t very confident in how well IT is doing in managing its finances. This becomes evident after looking at three core processes:
Recent data from 4,137 respondents to Info-Tech’s IT Management & Governance Diagnostic shows that while most IT staff feel that these three financial management processes are important, notably fewer feel that IT management is effective at executing on them.
IT leadership’s capabilities around fundamental cost data capture appear to be lagging, not to mention the essential value-added capabilities around optimizing costs and demonstrating IT’s contribution to business value.
Source: Info-Tech Research Group, IT Management & Governance Diagnostic, 2023.
Note: See Appendix A for maturity level definitions and descriptions.
Info-Tech identified three maturity focus areas, each containing three levers.
Identify where you stand across the nine maturity levers, detect the gaps, and determine your priorities as a first step to develop an improvement plan.
Note: See Appendix B for maturity level definitions and descriptions per lever.
Each step of this activity is accompanied by supporting deliverables to help you accomplish your goals.
Build your improvement plan and implement your initiatives to move the dial and climb the maturity ladder.
DIY Toolkit |
Guided Implementation |
Workshop |
Consulting |
| "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks used throughout all four options |
|||
3 hours
Input: Understanding your context, objectives, and methodology
Output: ITFM maturity assessment stakeholders and their objectives, ITFM maturity assessment methodology, ITFM maturity assessment takers
Materials: 1a. Prepare for Assessment tab in the ITFM Maturity Assessment Tool
Participants: CIO/IT director, CFO/finance director, IT finance lead, IT audit lead, Other IT management
Download the IT Financial Management Maturity Assessment Tool
Refer to the example and guidelines below on how to document stakeholders, objectives, and methodology (table range: columns B to G and rows 8 to 15).
| Column ID | Input Type | Guidelines |
| B | Formula | Automatic calculation, no entry required. |
| C | Text | Enter the full name of each stakeholder on a separate row. |
| D | Text | Enter the job title related to each stakeholder. |
| E | Text | Enter the objective(s) related to each stakeholder. |
| F | Text | Enter the agreed upon methodology. |
| G | Text | Enter any notes or comments per stakeholder (optional). |
Download the IT Financial Management Maturity Assessment Tool
Refer to the example and guidelines below on how to document assessment takers (table range: columns B to E and rows 18 to 25).
| Column ID | Input Type | Guidelines |
| B | Formula | Automatic calculation, no entry required. |
| C | Text | Enter the full name of each assessment taker on a separate row. |
| D | Text | Enter the job title related to each stakeholder to identify which party is being represented per assessment taker. |
| E | Text | Enter any notes or comments per stakeholder (optional). |
Download the IT Financial Management Maturity Assessment Tool
3 hours
Input: Understanding of your ITFM current state and 12-month target state, ITFM maturity assessment results
Output: ITFM current- and target-state maturity levels, average scores, and variance, ITFM current- and target-state average scores, variance, and priority by maturity focus area and maturity lever
Materials: 1b. Glossary, 2a. Assess ITFM Foundation, 2b. Assess Mngt. & Monitoring, 2c. Assess Language, and 3. Assessment Summary tabs in the ITFM Maturity Assessment Tool
Participants: CIO/IT director, CFO/finance director, IT finance lead, IT audit lead, Other IT management
Download the IT Financial Management Maturity Assessment Tool
Refer to the example and guidelines below on how to complete the survey.
| Column ID | Input Type | Guidelines |
| B | Formula | Automatic calculation, no entry required. |
| C | Formula | Automatic calculation, no entry required: ITFM maturity statement to assess. |
| D, E | Dropdown | Select the maturity levels of your current and target states. One of five maturity levels for each statement, from “1. Nonexistent” (lowest maturity) to “5. Advanced” (highest maturity). |
| F, G, H | Formula | Automatic calculation, no entry required: scores associated with your current and target state selection, along with related variance (column G – column F). |
| I | Text | Enter any notes or comments per ITFM maturity statement (optional). |
Download the IT Financial Management Maturity Assessment Tool
Refer to the example and guidelines below on how to review your results.
| Column ID | Input Type | Guidelines |
| K | Formula | Automatic calculation, no entry required. |
| L | Formula | Automatic calculation, no entry required: Current State, Target State, and Variance entries. Please ignore the current state benchmark, it’s a placeholder for future reference. |
| M | Formula | Automatic calculation, no entry required: average overall maturity score for your Current State and Target State entries, along with related Variance. |
| N, O | Formula | Automatic calculation, no entry required: maturity level and related name based on the overall average score (column M), where level 1 corresponds to an average score less than or equal to 1.49, level 2 corresponds to an average score between 1.5 and 2.49 (inclusive), level 3 corresponds to an average score between 2.5 and 3.49 (inclusive), level 4 corresponds to an average score between 3.5 and 4.49 (inclusive), and level 5 corresponds to an average score between 4.5 and 5 (inclusive). |
| P, Q | Formula | Automatic calculation, no entry required: maturity definition and related description based on the maturity level (column N). |
Download the IT Financial Management Maturity Assessment Tool
Refer to the example and guidelines below on how to review your results per maturity focus area and maturity lever, then prioritize accordingly.
| Column ID | Input Type | Guidelines |
| B | Formula | Automatic calculation, no entry required. |
| C | Formula | Automatic calculation, no entry required: ITFM maturity focus area or lever, depending on the table. |
| D | Placeholder | Ignore this column because it’s a placeholder for future reference. |
| E, F, G | Formula | Automatic calculation, no entry required: average score related to the current state and target state, along with the corresponding variance per maturity focus area or lever (depending on the table). |
| H | Formula | Automatic calculation, no entry required: preliminary priority based on the average variance (column G), where Low corresponds to an average variance between 0 and 0.5 (inclusive), Medium corresponds to an average variance between 0.51 and 0.99 (inclusive), and High corresponds to an average variance greater than or equal to 1. |
| J | Dropdown | Select your final priority (Low, Medium, or High) per ITFM maturity focus area or lever, depending on the table. |
| K | Whole Number | Enter the appropriate rank based on your priorities; do not use the same number more than once. A whole number between 1 and 3 to rank ITFM maturity focus areas, and between 1 and 9 to rank ITFM maturity levers, depending on the table. |
Download the IT Financial Management Maturity Assessment Tool
3 hours
Input: ITFM maturity assessment results
Output: Customized ITFM maturity assessment report
Materials: 3. Assessment Summary tab in the ITFM Maturity Assessment Tool, ITFM Maturity Assessment Report Template
Participants: CIO/IT director, CFO/finance director, IT finance lead, IT audit lead, Other IT management
Download the IT Financial Management Maturity Assessment Tool
Refer to the example below on charts depicting different views of the maturity assessment results across the three focus areas and nine levers.
Download the IT Financial Management Maturity Assessment Tool
Refer to the example below on slides depicting different views of the maturity assessment results across the three maturity focus areas and nine maturity levers.
Slide 6: Edit levels based on your assessment results. Copy and paste the appropriate maturity level definition and description from slide 4.
Slide 7: Copy related charts from the assessment summary tab in the Excel workbook and remove the chart title. You can use the “Outer Offset: Bottom” shadow under shape effects on the chart.
Slide 8: Copy related charts from the assessment summary tab in the Excel workbook and remove the chart title and legend. You can use the “Outer Offset: Center” shadow under shape effects on the chart.
Download the IT Financial Management Maturity Assessment Report Template
Communicate your maturity results with stakeholders and develop an actionable ITFM improvement plan.
And remember, having informed discussions with your business partners and stakeholders, where technology helps propel your organization forward, is priceless!
|
Dave Kish
Practice Lead, ITFM Practice Info-Tech Research Group |
|
Jennifer Perrier
Principal Research Director, ITFM Practice Info-Tech Research Group |
|
Angie Reynolds
Principal Research Director, ITFM Practice Info-Tech Research Group |
|
Monica Braun
Research Director, ITFM Practice Info-Tech Research Group |
|
Rex Ding
Research Specialist, ITFM Practice Info-Tech Research Group |
|
Aman Kumari
Research Specialist, ITFM Practice Info-Tech Research Group |
|
Amy Byalick
Vice President, IT Finance Info-Tech Research Group |
Amy Byalick is an IT Finance practitioner with 15 years of experience supporting CIOs and IT leaders elevating the IT financial storytelling and unlocking insights. Amy is currently working at Johnson Controls as the VP, IT Finance, previously working at PepsiCo, AmerisourceBergen, and Jacobs. |
|
Carol Carr
Technical Counselor, Executive Services Info-Tech Research Group |
|
|
Scott Fairholm
Executive Counselor, Executive Services Info-Tech Research Group |
|
|
Gokul Rajan
Executive Counselor, Executive Services Info-Tech Research Group |
|
|
Allison Kinnaird
Practice Lead, Infrastructure & Operations Info-Tech Research Group |
|
|
Isabelle Hertanto
Practice Lead, Security & Privacy Info-Tech Research Group |
|
Achieve IT Spending Transparency
Mature your ITFM practice by activating the means to make informed business decisions. |
|
Build Your IT Cost Optimization Roadmap
Develop an IT cost optimization strategy based on your specific circumstances and timeline. |
Eby, Kate. “The Complete Guide to Organizational Maturity: Models, Levels, and Assessments.” Smartsheet, 8 June 2022. Web.
“Financial Management Maturity Model.” National Audit Office, n.d. Accessed 28 Apr. 2023.
“ITFM/TBM Program Maturity Guide.” Nicus Software, n.d. Accessed 28 Apr. 2023.
Jouravlev, Roman. "Service Financial Management: ITIL 4 Practice Guide." Axelos, 2020.
McCarthy, Seamus. “Financial Management Maturity Model: A Good Practice Guide.” Office of the Comptroller & Auditor General, 26 June 2018. Web.
“Principles for Effective Risk Data Aggregation and Risk Reporting.“ Bank for International Settlements, Jan. 2013. Web.
“Role & Influence of the Technology Decision-Maker 2022.” Foundry, 2022. Web.
Stackpole, Beth. “State of the CIO, 2022: Focus turns to IT fundamentals.” CIO, 21 March 2022. Web.
“Tech Spend Pulse.” Flexera, 2022. Web.
Maturity Level |
Definition |
Description |
| Nascent Level 1 |
Inability to consistently deliver financial planning services | ITFM practices are almost inexistent. Only the most basic financial tasks and activities are being performed on an ad hoc basis to fulfill the Finance department’s requests. |
| Cost Operator Level 2 |
Rudimentary financial planning capabilities. | ITFM activities revolve around minimizing the IT budget as much as possible. ITFM practices are not well defined, and IT’s financial view is limited to day-to-day technical operations.
IT is only involved in low complexity decision making, where financial conversations center on general ledger items and IT spending. |
| Trusted Coordinator Level 3 |
Enablement of business through cost-effective supply of technology. | ITFM activities revolve around becoming a proficient and cost-effective technology supplier to business partners.
ITFM practices are in place, with moderate coordination and adherence to execution. Various IT business units coordinate to produce a consolidated financial view focused on business services. IT is involved in moderate complexity decision making, as a technology subject matter expert, where financial conversations center on IT spending in relation to technology services or solutions provided to business partners. |
| Value Optimizer Level 4 |
Effective impact on business performance. | ITFM activities revolve around optimizing existing technology investments to improve both IT and business performance.
ITFM practices are well managed, established, documented, repeatable, and integrated as necessary across the organization. IT’s financial view tie technology investments to lines of business, business products, and business capabilities. Business partners are well informed on the technology mix and drive related discussion. IT is trusted to contribute to complex decision making around existing investments to cost-effectively plan initiatives, as well as enhance business performance. |
| Strategic Partner Level 5 |
Influence on the organization’s strategic direction. | ITFM activities revolve around predicting the outcome of new or potential technology investments to continuously optimize business performance.
ITFM practices are fully optimized, reviewed, and improved in a continuous and sustainable manner, and related execution is tracked by gathering qualitative and quantitative feedback. IT’s financial view is holistic and fully integrated with the business, with an outlook on innovation, growth, and strategic transformation. Business and IT leaders know the financial ramifications of every business and technology investment decision. IT is trusted to contribute to strategic decision making around potential and future investments to grow and transform the business. |
Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to provide any type of financial insight. | ITFM tasks, activities, and functions are not being met in any way, shape, or form. |
| Cost Operator Level 2 | Ability to provide basic financial insights. | There is no dedicated ITFM team.
|
| Trusted Coordinator Level 3 | Ability to provide basic business insights. | A dedicated team is fulfilling essential ITFM tasks, activities, and functions.
|
| Value Optimizer Level 4 | Ability to provide valuable business driven insights. | A dedicated ITFM team with well-defined roles and responsibilities can provide effective advice to IT leaders, in a timely fashion, and positively influence IT decisions. |
| Strategic Partner Level 5 | Ability to influence both technology and business decisions. | A dedicated and highly specialized ITFM team is trusted and valued by both IT and Business leaders.
|
Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to ensure any adherence to rules and regulations. | ITFM frameworks, guidelines, policies, and procedures are not developed nor documented. |
| Cost Operator Level 2 | Ability to ensure basic adherence to rules and regulations. | Basic ITFM frameworks, guidelines, policies, and procedures are in place, developed on an ad hoc basis, with no apparent coherence or complete documentation. |
| Trusted Coordinator Level 3 | Ability to ensure compliance to rules and regulations, as well as accountability across ITFM processes. | Essential ITFM frameworks, guidelines, policies, and procedures are in place, coherent, and documented, aiming to (a) comply with rules and regulations, and (b) provide clear accountability. |
| Value Optimizer Level 4 | Ability to ensure compliance to rules and regulations, as well as structure, transparency, and business alignment across ITFM processes. | ITFM frameworks, guidelines, policies, and procedures are well defined, coherent, documented, and regularly reviewed, aiming to (a) comply with rules and regulations, (b) provide clear accountability, and (c) maintain business alignment. |
| Strategic Partner Level 5 | Ability to:
| ITFM frameworks, guidelines, policies, and procedures are complete, well defined, coherent, documented, continuously reviewed, and improved, aiming to (a) comply with rules and regulations, (b) provide clear accountability, (c) maintain business alignment, and (d) facilitate the decision-making process.
|
Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to deliver IT financial planning and performance output. | ITFM processes and tools are not developed nor documented. |
| Cost Operator Level 2 | Ability to deliver basic IT financial planning output. | Basic ITFM processes and tools are in place, developed on an ad hoc basis, with no apparent coherence or complete documentation. |
| Trusted Coordinator Level 3 | Ability to deliver accurate IT financial output and basic IT performance output in a consistent cadence. | Essential ITFM processes and tools are in place, coherent, and documented, aiming to (a) maintain integrity across activities, tasks, methodologies, data, and reports; (b) deliver IT financial planning and performance output needed by stakeholders; and (c) provide clear accountability. ITFM tools and processes are adopted by the ITFM team and some IT business units but are not fully integrated. |
| Value Optimizer Level 4 | Ability to deliver accurate IT financial planning and performance output at the needed level of detail to stakeholders in a consistent cadence. | ITFM processes and tools are complete, well defined, coherent, documented, continuously reviewed, and improved, aiming to (a) maintain integrity across activities, tasks, methodologies, data, and reports; (b) deliver IT financial planning and performance output needed by stakeholders; (c) provide clear accountability; and (d) facilitate decision-making. ITFM tools and processes are adopted by IT and business partners but are not fully integrated. |
| Strategic Partner Level 5 | Ability to:
| ITFM processes and tools are complete, well defined, coherent, documented, continuously reviewed, and improved, aiming to (a) maintain integrity across activities, tasks, methodologies, data, and reports; (b) deliver IT financial planning and performance output needed by stakeholders; (c) provide clear accountability; and (d) facilitate decision making.
|
Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to provide transparency across technology spending. | ITFM taxonomy and data model are not developed nor documented. |
| Cost Operator Level 2 | Ability to provide transparency and support IT financial planning data, analysis, and reporting needs of finance stakeholders. | ITFM taxonomy and data model are in place, developed on an ad hoc basis, with no apparent coherence or complete documentation, to comply with, and meet the needs of finance stakeholders. |
| Trusted Coordinator Level 3 | Ability to provide transparency and support IT financial planning and performance data, analysis, and reporting needs of IT and finance stakeholders. | ITFM taxonomy and data model are in place, coherent, and documented to meet the needs of IT and finance stakeholders. |
| Value Optimizer Level 4 | Ability to provide transparency and support IT financial planning and performance data, analysis, and reporting needs of IT, finance, business, and executive stakeholders. | ITFM taxonomy and data model are complete, well defined, coherent, documented, continuously reviewed, and improved, aiming to provide (a) a holistic view of IT spending and IT performance, (b) visibility and transparency, (c) flexibility, and (d) valuable insights to facilitate data driven decision making.
|
| Strategic Partner Level 5 | Ability to:
| ITFM taxonomy and data model are complete, well defined, coherent, documented, continuously reviewed, and improved, aiming to provide (a) a holistic view of IT spending and IT performance, (b) visibility and transparency, (c) flexibility, and (d) valuable insights to facilitate data driven decision making.
|
Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to provide accurate and complete across technology spending. | ITFM data needs and requirements are not understood. |
| Cost Operator Level 2 | Ability to provide accurate, but incomplete IT financial planning data to meet the needs of finance stakeholders. | Technology spending data is extracted, transformed, and loaded on an ad hoc basis to meet the needs of finance stakeholders. |
| Trusted Coordinator Level 3 | Ability to provide accurate and complete IT financial planning data to meet the needs of IT and finance stakeholders, but IT performance data remain incomplete. | IT financial planning data is extracted, transformed, and loaded in a regular cadence to meet the needs of IT and finance stakeholders.
|
| Value Optimizer Level 4 | Ability to provide accurate and complete IT financial planning and performance data to meet the needs of IT, finance, business, and executive stakeholders. | ITFM data needs and requirements are understood.
|
| Strategic Partner Level 5 | Ability to provide accurate and complete IT financial planning and performance data real time and when needed by IT, finance, business, and executive stakeholders. | ITFM data needs and requirements are understood.
|
Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to provide any type of financial insight. | ITFM analysis and reports are not developed nor documented. |
| Cost Operator Level 2 | Ability to provide basic financial insights. | IT financial planning analysis is conducted on an ad hoc basis to meet the needs of finance stakeholders. |
| Trusted Coordinator Level 3 | Ability to provide basic financial planning and performance insights to meet the needs of IT and finance stakeholders. | IT financial planning and performance analysis are methodical and rigorous, as defined in related control documents (guideline, policies, procedures, etc.).
|
| Value Optimizer Level 4 | Ability to provide practical insights and useful recommendations as needed by IT, finance, business, and executive stakeholders to facilitate business decision making around technology investments. | ITFM analysis and reports support business decision making around technology investments.
|
| Strategic Partner Level 5 | Ability to provide practical insights and useful recommendations as needed by IT, finance, business, and executive stakeholders to facilitate strategic decision making. | ITFM analysis and reports support strategic decision making.
|
Maturity Level | Definition | Description |
| Nascent Level 1 | Inability of organization stakeholders to communicate and understand each other. | The organization stakeholders including IT, finance, business, and executives do not understand one another, and cannot speak the same language. |
| Cost Operator Level 2 | Ability to understand business and finance requirements. | IT understands and meets business and financial planning requirements but does not communicate in a similar language.
|
| Trusted Coordinator Level 3 | Ability to understand the needs of different stakeholders including IT, finance, business, and executives and take part in decision making around technology spending. | The organization stakeholders including IT, finance, business, and executives understand each other’s needs, but do not communicate in a common language.
|
| Value Optimizer Level 4 | Ability to communicate in a common vocabulary across the organization and take part in business decision making around technology investments. | The organization stakeholders including IT, finance, business, and executives communicate in a common vocabulary and understand one another.
|
| Strategic Partner Level 5 | Ability to communicate in a common vocabulary across the organization and take part in strategic decision making. | The organization stakeholders including IT, finance, business, and executives communicate in a common vocabulary and understand one another.
|
Maturity Level | Definition | Description |
| Nascent Level 1 | Inability of organization stakeholders to acquire knowledge. | Educational resources are inexistent. |
| Cost Operator Level 2 | Ability to acquire financial knowledge and understand financial concepts. | IT leaders have access to educational resources to gain the financial knowledge necessary to perform their duties. |
| Trusted Coordinator Level 3 | Ability to acquire financial and business knowledge and understand related concepts. | IT leaders and their respective teams have access to educational resources to gain the financial and business knowledge necessary to perform their duties.
|
| Value Optimizer Level 4 | Ability to acquire knowledge, across technology, business, and finance as needed by different organization stakeholders, and the leadership understand concepts across these various domains. | Stakeholders including IT, finance, business, and executives have access to various educational resources to gain knowledge in different domains as needed.
|
| Strategic Partner Level 5 | Ability to acquire knowledge, and understand concepts across technology, business, and finance as needed by different organization stakeholders. | The organization promotes continuous learning through well designed programs including training, mentorship, and academic courses. Thus, stakeholders including IT, finance, business, and executives have access to various educational resources to gain knowledge in different domains as needed.
|
Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to provide and foster an environment of collaboration and continuous improvement. | Stakeholders including IT, finance, business, and executives operate in silos, and collaboration between different teams is inexistent. |
| Cost Operator Level 2 | Ability to provide an environment of cooperation to meet the needs of IT, finance, and business leaders. | IT, finance, and business leaders cooperate to meet financial planning requirements as necessary to perform their duties. |
| Trusted Coordinator Level 3 | Ability to provide and foster an environment of collaboration across the organization. | IT, finance, and business collaborate on various initiatives. ITFM employees are trusted and supported by their stakeholders (IT, finance, and business). |
| Value Optimizer Level 4 | Ability to provide and foster an environment of collaboration and continuous improvement, where employees across the organization feel trusted, supported, empowered, and valued. | Stakeholders including IT, finance, business, and executives support and promote continuous improvement, transparency practices, and collaboration across the organization.
|
| Strategic Partner Level 5 | Ability to provide and foster an environment of collaboration and continuous improvement, where leaders are willing to change, and employees across the organization feel trusted, supported, empowered, and valued. | Stakeholders including IT, finance, business, and executives support and promote continuous improvement, transparency practices, and collaboration across the organization.
|
CIOs today face increasing pressures, disruptive emerging technologies, talent shortages, and a slew of other challenges. What are their top concerns, priorities, and technology bets that will define the future direction of IT?
CIO responses to our Future of IT 2024 survey reveal key insights on spending projects, the potential disruptions causing the most concern, plans for adopting emerging technology, and how firms are responding to generative AI.
Map your organization’s response to the external environment compared to CIOs across geographies and industries. Learn:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Take the pulse of the IT industry and see how CIOs are planning to approach 2024.
| Countries / Regions | Response % |
| United States | 47.18% |
| Canada | 11.86% |
| Australia | 9.60% |
| Africa | 6.50% |
| China | 0.28% |
| Germany | 1.13% |
| United Kingdom | 5.37% |
| India | 1.41% |
| Brazil | 1.98% |
| Mexico | 0.56% |
| Middle East | 4.80% |
| Asia | 0.28% |
| Other country in Europe | 4.52% |
n=354
Half of CIOs hold a C-level position, 10% are VP-level, and 20% are director level
38% of respondents are from an organization with above 1,000 employees
40% of CIOs report an annual budget of more than $10 million
A range of industries are represented, with 29% of respondents in the public sector or financial services
How likely is it that the following factors will disrupt your business in the next 12 months?
Looking ahead to 2024, how will your organization's IT spending change compared to spending in 2023?
Top five technologies for new spending planned in 2024:
Top five technologies for new spending planned after 2024:
n=301
Info-Tech Insight
Three in four CIOs say they have no plans to invest in quantum computing, more than any other technology with no spending plans.
Rate your business interest in adopting the following generative AI applications:
There is interest across all types of generative AI applications. CIOs are least interested in visual media generators, rating it just 2.4 out of 5 on average.
n=251
Info-Tech Insight
Examples of generative AI solutions specific to the legal industry include Litigate, CoCounsel, and Harvey.
Most popular use cases for AI by end of 2024:
Fastest growing uses cases for AI in 2024:
n=218
Info-Tech Insight
The least popular use case for AI is to help define business strategy, with 45% saying they have no plans for it.
Info-Tech Insight
Almost half of CIOs say ChatGPT has been a catalyst for their business to adopt new AI initiatives.
Which of the following best describes your organization's approach to third-party generative AI tools (such as ChatGPT or Midjourney)?
Info-Tech Insight
Business concerns over intellectual property and sensitive data exposure led OpenAI to announce ChatGPT won't use data submitted via its API for model training unless customers opt in to do so. ChatGPT users can also disable chat history to avoid having their data used for model training (OpenAI).
Among organizations that plan to invest in AI in 2024, 30% still say there are no steps in place for AI governance. The most popular steps to take are to publish clear explanations about how AI is used, and to conduct impact assessments (n=170).
Among all CIOs, including those that do not plan to invest in AI next year, 37% say no steps are being taken toward AI governance today (n=243).
If you haven't already contributed to our Future of IT online survey, we are keeping the survey open to continue to collect insights and inform our research reports and agenda planning process. You can take the survey today. Those that complete the survey will be sent a complimentary Tech Trends 2024 report.
If you are receiving this for completing the Future of IT online survey, thank you for your contribution. If you are interested in further participation and would like to provide a complementary interview, please get in touch at brian.Jackson@infotech.com. All interview subjects must also complete the online survey.
If you've already completed an interview, thank you very much, and you can look forward to seeing more impacts of your contribution in the near future.
A CIO focus for the Future of IT
Data in this report represents respondents to the Future of IT online survey conducted by Info-Tech Research Group between May 11 and July 7, 2023.
Only CIO respondents were selected for this report, defined as those who indicated they are the most senior member of their organization's IT department.
This data segment reflects 355 total responses with 239 completing every question on the survey.
Further data from the Future of IT online survey and the accompanying interview process will be featured in Info-Tech's Tech Trends 2024 report this fall and in forthcoming Priorities reports including Applications, Data & EA, CIO, Infrastructure, and Security.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand the stakeholder priorities driving changes in your application maintenance practice.
Identify the appropriate level of governance and enforcement to ensure accountability and quality standards are upheld across maintenance practices.
Build a maintenance triage and prioritization scheme that accommodates business and IT risks and urgencies.
Define and enforce quality standards in maintenance activities and build a high degree of transparency to readily address delivery challenges.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand the business and IT stakeholder priorities driving the success of your application maintenance practice.
Understand any current issues that are affecting your maintenance practice.
Awareness of business and IT priorities.
An understanding of the maturity of your maintenance practices and identification of issues to alleviate.
1.1 Define priorities for enhanced maintenance practices.
1.2 Conduct a current state assessment of your application maintenance practices.
List of business and technical priorities
List of the root-cause issues, constraints, and opportunities of current maintenance practice
Define the processes, roles, and points of communication across all maintenance activities.
An in-depth understanding of all maintenance activities and what they require to function effectively.
2.1 Modify your maintenance process.
2.2 Define your maintenance roles and responsibilities.
Application maintenance process flow
List of metrics to gauge success
Maintenance roles and responsibilities
Maintenance communication flow
Understand in greater detail the process and people involved in receiving and triaging a request.
Define your criteria for value, impact, and urgency, and understand how these fit into a prioritization scheme.
Understand backlog management and release planning tactics to accommodate maintenance.
An understanding of the stakeholders needed to assess and approve requests.
The criteria used to build a tailored prioritization scheme.
Tactics for efficient use of resources and ideal timing of the delivery of changes.
A process that ensures maintenance teams are always working on tasks that are valuable to the business.
3.1 Review your maintenance intake process.
3.2 Define a request prioritization scheme.
3.3 Create a set of practices to manage your backlog and release plans.
Understanding of the maintenance request intake process
Approach to assess the impact, urgency, and severity of requests for prioritization
List of backlog management grooming and release planning practices
Understand how to apply development best practices and quality standards to application maintenance.
Learn the methods for monitoring and visualizing maintenance work.
An understanding of quality standards and the scenarios for where they apply.
The tactics to monitor and visualize maintenance work.
Streamlined maintenance delivery process with best practices.
4.1 Define approach to monitor maintenance work.
4.2 Define application quality attributes.
4.3 Discuss best practices to enhance maintenance development and deployment.
Taskboard structure and rules
Definition of application quality attributes with user scenarios
List of best practices to streamline maintenance development and deployment
Create a target state built from appropriate metrics and attainable goals.
Consider the required items and steps for the implementation of your optimization initiatives.
A realistic target state for your optimized application maintenance practice.
A well-defined and structured roadmap for the implementation of your optimization initiatives.
5.1 Refine your target state maintenance practices.
5.2 Develop a roadmap to achieve your target state.
Finalized application maintenance process document
Roadmap of initiatives to achieve your target state
By signing an agreement with Gert Taeymans bvba, Client declares that he agrees with the Terms and Conditions referred to hereafter. Terms and conditions on Client's order form or any other similar document shall not be binding upon Gert Taeymans bvba.
The prices, quantities and delivery time stated in any quotation are not binding upon Gert Taeymans bvba. They are commercial estimates only which Gert Taeymans bvba will make reasonable efforts to achieve. Prices quoted in final offers will be valid only for 30 days. All prices are VAT excluded and do not cover expenses, unless otherwise agreed in writing. Gert Taeymans bvba reserves the right to increase a quoted fee in the event that Client requests a variation to the work agreed.
The delivery times stated in any quotation are of an indicative nature and not binding upon Gert Taeymans bvba, unless otherwise agreed in writing. Delivery times will be formulated in working days. In no event shall any delay in delivery be neither cause for cancellation of an order nor entitle Client to any damages.
Amendments or variations of the initial agreement between Client and Gert Taeymans bvba will only be valid when accepted by both parties in writing.
Any complaints concerning the performance of services must be addressed to Gert Taeymans bvba in writing and by registered mail within 7 working days of the date of the performance of the services.
In no event shall any complaint be just cause for non-payment or deferred payment of invoices. Any invoice and the services described therein will be deemed irrevocably accepted by Client if no official protest of non-payment has been sent by Client within 7 working days from the date of the mailing of the invoice.
Client shall pay all invoices of Gert Taeymans bvba within thirty (30) calendar days of the date of invoice unless otherwise agreed in writing by Gert Taeymans bvba. In the event of late payment, Gert Taeymans bvba may charge a monthly interest on the amount outstanding at the rate of two (2) percent with no prior notice of default being required, in which case each commenced month will count as a full month. Any late payment will entitle Gert Taeymans bvba to charge Client a fixed handling fee of 300 EUR. All costs related to the legal enforcement of the payment obligation, including lawyer fees, will be charged to Client.
In no event will Gert Taeymans bvba be liable for damages of any kind, including without limitation, direct, incidental or consequential damages (including, but not limited to, damages for lost profits, business interruption and loss of programs or information) arising out of the use of Gert Taeymans bvba services.
Gert Taeymans bvba collects personal data from Client for the performance of its services and the execution of its contracts. Such personal data can also be used for direct marketing, allowing Gert Taeymans bvba to inform Client of its activities on a regular basis. If Client objects to the employment of its personal data for direct marketing, Client must inform Gert Taeymans bvba on the following address: gert@gerttaeymans.consulting.
Client can consult, correct or amend its personal data by addressing such request to Gert Taeymans bvba by registered mail. Personal data shall in no event be sold, rented or made available to other firms or third parties where not needed for the execution of the contract. Gert Taeymans bvba reserves the right to update and amend its privacy policy from time to time to remain consistent with applicable privacy legislation.
The logo of the Client will be displayed on the Gert Taeymans bvba website, together with a short description of the project/services.
Any changes to Client’s contact information such as addresses, phone numbers or e-mail addresses must be communicated to Gert Taeymans bvba as soon as possible during the project.
Both parties shall maintain strict confidence and shall not disclose to any third party any information or material relating to the other or the other's business, which comes into that party's possession and shall not use such information and material. This provision shall not, however, apply to information or material, which is or becomes public knowledge other than by breach by a party of this clause.
Gert Taeymans bvba has the right at any time to change or modify these terms and conditions at any time without notice.
The agreement shall be exclusively governed by and construed in accordance with the laws of Belgium. The competent courts of Antwerp, Belgium will finally settle any dispute about the validity, the interpretation or the execution of this agreement.
These Terms and Conditions are the only terms and conditions applicable to both parties.
If any provision or provisions of these Terms and Conditions shall be held to be invalid, illegal or unenforceable, such provision shall be enforced to the fullest extent permitted by applicable law, and the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired thereby.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Set the expectations of your first RPA bot. Define the guiding principles, ethics, and delivery capabilities that will govern RPA delivery and support.
Validate the fit of your candidate business processes for RPA and ensure the support of your operational system. Shortlist the features of your desired RPA vendor. Modernize your delivery process to accommodate RPA.
Build a roadmap of initiatives to implement your first bot and build the foundations of your RPA practice.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
State the success criteria of your RPA adoption through defined objectives and metrics.
Define your RPA guiding principles and ethics.
Build the RPA capabilities that will support the delivery and management of your bots.
Grounded stakeholder expectations
RPA guiding principles
RPA capabilities and the key roles to support RPA delivery and management
1.1 State Your RPA Objectives.
1.2 Define Your RPA Principles
1.3 Develop Your RPA Capabilities
RPA objectives and metrics
RPA guiding principles and ethics
RPA and product ownership, RPA capabilities, RPA role definitions
Evaluate the fit of your candidate business processes for automation.
Define the operational platform to support your RPA solution.
Shortlist the desired RPA vendor features.
Optimize your product delivery process to support RPA.
Verifies the decision to implement RPA for the candidate business process
The system changes and modifications needed to support RPA
Prioritized list of RPA vendor features
Target state RPA delivery process
2.1 Prepare Your RPA Platform
2.2 Select Your RPA Vendor
2.3 Deliver and Manage Your Bots
Assessment of candidate business processes and supporting operational platform
List of desired RPA vendor features
Optimized delivery process
Build your roadmap to implement your first RPA bot and build the foundations of your RPA practice.
Implementation initiatives
RPA adoption roadmap
3.1 Roadmap Your RPA Adoption
RPA adoption roadmap
Today, we're talking about a concept that’s both incredibly simple and dangerously overlooked: the single point of failure, or SPOF for short.
Imagine you’ve built an impenetrable fortress. It has high walls, a deep moat, and strong gates. But the entire fortress can only be accessed through a single wooden bridge. That bridge is your single point of failure. If it collapses or is destroyed, your magnificent fortress is completely cut off. It doesn't matter how strong the rest of it is; that one weak link renders the entire system useless.
In your work, your team, and your processes and technology, these single bridges are everywhere. A SPOF is any part of a system that, if it stops working, will cause the entire system to shut down. It’s the one critical component, the one indispensable person, or the one vital process that everything else depends on.
When you identify and fix these weak points you aren't being pessimistic; you're fixing the very foundation of something that can withstand shocks and surprises. It’s about creating truly resilient systems and teams, not just seemingly strong ones. So, let’s explore where these risks hide and what you can do about them.
For those of you who know me, saying something like this feels at odds with who I am. And yet, it's one of the most common and riskiest areas in any organization. Human single points of failure don't happen because of malicious intent. They typically grow out of good intentions, hard work, and necessity. But the result is the same: a fragile system completely dependent on an individual.
We all know a colleague like this. The “hero” is the one person who has all the answers. When a critical system goes down at 3 AM, they're the only one who can fix it. They understand the labyrinthine codebase nobody else dares to touch. They have the historical context for every major decision made in the last decade. On the surface, this person is invaluable. Management loves them because they solve problems. The team relies on them because they’re a walking encyclopedia.
But here’s the inconvenient truth: your hero is your biggest liability.
This isn’t their fault. They likely became the hero by stepping up when no one else would or could. The hero may actually feel like they are the only ones qualified to handle the issue because “management” does not take the necessary actions to train other people. Or “management” places other priorities. Be aware, this is a perception thing. The manager is very likely to be very concerned about the well-being of their employee. (I'm taking "black companies", akin to black sites, out of the equation for a moment and concentrating on generally healthy workplaces.) The hero will likely feel a strong bond to their environment. Also, every hero is different. There is a single point of failure, but not a single type of person. Every person has a different driver.
I watched a YouTube video by a famous entrepreneur the other day. And she said something that triggered a response in me, because it sows the seeds of the hero. She said, Would you rather have an employee who just fixes it, handles it, and deals with it? Or an employee that talks about it? Obviously, the large majority will take the person behind door number 1. I would too. But then you need to step up as a manager, as an owner, as an executive, and enforce knowledge sharing.
If you channel all critical knowledge and capabilities through one person, if you let this person become your go-to specialist for everything, you've created a massive SPOF. What happens when your hero gets sick, takes a well deserved two week vacation to a place with no internet, or leaves the company for a new opportunity? The system grinds to a halt. A minor issue becomes a major crisis because the only person who can fix it is unavailable.
This overreliance doesn't just create a risk; it stifles growth. Other team members don't get the opportunity to learn and develop new skills because the hero is always there to swoop in and save the day. The answer? I guess that depends on your situation and what your ability is to keep this person happy without alienating the rest of the team. The answer may lie in the options discussed later in the article around KPIs.
A step beyond the individual hero is the team that acts as a collective SPOF. This is the team that “protects” its know how. They might use complex, undocumented tools, speak in a language of acronyms only they understand, or resist any attempts to standardize their processes. They've built a silo around their work, making themselves indispensable as a unit.
Unlike the hero, this often comes from a place of perceived self preservation. If they are the only ones who understand how something works, their jobs are secure, right? But this behavior is incredibly damaging to the organization's resilience. Not to mention that it is just plain wrong. The team becomes inundated with requests for new features, but also for help in solving incidents. The result in numerous instances is that the team succeeds in neither. Next the manager is called to the senior management because the business is complaining that things don't progress as expected.
This team thus has become a bottleneck. Any other team that needs to interact with their system is completely at their mercy. Progress slows to a crawl, dependent on their availability and willingness to cooperate. Preservation has turned into survival.
The real root cause at the heart of both the hero and the knowledge hoarding team is a failure of knowledge management. When information isn't shared, documented, and made accessible, you are actively choosing to create single points of failure. We'll dive deeper into building a robust knowledge sharing culture in a future article, but for now, recognize that knowledge kept in one person's or team's head is a disaster waiting to happen.
People aren't the only source of fragility. The way you build and manage your technology stacks can easily create critical SPOFs that leave you vulnerable. These are often less obvious at first, but they can cause dangerous failures when they finally break.
Let's start with the most straightforward technical SPOF: the single node setup. Imagine you have a critical application like maybe your company's main website or an internal database. If you run that entire application on one single server (a single “node”), you've created a classic SPOF.
It’s like a restaurant with only one chef. If that chef goes home, the kitchen closes. It doesn't matter how many waiters or tables you have. If that single server experiences a hardware failure, a software crash, or even just needs to be rebooted for an update, your entire service goes offline. There is no failover. The service is simply down until that one machine is fixed, patched or rebooted.
You need to set up your systems so that when one node goes down, the other takes over. This is not just something for large enterprises. SMEs must do the same. I've had numerous calls from business owners who did something to their web server or system and now “it doesn't work!” Not only are they down, now they have to call me and I then must arrange for subject matter experts to fix it immediately. Typically at a cost much larger than if they had set up their system with active, warm or even cold standbys.
Another major risk comes from an overreliance on closed, proprietary technologies. This happens when you build a core part of your business on a piece of software or hardware that you don't control and can't inspect. It’s a “black box.” You know what it’s supposed to do, but you have no idea how it does it, and you can’t fix it if it breaks. When something goes wrong, you are completely at the mercy of the company that created it. You have to submit a support ticket and wait.
This is actually relatable to the next chapter, please follow along and take the advice there.
Closely related to closed technology is the concept of vendor lock-in. This is a subtle but powerful SPOF. It happens when you become so deeply integrated with a single vendor's ecosystem that the cost and effort of switching to a competitor are impossibly high. Your vendor effectively becomes a strategic single point of failure. Your ability to innovate, control costs, and pivot your strategy is now tied to the decisions of another company.
This may even run afoul of legal standards. In Europe, we have the DORA and NIS2 regulations. DORA specifically mandates that companies have exit plans for their systems, starting with their critical and important functions. Functions refers to business services, to be clear.
But we get there so easily. The native functions of AWS, Azure and Google Cloud, just to name a few, are very enticing to use. They offer convenience, low code, and performance on tap. It's just that, once you integrate deeply with them, you are taken, hook, line, and sinker. And then you have people like me, or worse, your regulator, who demands “What is your exit plan?”
Identifying your single points of failure is the first step. The real work is in systematically eliminating them. This isn't about a single, massive project; it's about building new habits and principles into your daily work. Here's a playbook I think you can start using today.
The cure for depending on one person is to create a culture where knowledge is fluid and shared by default. Your goal is to move from individual heroics to collective resilience.
Mandate real vacations. This might sound strange, but one of the best ways to reveal and fix a “hero” problem is to make sure your hero takes a real, disconnected vacation. This isn't a punishment; it's a benefit to them and a necessary stress test for the team. It forces others to step up and document their processes in preparation. The first time will be painful, but it gets easier each time as the team builds its own knowledge.
Adopt the “teach, don't just do” rule. Coach your senior experts to see their role as multipliers. When someone asks them a question, their first instinct should be to show, not just to do. This can be a five minute screen sharing session, grabbing a colleague to pair program on a fix, or taking ten minutes to write down the answer in a shared knowledge base so it never has to be asked again.
Many companies have knowledge sharing solutions in place. Take a moment to actually use them. Prepare for when new people come into the company. Have a place where they can get into the groove and learn the heart beat of the company. There is a reason why the Madonna song is so captivating to so many people. Getting into the groove elevates you. And the same thing happens in your company.
Rotate responsibilities and run "game days". Actively move people around. Let a developer handle support tickets for a week to understand common customer issues. Have your infrastructure expert sit with the product team. Also, create “game days” where you simulate a crisis. For example: "Okay team, our lead developer is 'on vacation' today. Let's practice a full deployment without them.” This makes learning safe and proactive.
Celebrate team success, not individual firefighting. Shift your praise and recognition. Instead of publicly thanking a single person for working all night to resolve a problem, celebrate the team that built a system so resilient it didn't break in the first place. Reward the team that wrote excellent documentation that allowed a junior member to solve a complex issue. Culture follows what you celebrate. At the same time, if the team does not pony up, definitely praise the person and follow up with the team to fix this.
Host internal demos and tech talks. Create a regular, informal forum where people can share what they're working on. This could be a “brown bag lunch” session or a Friday afternoon demo. It demystifies what other teams are doing, breaks down silos, and encourages people to ask questions in a low pressure environment.
Remunerate sharing. Make sharing knowledge a bonus-eligible key performance indicator. The more sharing an expert does, with their peers acknowledging this, the more the expert earns. You can easily incorporate this into your peer feedback system.
Run DRP exercises without your top engineers: This is taking a leap of faith, and I would never recommend this until all of the above are in place and proven.
The core principle here is to assume failure will happen and to design for it. A resilient system isn't one where parts never fail, but one where the system as a whole keeps working even when they do.
Embrace the rule of three. This is a simple but powerful guideline. For critical data, aim to have three copies on two different types of media, with one copy stored off-site (or in a different cloud region). For critical services, aim for at least three instances running in different availability zones. This simple rule protects you from a wide range of common failures.
Automate everything you can. Every manual process is a potential SPOF. It relies on a person remembering a series of steps perfectly, often under pressure. Automate your testing, your deployments, your server setup, and your backup procedures. Scripts are consistent and repeatable; tired humans at 3 AM are not.
Use health checks and smart monitoring. It's not enough to have a backup server; you need to know that it's healthy and ready to take over. Implement automated health checks that constantly monitor your primary and redundant systems. Your monitoring should alert you the moment a backup component fails, not just when the primary one does.
Practice chaos engineering. Don't wait for a real failure to test your resilience. Intentionally introduce failures in a controlled environment. This is known as chaos engineering. Start small. What happens if you turn off a non-critical service during work hours? Does the system handle it gracefully? Does the team know how to respond? This turns a potential crisis into a planned, educational drill.
Your resilience also depends on the choices you make about the technology and partners you rely on. The goal is to maintain control over your destiny.
Build abstraction layers. Instead of having your application code talk directly to a specific vendor's service, create an intermediary layer that you control. This “abstraction layer” acts as a buffer. If you ever need to switch vendors, you only have to update your abstraction layer, not your entire application. It’s more work up front but gives you immense flexibility later.
Make “ease of exit” a key requirement. When you evaluate a new technology or vendor, make portability a primary concern. Ask tough questions: How do we get our data out? What is the process for migrating to a competitor? Is the technology based on open standards? Run a small proof of concept to test how hard it would be to leave before you commit fully.
Consider a multi-vendor strategy. For your most critical dependencies, like cloud hosting, avoid going all in on a single provider if you can. Using services from two or more vendors is an advanced strategy, but it provides the ultimate protection against a massive, platform wide outage or unfavorable changes in pricing or terms.
You will never be “ready.” Building resilience by eliminating single points of failure isn't a one time project you can check off a list. It’s a continuous process. New SPOFs will emerge as your systems evolve, people change roles, and your business grows.
The key is to make this thinking a part of your culture. Make “What's the bus factor for this project?” a regular question in your planning meetings. Make redundancy and documentation a non negotiable requirement for new systems. By constantly looking for the one thing that can bring everything down, you can build teams and technology that don't just survive shocks—they eat them for breakfast.
Exploring the enterprise collaboration marketspace is difficult. The difficulty in finding a suitable collaboration tool is that there are many ways to collaborate, with just as many tools to match.
Map your organizational goals to the administration features available in the Office 365 console. Your governance should reflect your requirements.
The result is a defined plan for controlling Office 365 by leveraging hard controls to align Microsoft’s toolset with your needs and creating acceptable use policies and communication plans to highlight the impact of the transition to Office 365 on the end-user population.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Develop a list of organizational goals that will enable you to leverage the Office 365 toolset to its fullest extent while also implementing sensible governance.
Use Info-Tech's toolset to build out controls for OneDrive, SharePoint, and Teams that align with your organizational goals as they relate to governance.
Communicate the results of your Office 365 governance program using Info-Tech's toolset.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Develop a plan to assess the capabilities of the Office 365 solution and select licensing for the product.
Office 365 capability assessment (right-size licensing)
Acceptable Use Policies
Mapped Office 365 controls
1.1 Review organizational goals.
1.2 Evaluate Office 365 capabilities.
1.3 Conduct the Office 365 capability assessment.
1.4 Define user groups.
1.5 Finalize licensing.
List of organizational goals
Targeted licensing decision
Leverage the Office 365 governance framework to develop and refined governance priorities.
Build a SharePoint acceptable use policy and define SharePoint controls.
Refined governance priorities
List of SharePoint controls
SharePoint acceptable use policy
2.1 Explore the Office 365 Framework.
2.2 Conduct governance priorities refinement exercise.
2.3 Populate the Office 365 control map (SharePoint).
2.4 Build acceptable use policy (SharePoint).
Refined governance priorities
SharePoint control map
Sharepoint acceptable use policy
Implement governance priorities for OneDrive and Teams.
Clearly defined acceptable use policies for OneDrive and Teams
List of OneDrive and Teams controls
3.1 Populate the Office 365 Control Map (OneDrive).
3.2 Build acceptable use policy (OneDrive).
3.3 Populate the Office 365 Control Map (Teams).
3.4 Build acceptable use policy (Teams).
OneDrive controls
OneDrive acceptable use policy
Teams controls
Teams acceptable use policy
Build a plan to communicate coming changes to the productivity environment.
Communication plan covering SharePoint, Teams, and OneDrive
4.1 Build SharePoint one pager.
4.2 Build OneDrive one pager.
4.3 Build Teams one pager.
4.4 Finalize communication plan.
SharePoint one pager
OneDrive one pager
Teams one pager
Overall finalized communication plan
Finalize deliverables and plan post-workshop communications.
Completed Office 365 governance plan
Finalized deliverables
5.1 Completed in-progress deliverables from previous four days.
5.2 Set up review time for workshop deliverables and to discuss next steps.
5.3 Validate governance with stakeholders.
Completed acceptable use policies
Completed control map
Completed communication plan
Completed licensing decision
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Build the foundations for the program to succeed.
Define processes for requesting, procuring, receiving, and deploying hardware.
Define processes and policies for managing, securing, and maintaining assets then disposing or redeploying them.
Plan the hardware budget, then build a communication plan and roadmap to implement the project.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Build the foundations for the program to succeed.
Evaluation of current challenges and maturity level
Defined scope for HAM program
Defined roles and responsibilities
Identified metrics and reporting requirements
1.1 Outline hardware asset management challenges.
1.2 Conduct HAM maturity assessment.
1.3 Classify hardware assets to define scope of the program.
1.4 Define responsibilities.
1.5 Use a RACI chart to determine roles.
1.6 Identify HAM metrics and reporting requirements.
HAM Maturity Assessment
Classified hardware assets
Job description templates
RACI Chart
Define processes for requesting, procuring, receiving, and deploying hardware.
Defined standard and non-standard requests for hardware
Documented procurement, receiving, and deployment processes
Standardized asset tagging method
2.1 Identify IT asset procurement challenges.
2.2 Define standard hardware requests.
2.3 Document standard hardware request procedure.
2.4 Build a non-standard hardware request form.
2.5 Make lease vs. buy decisions for hardware assets.
2.6 Document procurement workflow.
2.7 Select appropriate asset tagging method.
2.8 Design workflow for receiving and inventorying equipment.
2.9 Document the deployment workflow(s).
Non-standard hardware request form
Procurement workflow
Receiving and tagging workflow
Deployment workflow
Define processes and policies for managing, securing, and maintaining assets then disposing or redeploying them.
Policies and processes for hardware maintenance and asset security
Documented workflows for hardware disposal and recovery/redeployment
3.1 Build a MAC policy, request form, and workflow.
3.2 Design process and policies for hardware maintenance, warranty, and support documentation handling.
3.3 Revise or create an asset security policy.
3.4 Identify challenges with IT asset recovery and disposal and design hardware asset recovery and disposal workflows.
User move workflow
Asset security policy
Asset disposition policy, recovery and disposal workflows
Select tools, plan the hardware budget, then build a communication plan and roadmap to implement the project.
Shortlist of ITAM tools
Hardware asset budget plan
Communication plan and HAM implementation roadmap
4.1 Generate a shortlist of ITAM tools that will meet requirements.
4.2 Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget.
4.3 Build HAM policies.
4.4 Develop a communication plan.
4.5 Develop a HAM implementation roadmap.
HAM budget
Additional HAM policies
HAM communication plan
HAM roadmap tool
"Asset management is like exercise: everyone is aware of the benefits, but many struggle to get started because the process seems daunting. Others fail to recognize the integrative potential that asset management offers once an effective program has been implemented.
A proper hardware asset management (HAM) program will allow your organization to cut spending, eliminate wasteful hardware, and improve your organizational security. More data will lead to better business decision-making across the organization.
As your program matures and your data gathering and utility improves, other areas of your organization will experience similar improvements. The true value of asset management comes from improved IT services built upon the foundation of a proactive asset management program." - Sandi Conrad, Practice Lead, Infrastructure & Operations Info-Tech Research Group
Info-Tech Insight
Hardware asset management (HAM) provides a framework for managing equipment throughout its entire lifecycle. HAM is more than just keeping an inventory; it focuses on knowing where the product is, what costs are associated with it, and how to ensure auditable disposition according to best options and local environmental laws.
Implementing a HAM practice enables integration of data and enhancement of many other IT services such as financial reporting, service management, green IT, and data and asset security.
Cost savings and efficiency gains will vary based on the organization’s starting state and what measures are implemented, but most organizations who implement HAM benefit from it. As organizations increase in size, they will find the greatest gains operationally by becoming more efficient at handling assets and identifying costs associated with them.
A 2015 survey by HDI of 342 technical support professionals found that 92% say that HAM has helped their teams provide better support to customers on hardware-related issues. Seventy-seven percent have improved customer satisfaction through managing hardware assets. (HDI, 2015)
HAM cost savings aren’t necessarily realized through the procurement process or reduced purchase price of assets, but rather through the cost of managing the assets.
HAM delivers cost savings in several ways:
| Benefit | Calculation | Sample Annual Savings |
|---|---|---|
|
Reduced help desk support
|
# of hardware-related support tickets per year * cost per ticket * % reduction in average call length | 2,000 * $40 * 20% = $16,000 |
|
Greater inventory efficiency
|
Hours required to complete inventory * staff required * hourly pay rate for staff * number of times a year inventory required | 8 hours * 5 staff * $33 per hour * 2 times a year = $2,640 |
|
Improved employee productivity
|
# of employees * percentage of employees who encounter productivity loss through unauthorized software * number of hours per year spent using unauthorized software * average hourly pay rate | 500 employees * 10% * 156 hours * $18 = $140,400 |
|
Improved security
|
# of devices lost or stolen last year * average replacement value of device + # of devices stolen * value of data lost from device | (50 * $1,000) + (50 * $5,000) = $300,000 |
| Total Savings: | $459,040 | |
Organizations that struggle to implement ITAM successfully usually fall victim to these barriers:
Senior-level sponsorship, engagement, and communication is necessary to achieve the desired outcomes of ITAM; without it, ITAM implementations stall and fail or lack the necessary resources to deliver the value.
ITAM often becomes an added responsibility for resources who already have other full-time responsibilities, which can quickly cause the program to lose focus. Increase the chance of success through dedicated resources.
Many organizations buy a tool thinking it will do most of the work for them, but without supporting processes to define ITAM, the data within the tool can become unreliable.
Some organizations are able to track assets through manual discovery, but as their network and user base grows, this quickly becomes impossible. Choose a tool and build processes that will support the organization as it grows.
Often, organizations implement ITAM only to the extent necessary to achieve compliance for audits, but without investigating the underlying causes of non-compliance and thus not solving the real problems.
IT Asset Procurement:
IT Asset Intake and Deployment:
IT Asset Security and Maintenance:
IT Asset Disposal or Recovery:
| Phase 1: Assess & Plan | Phase 2: Procure & Receive | Phase 3: Maintain & Dispose | Phase 4: Plan Budget & Build Roadmap |
| 1.1 Assess current state & plan scope | 2.1 Request & procure | 3.1 Manage & maintain | 4.1 Plan budget |
| 1.2 Build team & define metrics | 2.2 Receive & deploy | 3.2 Redeploy or dispose | 4.2 Communicate & build roadmap |
| HAM Maturity Assessment | Procurement workflow | User move workflow | HAM Budgeting Tool |
| Classified hardware assets | Non-standard hardware request form | Asset security policy | HAM Communication Plan |
| RACI Chart | Receiving & tagging workflow | Asset disposition policy | HAM Roadmap Tool |
| Job Descriptions | Deployment workflow | Asset recovery & disposal workflows | Additional HAM policies |
Industry IT
Source Cisco Systems, Inc.
Cisco Systems, Inc.
Cisco Systems, Inc. is the largest networking company in the world. Headquartered in San Jose, California, the company employees over 70,000 people.
Asset Management
As is typical with technology companies, Cisco boasted a proactive work environment that encouraged individualism amongst employees. Unfortunately, this high degree of freedom combined with the rapid mobilization of PCs and other devices created numerous headaches for asset tracking. At its peak, spending on hardware alone exceeded $100 million per year.
Results
Through a comprehensive ITAM implementation, the new asset management program at Cisco has been a resounding success. While employees did have to adjust to new rules, the process as a whole has been streamlined and user-satisfaction levels have risen. Centralized purchasing and a smaller number of hardware platforms have allowed Cisco to cut its hardware spend in half, according to Mark Edmondson, manager of IT services expenses for Cisco Finance.
This case study continues in phase 1
HAM Standard Operating Procedures (SOP)
HAM Maturity Assessment
Non-Standard Hardware Request Form
HAM Visio Process Workflows
HAM Policy Templates
HAM Budgeting Tool
HAM Communication Plan
HAM Implementation Roadmap Tool
| GI | Measured Value |
|---|---|
| Phase 1: Lay Foundations |
|
| Phase 2: Procure & Receive |
|
| Phase 3: Maintain & Dispose |
|
| Phase 4: Plan Implementation |
|
| Total savings | $25,845 |
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| 1. Lay Foundations | 2. Procure & Receive | 3. Maintain & Dispose | 4. Budget & Implementation | |
|---|---|---|---|---|
| Best-Practice Toolkit |
1.1 Assess current state & plan scope 1.2 Build team & define metrics |
2.1 Request & procure 2.2 Receive & deploy |
3.1 Manage & maintain 3.2 Redeploy or dispose |
4.1 Plan budget 4.2 Communicate & build roadmap |
| Guided Implementation |
|
|
|
|
| Results & Outcomes |
|
|
|
|
Contact your account representative or email Workshops@InfoTech.comfor more information.
| Phases: | Teams, Scope & Hardware Procurement | Hardware Procurement and Receiving | Hardware Maintenance & Disposal | Budgets, Roadmap & Communications |
|---|---|---|---|---|
| Duration* | 1 day | 1 day | 1 day | 1 day |
| * Activities across phases may overlap to ensure a timely completion of the engagement | ||||
| Projected Activities |
|
|
|
|
| Projected Deliverables |
|
|
||
Industry IT
Source Cisco Systems, Inc.
Cisco Systems’ hardware spend was out of control. Peaking at $100 million per year, the technology giant needed to standardize procurement processes in its highly individualized work environment.
Users had a variety of demands related to hardware and network availability. As a result, data was spread out amongst multiple databases and was managed by different teams.
The IT team at Cisco set out to solve their hardware-spend problem using a phased project approach.
The first major step was to identify and use the data available within various departments and databases. The heavily siloed nature of these databases was a major roadblock for the asset management program.
This information had to be centralized, then consolidated and correlated into a meaningful format.
The centralized tracking system allowed a single point of contact (POC) for the entire lifecycle of a PC. This also created a centralized source of information about all the PC assets at the company.
This reduced the number of PCs that were unaccounted for, reducing the chance that Cisco IT would overspend based on its hardware needs.
There were still a few limitations to address following the first step in the project, which will be described in more detail further on in this blueprint.
This case study continues in phase 2
1.1 Assess current state & plan scope
1.2 Build team & define metrics
1.1.1 Complete MGD (optional)
1.1.2 Outline hardware asset management challenges
1.1.3 Conduct HAM maturity assessment
1.1.4 Classify hardware assets to define scope of the program
1.1.1 Optional Diagnostic
The MGD allows you to understand the landscape of all IT processes, including asset management. Evaluate all team members’ perceptions of each process’ importance and effectiveness.
Use the results to understand the urgency to change asset management and its relevant impact on the organization.
Establish process owners and hold team members accountable for process improvement initiatives to ensure successful implementation and realize the benefits from more effective processes.
To book a diagnostic, or get a copy of our questions to inform your own survey, visit Info-Tech’s Benchmarking Tools, contact your account manager, or call toll-free 1-888-670-8889 (US) or 1-844-618-3192 (CAN).
Processes and Policies:
Tracking:
Security and Risk:
Procurement:
Receiving:
Disposal:
Contracts:
1.1.1 Brainstorm HAM challenges
A. As a group, outline the hardware asset management challenges facing the organization.
Use the previous slide to help you get started. You can use the following headings as a guide or think of your own:
B. If you get stuck, use the Hardware Asset Management Maturity Assessment Tool to get a quick view of your challenges and maturity targets and kick-start the conversation.
| Drivers of effective HAM | Results of effective HAM | |
|---|---|---|
| Contracts and vendor licensing programs are complex and challenging to administer without data related to assets and their environment. | → | Improved access to accurate data on contracts, licensing, warranties, installed hardware and software for new contracts, renewals, and audit requests. |
| Increased need to meet compliance requires a formal approach to tracking and managing assets, regardless of device type. | → | Encryption, hardware tracking and discovery, software application controls, and change notifications all contribute to better asset controls and data security. |
| Cost cutting is on the agenda, and management is looking to reduce overall IT spend in the organization in any possible way. | → | Reduction of hardware spend by as much as 5% of the total budget through data for better forecasting and planning. |
| Assets with sensitive data are not properly secured, go missing, or are not safely disposed of when retired. | → | Document and enforce security policies for end users and IT staff to ensure sensitive data is properly secured, preventing costs much larger than the cost of only the device. |
| Maturity | People & Policies | Processes | Technology |
|---|---|---|---|
| Chaos |
|
|
|
| Reactive |
|
|
|
| Controlled |
|
|
|
| Proactive |
|
|
|
| Optimized |
|
|
|
1.1.3 Complete HAM Maturity Assessment Tool
Complete the Hardware Asset Management Maturity Assessment Tool to understand your organization’s overall maturity level in HAM, as well as the starting maturity level aligned with each step of the blueprint, in order to identify areas of strength and weakness to plan the project. Use this to track progress on the project.
The hardware present in your organization can be classified into four categories of ascending strategic complexity: commodity, inventory, asset, and configuration.
Commodity items are devices that are low-cost, low-risk items, where tracking is difficult and of low value.
Inventory is tracked primarily to identify location and original expense, which may be depreciated by Finance. Typically there will not be data on these devices and they’ll be replaced as they lose functionality.
Assets will need the full lifecycle managed. They are identified by cost and risk. Often there is data on these devices and they are typically replaced proactively before they become unstable.
Configuration items will generally be tracked in a configuration management database (CMDB) for the purpose of enabling the support teams to make decisions involving dependencies, configurations, and impact analysis. Some data will be duplicated between systems, but should be synchronized to improve accuracy between systems.
See Harness Configuration Management Superpowers to learn more about building a CMDB.
ASSET - Items of high importance and may contain data, such as PCs, mobile devices, and servers.
INVENTORY - Items that require significant financial investment but no tracking beyond its existence, such as a projector.
COMMODITY - Items that are often in use but are of relatively low cost, such as keyboards or mice.
1.1.4 Define the assets to be tracked within your organization
Document in the Standard Operating Procedures, Section 1 – Overview & Scope
Industry Public Administration
Source Client Case Study
A state government designed a process to track hardware worth more than $1,000. Initially, most assets consisted of end-user computing devices.
The manual tracking process, which relied on a series of Excel documents, worked well enough to track the lifecycle of desktop and laptop assets.
However, two changes upended the organization’s program: the cost of end-user computing devices dropped dramatically and the demand for network services led to the proliferation of expensive equipment all over the state.
The existing program was no longer robust enough to meet business requirements. Networking equipment was not only more expensive than end-user computing devices, but also more critical to IT services.
What was needed was a streamlined process for procuring high-cost, high-utility equipment, tracking their location, and managing their lifecycle costs without compromising services.
The organization decided to formalize, document, and automate hardware asset management processes to meet the new challenges and focus efforts on high-cost, high-utility end-user computing devices only.
Phase 1: Assess & Plan
1.1 Assess current state & plan scope
1.2 Build team and define metrics
1.2.1 Define responsibilities for Asset Manager and Asset Administrator
1.2.2 Use a RACI chart to determine roles within HAM team
1.2.3 Further clarify HAM responsibilities for each role
1.2.4 Identify HAM reporting requirements
Asset management is an organizational change. To gain buy-in for the new processes and workflows that will be put in place, a dedicated, passionate team needs to jump-start the project.
Delegate the following roles to team members and grow your team accordingly.
|
Asset Manager |
|
|---|---|
|
Asset Administrator |
|
| Service Desk, IT Operations, Applications |
|
Info-Tech Insight
Ensure that there is diversity within the ITAM team. Assets for many organizations are diverse and the composition of your team should reflect that. Have multiple departments and experience levels represented to ensure a balanced view of the current situation.
1.2.1 Use Info-Tech’s job description templates to define roles
The role of the IT Asset Manager is to oversee the daily and long-term strategic management of software and technology- related hardware within the organization. This includes:
The role of the IT Asset Administrator is to actively manage hardware and software assets within the organization. This includes:
Use Info-Tech’s job description templates to assist in defining the responsibilities for these roles.
Typically the asset manager will answer to either the CFO or CIO. Occasionally they answer to a vendor manager executive. The hierarchy may vary based on experience and how strategic a role the asset manager will play.
1.2.2 Complete a RACI
A RACI chart will identify who should be responsible, accountable, consulted, and informed for each key activity during the consolidation.
Document in the Standard Operating Procedure.
A sample RACI chart is provided on the next slide
1.2.2 Complete a RACI chart for your organization
| HAM Tasks | CIO | CFO | HAM Manager | HAM Administrator | Service Desk (T1,T2, T3) | IT Operations | Security | Procurement | HR | Business Unit Leaders | Compliance /Legal | Project Manager |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Policies and governance | A | I | R | I | I | C | I | C | C | I | I | |
| Strategy | A | R | R | R | R | |||||||
| Data entry and quality management | C | I | A | I | C | C | I | I | C | C | ||
| Risk management and asset security | A | R | C | C | R | C | C | |||||
| Process compliance auditing | A | R | I | I | I | I | I | |||||
| Awareness, education, and training | I | A | I | I | C | |||||||
| Printer contracts | C | A | C | C | C | R | C | C | ||||
| Hardware contract management | A | I | R | R | I | I | R | R | I | I | ||
| Workflow review and revisions | I | A | C | C | C | C | ||||||
| Budgeting | A | R | C | I | C | |||||||
| Asset acquisition | A | R | C | C | C | C | I | C | C | |||
| Asset receiving (inspection/acceptance) | I | A | R | R | I | |||||||
| Asset deployment | A | R | R | I | I | |||||||
| Asset recovery/harvesting | A | R | R | I | I | |||||||
| Asset disposal | C | A | R | R | I | I | ||||||
| Asset inventory (input/validate/maintain) | I | I | A/R | R | R | R | I | I | I |
1.2.3 Define roles and responsibilities for the HAM team
| Role | Responsibility |
|---|---|
| IT Manager |
|
| Asset Managers |
|
| Service Desk | |
| Desktop team | |
| Security | |
| Infrastructure teams |
Follow a process for establishing metrics:
| CSF | KPI | Metrics |
|---|---|---|
| Improve accuracy of IT budget and forecasting |
|
|
| Identify discrepancies in IT environment |
|
|
| Avoid over purchasing equipment |
|
|
| Make more-effective purchasing decisions |
|
|
| Improve accuracy of data |
|
|
| Improved service delivery |
|
|
1.2.4 Identify asset reporting requirements
Document in the Standard Operating Procedures, Section 13: Reporting
| CSF | KPI | Metrics | Stakeholder/frequency |
|---|---|---|---|
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 4 weeks
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
HAM Maturity Assessment
Standard Operating Procedures
Review findings with analyst:
Then complete these activities…
With these tools & templates:
RACI Chart
Asset Manager and Asset Administrator Job Descriptions
Standard Operating Procedures
Phase 1 Results & Insights:
For asset management to succeed, it needs to support the business. Engage business leaders to determine needs and build your HAM program around these goals.
1.1.4 Classify hardware assets to define scope of the program
Determine value/risk threshold at which assets should be tracked, then divide a whiteboard into four quadrants representing four categories of assets. Participants write assets down on sticky notes and place them in the appropriate quadrant to classify assets.
1.2.2 Build a RACI chart to determine responsibilities
Identify all roles within the organization that will play a part in hardware asset management, then document all core HAM processes and tasks. For each task, assign each role to be responsible, accountable, consulted, or informed.
2.1 Request & Procure
2.2 Receive & Deploy
2.1.1 Identify IT asset procurement challenges
2.1.2 Define standard hardware requests
2.1.3 Document standard hardware request procedure
2.1.4 Build a non-standard hardware request form
2.1.5 Make lease vs. buy decisions for hardware assets
2.1.6 Document procurement workflow
2.1.7 Build a purchasing policy
Industry Government
Source Itassetmanagement.net
Signed July 27, 2004, Executive order S-20-04, the “Green Building Initiative,” placed strict regulations on energy consumption, greenhouse gas emissions, and raw material usage and waste.
In compliance with S-20-04, the State of California needed to adopt a new procurement strategy. Its IT department was one of the worst offenders given the intensive energy usage by the variety of assets managed under the IT umbrella.
A green IT initiative was enacted, which involved an extensive hardware refresh based on a combination of agent-less discovery data and market data (device age, expiry dates, power consumption, etc.).
A hardware refresh of almost a quarter-million PCs, 9,500 servers, and 100 email systems was rolled out as a result.
Other changes, including improved software license compliance and data center consolidation, were also enacted.
Because of the scale of this hardware refresh, the small changes meant big savings.
A reduction in power consumption equated to savings of over $40 million per year in electricity costs. Additionally, annual carbon emissions were trimmed by 200,000 tons.
Standardize processes: Using standard products throughout the enterprise lowers support costs by reducing the variety of parts that must be stocked for onsite repairs or for provisioning and supporting equipment.
Align procurement processes: Procurement processes must be aligned with customers’ business requirements, which can have unique needs.
Define SLAs: Providing accurate and timely performance metrics for all service activities allows infrastructure management based on fact rather than supposition.
Reduce TCO: Management recognizes service infrastructure activities as actual cost drivers.
Implement a single POC: A consolidated service desk is used where the contact understands both standards (products, processes, and practices) and the user’s business and technical environment.
2.1.1 Identify IT asset procurement challenges
The first step in your procurement workflow will be to determine what is in scope for a standard request, and how non-standard requests will be handled. Questions that should be answered by this procedure include:
If your end-user device strategy requires an overhaul, schedule time with an Info-Tech analyst to review our blueprint Build an End-User Computing Strategy.
Once you’ve answered questions like these, you can outline your hardware standards as in the example below:
| Use Case | Mobile Standard | Mac Standard | Mobile Power User |
|---|---|---|---|
| Asset | Lenovo ThinkPad T570 | iMac Pro | Lenovo ThinkPad P71 |
| Operating system | Windows 10 Pro | Mac OSX | Windows 10 Pro, 64 bit |
| Display | 15.6" | 21.5" | 17.3” |
|
Memory |
32GB | 8GB | 64GB |
| Processor | Intel i7 – 7600U Processor | 2.3GHz | Xeon E3 v6 Processor |
| Drive | 500GB | 1TB | 1TB |
| Warranty | 3 year | 1 year + 2 extended | 3 year |
Info-Tech Insight
Approach hardware standards from a continual improvement frame of mind. Asset management is a dynamic process. Hardware standards will need to adapt over time to match the needs of the business. Plan assessments at routine intervals to ensure your current hardware standards align with business needs.
Determine environmental requirements and constraints.
Power management
Compare equipment for power consumption and ability to remotely power down machines when not in use.
Heat and noise
Test equipment run to see how hot the device gets, where the heat is expelled, and how much noise is generated. This may be particularly important for users who are working in close quarters.
Carbon footprint
Ask what the manufacturer is doing to reduce post-consumer waste and eliminate hazardous materials and chemicals from their products.
Ensure security requirements can be met.
Review features available to enhance manageability.
"If you are looking for a product for two or three years, you can get it for less than half the price of new. I bought refurbished equipment for my call center for years and never had a problem". – Glen Collins, President, Applied Sales Group
Info-Tech Insight
Price differences are minimal between large and small vendors when dealing with refurbished machines. The decision to purchase should be based on ability to provide and service equipment.
2.1.2 Identify standards for hardware procurement by role
Document in the Standard Operating Procedures, Section 7: Procurement.
| Department | Core Hardware Assets | Optional Hardware Assets |
|---|---|---|
| IT | PC, tablet, monitor | Second monitor |
| Sales | PC, monitor | Laptop |
| HR | PC, monitor | Laptop |
| Marketing | PC (iMac) | Tablet, laptop |
2.1.3 Document standard hardware request procedure
Document in the Standard Operating Procedures, Section 6: End-User Request Process.
Discuss and document the end-user request process:
End-User Request Process
2.1.4 Build a non-standard hardware request form
Info-Tech Insight
Include non-standard requests in continual improvement assessment. If a large portion of requests are for non-standard equipment, it’s possible the hardware doesn’t meet the recommended requirements for specialized software in use with many of your business users. Determine if new standards need to be set for all users or just “power users.”
| Categories | Peripherals | Desktops/Laptops | Servers |
|---|---|---|---|
| Financial |
|
|
|
| Request authorization |
|
|
|
| Required approvals |
|
|
|
| Warranty requirements |
|
|
|
| Inventory requirements |
|
|
|
| Tracking requirements |
|
|
|
Info-Tech Best Practice
Take into account the possibility of encountering taxation issues based on where the equipment is being delivered as well as taxes imposed or incurred in the location from which the asset was shipped or sent. This may impact purchasing decisions and shipping instructions.
Improve procurement decisions:
Document the following in your procurement procedure:
Info-Tech Insight
IT procurement teams are often heavily siloed from ITAM teams. The procurement team is typically found in the finance department. One way to bridge the gap is to implement routine, reliable reporting between departments.
2.1.4 Decide whether to purchase or lease
Document policy decisions in the Standard Operating Procedures – Section 7: Procurement
Determine acceptable response time, and weigh the cost of warranty against the value of service.
Speak to your partner to see how they can help the process of distributing machines.
Transaction-based purchases will receive the smallest discounting.
Bulk purchases will receive more aggressive discounting of 5-15% off suggested retail price, depending on quantities.
Larger quantities rolled out over time will require commitments to the manufacturer to obtain deepest discounts.
New or upgraded components will be introduced into configurations when it makes the most sense in a production cycle. This creates a challenge in comparing products, especially in an RFP. The best way to handle this is to:
"The hardware is the least important part of the equation. What is important is the warranty, delivery, imaging, asset tagging, and if they cannot deliver all these aspects the hardware doesn’t matter." – Doug Stevens, Assistant Manager Contract Services, Toronto District School Board
The procurement process should balance the need to negotiate appropriate pricing with the need to quickly approve and fulfill requests. The process should include steps to follow for approving, ordering, and tracking equipment until it is ready for receipt.
Within the process, it is particularly important to decide if this is where equipment is added into the database or if it will happen upon receipt.
Info-Tech Insight
Where the Hardware Asset Manager is unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand. Projects, replacements, and new-user requests cannot be delayed in a service-focused IT organization due to bureaucratic processes.
Determine if you need one workflow for all equipment or multiples for small vs. large purchases.
Occasionally large rollouts require significant changes from lower dollar purchases.
This sample can be found in the HAM Process Workflows.
2.1.6 Illustrate procurement workflow with a tabletop exercise
Document in the Standard Operating Procedures, Section 7: Procurement
2.1.7 Build a purchasing policy
A purchasing policy helps to establish company standards, guidelines, and procedures for the purchase of all information technology hardware, software, and computer-related components as well as the purchase of all technical services.
The policy will ensure that all purchasing processes are consistent and in alignment with company strategy. The purchasing policy is key to ensuring that corporate purchases are effective and the best value for money is obtained.
Implement a purchasing policy to prevent or reduce:
Download Info-Tech’s Purchasing Policytemplate to build your own purchasing policy.
2.1 Request & Procure
2.2 Receive & Deploy
This step will walk you through the following activities:
2.2.1 Select appropriate asset tagging method
2.2.2 Design workflow for receiving and inventorying equipment
2.2.3 Document the deployment workflow(s)
This step involves the following participants:
Industry Networking
Source Cisco IT
Although Cisco Systems had implemented a centralized procurement location for all PCs used in the company, inventory tracking had yet to be addressed.
Inventory tracking was still a manual process. Given the volume of PCs that are purchased each year, this is an incredibly labor-intensive process.
Sharing information with management and end users also required the generation of reports – another manual task.
The team at Cisco recognized that automation was the key component holding back the success of the inventory management program.
Rolling out an automated process across multiple offices and groups, both nationally and internationally, was deemed too difficult to accomplish in the short amount of time needed, so Cisco elected to outsource its PC management needs to an experienced vendor.
As a result of the PC management vendor’s industry experience, the implementation of automated tracking and management functions drastically improved the inventory management situation at Cisco.
The vendor helped determine an ideal leasing set life of 30 months for PCs, while also managing installations, maintenance, and returns.
Even though automation helped improve inventory and deployment practices, Cisco still needed to address another key facet of asset management: security.
This case study continues in phase 3.
Examine your current process for receiving assets. Typical problems include:
Receiving inventory at multiple locations can lead to inconsistent processes. This can make invoice reconciliation challenging and result in untracked or lost equipment and delays in deployment.
Equipment not received and secured quickly. Idle equipment tends to go missing if left unsupervised for too long. Missed opportunities to manage returns where equipment is incorrect or defective.
Disconnect between procurement and receiving where ETAs are unknown or incorrect. This can create an issue where no one is prepared for equipment arrival and is especially problematic on large orders.
How do you solve these problems? Create a standardized workflow that outlines clear steps for asset receiving.
A workflow will help to answer questions such as:
The first step in effective hardware asset intake is establishing proper procedures for receiving and handling of assets.
Process: Start with information from the procurement process to determine what steps need to follow to receive into appropriate systems and what processes will enable tagging to happen as soon as possible.
People: Ensure anyone who may impact this process is aware of the importance of documenting before deployment. Having everyone who may be handling equipment on board is key to success.
Security: Equipment will be secured at the loading dock or reception. It will need to be secured as inventory and be secured if delivering directly to the bench for imaging. Ensure all receiving activities are done before equipment is deployed.
Tools: A centralized ERP system may already provide a place to receive and reconcile with purchasing and invoicing, but there may still be a need to receive directly into the ITAM and/or CMDB database rather than importing directly from the ERP system.
Tagging: A variety of methods can be used to tag equipment to assist with inventory. Consider the overall lifecycle management when determining which tagging methods are best.
Info-Tech Insight
Decentralized receiving doesn’t have to mean multiple processes. Take advantage of enterprise solutions that will centralize the data and ensure everyone follows the same processes unless there is an uncompromising and compelling logistical reason to deviate.
| Method | Cost | Strengths | Weaknesses | Recommendation |
|---|---|---|---|---|
| RFID with barcoding – asset tag with both a barcode and RFID solution | $$$$ |
|
|
|
| RFID only – small chip with significant data capacity | $$$ |
|
|
|
| Barcoding only – adding tags with unique barcodes | $$ |
|
|
|
| Method | Cost | Strengths | Weaknesses | Recommendation |
|---|---|---|---|---|
| QR codes – two-dimensional codes that can store text, binary, image, or URL data | $$ |
|
|
|
| Manual tags – tag each asset with your own internal labels and naming system | $ |
|
|
|
| Asset serial numbers – tag assets using their serial number | $ |
|
|
|
2.2.1 Select asset tagging method
Document in the Standard Operating Procedures, Section 8
| Asset Type | Asset Tag Location |
|---|---|
| PC desktop | Right upper front corner |
| Laptop | Right corner closest to user when laptop is closed |
| Server | Right upper front corner |
| Printer | Right upper front corner |
| Modems | Top side, right corner |
Assign responsibility and accountability for inspection and acceptance of equipment, verifying the following:
The return merchandise authorization (RMA) process should be a standard part of the receiving process to handle the return of defective materials to the vendor for either repair or replacement.
If there is a standard process in place for all returns in the organization, you can follow the same process for returning hardware equipment:
Info-Tech Insight
Make sure you’re well aware of the stipulations in your contract or purchase order. Sometimes acceptance is assumed after 60 days or less, and oftentimes the clock starts as soon as the equipment is shipped out rather than when it is received.
Info-Tech Best Practice
Keep in mind that the serial number on the received assed may not be the asset that ultimately ends up on the user’s desk if the RMA process is initiated. Record the serial number after the RMA process or add a correction process to the workflow to ensure the asset is properly accounted for.
A common technique employed by asset managers is to categorize your assets using an ABC analysis. Assets are classified as either A, B, or C items. The ratings are based on the following criteria:
A
A items have the highest usage. Typically, 10-20% of total assets in your inventory account for upwards of 70-80% of the total asset requests.
A items should be tightly controlled with secure storage areas and policies. Avoiding stock depletion is a top priority.
B
B items are assets that have a moderate usage level, with around 30% of total assets accounting for 15-25% of total requests.
B items must be monitored; B items can transition to A or C items, especially during cycles of heavier business activity.
C
C items are assets that have the lowest usage, with upwards of 50% of your total inventory accounting for just 5% of total asset requests.
C items are reordered the least frequently, and present a low demand and high risk for excessive inventory (especially if they have a short lifecycle). Many organizations look to move towards an on-demand policy to mitigate risk.
Info-Tech Insight
Get your vendor to keep stock of your assets. If large quantities of a certain asset are required but you lack the space to securely store them onsite, ask your vendor to keep stock for you and release as you issue purchase orders. This speeds up delivery and delays warranty activation until the item is shipped. This does require an adherence to equipment standards and understanding of demand to be effective.
Define the following in your receiving process:
2.2.2 Illustrate receiving workflow with a tabletop exercise
Document in the Standard Operating Procedures, Section 8: Receiving and Equipment Inventory
Option 1: Whiteboard
Option 2: Tabletop Exercise
A software usage snapshot for an urban planner/engineer.
Define the process for deploying hardware to users.
Include the following in your workflow:
Large-scale desktop deployments or data center upgrades will likely be managed as projects.
These projects should include project plans, including resources, timelines, and detailed procedures.
Define the process for large-scale deployment if it will differ from the regular deployment process.
2.2.3 Document deployment workflows for desktop and large-scale deployment
Document in the Standard Operating Procedures, Section 9: Deployment
Document each step in the system deployment process with notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.
The biggest challenge in deploying equipment is meeting expectations of the business, and without cooperation from multiple departments, this becomes significantly more difficult.
Self-serve kiosks (vending machines) can provide cost reductions in delivery of up to 25%. Organizations that have a high distribution rate are seeing reductions in cost of peripherals averaging 30-35% and a few extreme cases of closer to 85%.
Benefits of using vending machines:
Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 4 weeks
Step 2.1: Request & Procure
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
Step 2.2: Receive & Deploy
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Phase 2 Insight: Bridge the gap between IT and Finance to build a smoother request and procurement process through communication and routine reporting. If you’re unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand.
2.1.2 Define standard hardware requests
Divide whiteboard into columns representing core business areas. Define core hardware assets for end users in each division along with optional hardware assets. Discuss optional assets to narrow and define standard equipment requests.
2.2.1 Select appropriate method for tagging and tracking assets
Discuss the various asset tagging methods and choose the tagging method that is most appropriate for your organization. Define the process for tagging assets and document the standard asset tag location according to equipment type.
Industry Networking
Source Cisco IT
Cisco Systems had created a dynamic work environment that prized individuality. This environment created high employee satisfaction, but it also created a great deal of risk surrounding device security.
Cisco lacked an asset security policy; there were no standards for employees to follow. This created a surplus of not only hardware, but software to support the variety of needs amongst various teams at Cisco.
The ITAM team at Cisco recognized that their largest problem was the lack of standardization with respect to PCs. Variance in cost, lifecycle, and software needs/compatibility were primary issues.
Cisco introduced a PC leasing program with the help of a PC asset management vendor to correct these issues. The primary goal was to increase on-time returns of PCs. A set life of 30 months was defined by the vendor.
Cisco engaged employees to help contribute to improving its asset management protocols, and the approach worked.
On-time returns increased from 60% to 80%. Costs were reduced due to active tracking and disposal of any owned assets still present.
A reduction in hardware and software platforms has cut costs and increased security thanks to improved tracking capabilities.
This case study continues in phase 4
3.1 Manage & Maintain
3.2 Dispose or Redeploy
3.1.1 Build a MAC policy and request form
3.1.2 Build workflows to document user MAC processes
3.1.3 Design process and policies for hardware maintenance, warranty, and support documentation handling
3.1.4 Revise or create an asset security policy
Info-Tech Insight
One of the most common mistakes we see when it comes to asset management is to assume that the discovery tool will discovery most or all of your inventory and do all the work. It is better to assume only 80-90% coverage by the discovery tool and build ownership records to uncover the unreportable assets that are not tied into the network.
Conduct an annual hardware audit to ensure hardware is still assigned to the person and location identified in your ITAM system, and assess its condition.
Perform a quarterly review of hardware stock levels in order to ensure all equipment is relevant and usable. The table below is an example of how to organize this information.
| Item | Target Stock Levels | Estimated $ Value |
|---|---|---|
| Desktop computers | ||
| Standard issue laptops | ||
| Mice | ||
| Keyboards | ||
| Network cables | ||
| Phones |
Info-Tech Insight
Don’t forget about your remotely deployed assets. Think about how you plan to inventory remotely deployed equipment. Some tools will allow data collection through an agent that will talk to the server over the internet, and some will completely ignore those assets or provide a way to manually collect the data and email back to the asset manager. Mobile device management tools may also help with this inventory process. Determine what is most appropriate based on the volume of remote workers and devices.
IMAC services are usually performed at a user’s deskside by a services technician and can include:
Specific activities may include:
Changes
Moves
Installs and Adds
Recommendations:
Automate. Wherever possible, use tools to automate the IMAC process.
E-forms, help desk, ticketing, or change management software can automate the request workflow by allowing the requestor to submit a request ticket that can then be automatically assigned to a designated team member according to the established chain of command. As work is completed, the ticket can be updated, and the requestor will be able to check the status of the work at any time.
Communicate the length of any downtime associated with execution of the IMAC request to lessen the frustration and impatience among users.
Involve HR. When it comes to adding or removing user accounts, HR can be a valuable resource. As most new employees should be hired through HR, work with them to improve the onboarding process with enough advanced notice to set up accounts and equipment. Role changes with access rights and software modifications can benefit from improved communications. Review the termination process as well, to secure data and equipment.
A consistent Move, Add, Change (MAC) request process is essential for lessening the burden on the IT department. MAC requests are used to address any number of tasks, including:
If you are not using help desk or other ticketing software, create a request template that must be submitted for each MAC. The request should include:
3.1.1 Build a MAC policy and request form
Desktop Move/Add/Change Policy
This desktop move/add/change policy should be put in place to mitigate the risk associated with unauthorized changes, minimize disruption to the business, IT department, and end users, and maintain consistent expectations.
Move, Add, Change Request Form
Help end users navigate the move/add/change process. Use the Move/Add/Change Request Form to increase efficiency and organization for MAC requests.
Include the following in your process documentation:
3.1.2 Build MAC process workflows
Document in the Standard Operating Procedures, Section 10: Equipment Install, Adds, Moves, and Changes
Document each step in the system deployment process using notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.
Sample equipment maintenance policy terms:
3.1.3 Design process for hardware maintenance
Document in the Standard Operating Procedures, Section 10
ITAM complements and strengthens security tools and processes, improving the company’s ability to protect its data and systems and reduce operational risk.
It’s estimated that businesses worldwide lose more than $221 billion per year as a result of security breaches. HAM is one important factor in securing data, equipment investment, and meeting certain regulatory requirements.
How does HAM help keep your organization secure?
Best Practices
Organizations with a formal mobile management strategy have fewer problems with their mobile devices.
Develop a secure MDM to:
The benefits of a deployed MDM solution:
Mobile device management is constantly evolving to incorporate new features and expand to new control areas. This is a high-growth area that warrants constant up-to-date knowledge on the latest developments.
What can be packed into an MDM can vary and be customized in many forms for what your organization needs.
| Endpoints | Average | None |
|---|---|---|
| Desktop | 73% | 4% |
| Laptops | 65% | 9% |
| Smartphones | 27% | 28% |
| Netbooks | 26% | 48% |
| Tablets | 16% | 59% |
| Grand average | 41% |
It is nearly impossible to keep the types of data separate, even with a sandbox approach. Selective wipe will miss some corporate data, and even a full remote wipe can only catch some of users’ increasingly widely distributed data.
Not every violation of policy warrants a wipe. Playing Candy Crush during work hours probably does not warrant a wipe, but jail breaking or removing a master data management client can open up security holes that do warrant a wipe.
Data security is not simply restricted to compromised software. In fact, 70% of all data breaches in the healthcare industry since 2010 are due to device theft or loss, not hacking. (California Data Breach Report – October, 2014) ITAM is not just about tracking a device, it is also about tracking the data on the device.
Organizations often struggle with the following with respect to IT asset security:
Your security policy should seek to protect IT hardware and software that:
These assets should be documented and controlled in order to meet security requirements.
The asset security policy should encompass the following:
Info-Tech Insight
Hardware can be pricey; data is priceless. The cost of losing a device is minimal compared to the cost of losing data contained on a device.
3.1.4 Develop IT asset security policy
Document in the Asset Security Policy.
| Challenge | Current Security Risk | Target Policy |
|---|---|---|
| Hardware removal | Secure access and storage, data loss | Designated and secure storage area |
| BYOD | No BYOD policy in place | N/A → phasing out BYOD as an option |
| Hardware data removal | Secure data disposal | Data disposal, disposal vendor |
| Unused software | Lack of support/patching makes software vulnerable | Discovery and retirement of unused software |
| Unauthorized software | Harder to track, less secure | Stricter stance on pirated software |
Industry Legal
Source ICO
The Ministry of Justice (MoJ) in the UK had a security problem: hard drives that contained sensitive prisoner data were unencrypted and largely unprotected for theft.
These hard drives contained information related to health, history of drug use, and past links to organized crime.
After two separate incidents of hard drive theft that resulted in data breaches, the Information Commissioner’s Office (ICO), stepped in.
It was determined that after the first hard drive theft in October 2011, replacement hard drives with encryption software were provisioned to prisons managed by the MoJ.
Unfortunately, the IT security personnel employed by the MoJ were unaware that the encryption software required manual activation.
When the second hard drive theft occurred, the digital encryption could not act as a backup to poor physical security (the hard drive was not secured in a locker as per protocol).
The perpetrators were never found and the stolen hard drives were never recovered.
As a result of the two data breaches, the MoJ had to implement costly security upgrades to its data protection system.
The ICO fined the MoJ £180,000 for its repeated security breaches. This costly fine could have been avoided if more diligence was present in the MoJ’s asset management program.
3.1 Manage & Maintain
3.2 Dispose or Redeploy
3.2.1 Identify challenges with IT asset recovery and disposal
3.2.2 Design hardware asset recovery and disposal workflows
3.2.3 Build a hardware asset disposition policy
$500MM); and orange is Overall.">
(Info-Tech Research Group; N=96)
| Budget profiles | Refresh methods |
|---|---|
|
Stretched Average equipment age: 7+ years |
To save money, some organizations will take a cascading approach, using the most powerful machines for engineers or scientists to ensure processing power, video requirements and drives will meet the needs of their applications and storage needs; then passing systems down to departments who will require standard-use machines. The oldest and least powerful machines are either used as terminals or disposed. |
|
Generous Average equipment age: 3 years |
Organizations that do not want to risk user dissatisfaction or potential compatibility or reliability issues will take a more aggressive replacement approach. These organizations often have less people assigned to end-user device maintenance and will not repair equipment outside of warranty. There is little variation in processing power among devices, with major differences determined by mobility and operating system. |
|
Cautious Average equipment age: 4 to 5 years |
Organizations that fit between the other two profiles will look to stretch the budget beyond warranty years, but will keep a close eye on maintenance requirements. Repairs needed outside of warranty will require an eye to costs, efforts, and subsequent administrative work of loaning equipment to keep the end user productive while waiting on service. Recommendations to keep users happy and equipment in prime form is to check condition at the 2-3 year mark, reimage at least once to improve performance, and have backup machines, if equipment starts to become problematic. |
VS.
Warning! Poor hardware disposal and recovery practices can be caused by the following:
How do you improve your hardware disposal and recovery process?
Sixty-five percent of organizations cite data security as their top concern. Many data breaches are a result of hardware theft or poor data destruction practices.
Choosing a reputable IT disposal company or data removal software is crucial to ensuring data security with asset disposal.
Electronics contain harmful heavy metals such as mercury, arsenic, and cadmium.
Disposal of e-waste is heavily regulated, and improper disposal can result in hefty fines and bad publicity for organizations.
Many obsolete IT assets are simply confined to storage at their end of life.
This often imposes additional costs with maintenance or storage fees and leaves a lot of value on the table through assets that could be sold or re-purposed within the organization.
3.2.1 Identify challenges with IT asset recovery and disposal
| Economic | |||
|---|---|---|---|
| Challenge | Objectives | Targets | Initiatives |
| No data capture during disposal | Develop reporting standards | 80% disposed assets recorded | Work with Finance to develop reporting procedure |
| Idle assets | Find resale market/dispose of idle assets | 50% of idle assets disposed of within the year | Locate resale vendor and disposal service |
Ensure the following are addressed:
3.2.2 Design hardware asset recovery and disposal policies and workflows
Document in the Standard Operating Procedures, Sections 11 and 12
Document each step in the recovery and disposal process in two separate workflows using notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.
Although traditionally an afterthought in asset management, IT asset disposition (ITAD) needs to be front and center. Increase focus on data security and concern surrounding environmental sustainability and develop an awareness of the cost efficiencies possible through best-practices disposition.
Optimized ITAD solutions:
Info-Tech Insight
A well-thought-out asset management program mitigates risk and is typically less costly than dealing with a large-scale data loss incident or an inappropriate disposal suit. Also, it protects your company’s reputation – which is difficult to put a price on.
Maximizing returns on assets requires knowledge and skills in asset valuation, upgrading to optimize market return, supply chain management, and packaging and shipping. It’s unlikely that the return will be adequate to justify that level of investment, so partnering with a full-service ITAD vendor is a no-brainer.
Disposal doesn’t mean your equipment has to go to waste.
Additionally, your ITAD vendor can assist with a large donation of hardware to a charitable organization or a school.
Donating equipment to schools or non-profits may provide charitable receipts that can be used as taxable benefits.
Before donating:
Info-Tech Insight
Government assistance grants may be available to help keep your organization’s hardware up to date, thereby providing incentives to upgrade equipment while older equipment still has a useful life.
Failure to thoroughly investigate a vendor could result in a massive data breach, fines for disposal standards violations, or a poor resale price for your disposed assets. Evaluate vendors using questions such as the following:
ITAD vendors that focus on recycling will bundle assets to ship to an e-waste plant – leaving money on the table.
ITAD vendors with a focus on reuse will individually package salable assets for resale – which will yield top dollars.
Info-Tech Insight
To judge the success of a HAM overhaul, you need to establish a baseline with which to compare final results. Be sure to take HAM “snapshots” before ITAD partnering so it’s easy to illustrate the savings later.
Info-Tech Insight
Failure to properly dispose of data can not only result in costly data breaches, but also fines and other regulatory repercussions. Choosing an ITAD vendor or a vendor that specializes in data erasure is crucial. Depending on your needs, there are a variety of data wiping methods available.
Certified data erasure is the only method that leaves the asset’s hard drive intact for resale or donation. Three swipes is the bare minimum, but seven is recommended for more sensitive data (and required by the US Department of Defense). Data erasure applications may be destructive or non-destructive – both methods overwrite data to make it irretrievable.
Physical destruction must be done thoroughly, and rigorous testing must be done to verify data irretrievability. Methods such as hand drilling are proven to be unreliable.
Degaussing uses high-powered magnets to erase hard drives and makes them unusable. This is the most expensive option; degaussing devices can be purchased or rented.
Info-Tech Best Practice
Data wiping can be done onsite or can be contracted to an ITAD partner. Using an ITAD partner can ensure greater security at a more affordable price.
Work these rules into your disposition policy to mitigate data loss risk.
3.2.3 Build a Hardware Asset Disposition Policy
Implementation of a HAM program is a waste of time if you aren’t going to maintain it. Maintenance requires the implementation of detailed policies, training, and an ongoing commitment to proper management.
Use Info-Tech’s Hardware Asset Disposition Policy to:
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 4 weeks
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Phase 3 Insight: Not all assets are created equal. Taking a blanket approach to asset maintenance and security is time consuming and costly. Focus on the high-cost, high-use, and data-sensitive assets first.
3.1.4 Revise or create an asset security policy
Discuss asset security challenges within the organization; brainstorm reasons the challenges exist and process changes to address them. Document a new asset security policy.
3.2.2 Design hardware asset recovery and disposal workflows
Document each step in the hardware asset recovery and disposal process, including all decision points. Examine challenges and amend the workflow to address them.
Industry Networking
Source Cisco IT
Even though Cisco Systems had designed a comprehensive asset management program, implementing it across the enterprise was another story.
An effective solution, complete with a process that could be adopted by everyone within the organization, would require extensive internal promotion of cost savings, efficiencies, and other benefits to the enterprise and end users.
Cisco’s asset management problem was as much a cultural challenge as it was a process challenge.
The ITAM team at Cisco began discussions with departments that had been tracking and managing their own assets.
These sessions were used as an educational tool, but also as opportunities to gather internal best practices to deploy across the enterprise.
Eventually, Cisco introduced weekly meetings with global representation to encourage company-wide communication and collaboration.
“By establishing a process for managing PC assets, we have cut our hardware costs in half.” – Mark Edmonson, Manager – IT Services Expenses
Cisco reports that although change was difficult to adopt, end-user satisfaction has never been higher. The centralized asset management approach has resulted in better contract negotiations through better data access.
A reduced number of hardware and software platforms has streamlined tracking and support, and will only drive down costs as time goes on.
4.1 Plan Budget
4.2 Communicate & Build Roadmap
This step will walk you through the following activities:
4.1 Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget
This step involves the following participants:
While some asset managers may not have experience managing budgets, there are several advantages to ITAM owning the hardware budget:
Your IT budget should be realistic, accounting for business needs, routine maintenance, hardware replacement costs, unexpected equipment failures, and associated support and warranty costs. Know where to find the data you need and who to work with to forecast hardware needs as accurately as possible.
Plan for:
Take into account:
Where do I find the information I need to budget accurately?
4.1.1 Build HAM budget
This tool is designed to assist in developing and justifying the budget for hardware assets for the upcoming year. The tool will allow you to budget for projects requiring hardware asset purchases as well as equipment requiring refresh and to adjust the budget as needed to accommodate both projects and refreshes. Follow the instructions on each tab to complete the tool.
The most successful relationships have a common vocabulary. Thus, it is important to translate “tech speak” into everyday language and business goals and initiatives as you plan your budget.
One of the biggest barriers that infrastructure and operations team face with regards to equipment budgeting is the lack of understanding of IT infrastructure and how it impacts the rest of the organization. The biggest challenge is to help the rest of the organization overcome this barrier.
There are several things you can do to overcome this barrier:
Info-Tech Insight
Err on the side of inviting more discussion. Your budgeting process relies on business decision makers and receiving actionable feedback requires an ongoing exchange of information.
Getting business users to support regular investments in maintenance relies on understanding and trust. Present the facts in plain language. Provide options, and clearly state the impact of each option.
Example: Your storage environment is nearing capacity.
Don’t:
Explain the project exclusively in technical terms or slang.
“We’re exploring deduping technology as well as cheap solid state, SATA, and tape storage to address capacity.”
Do:
“Deduplication technology can reduce our storage needs by up to 50%, allowing us to defer a new storage purchase.”
“Without implementing deduplication technology, we will need to purchase additional storage by the end of the year at an estimated cost of $25,000.”
“This is a cost-effective technique to increase storage capacity to manage annual average data growth at around 20% per year.”
4.1 Plan Budget
4.2 Communicate & Build Roadmap
This step will walk you through the following activities:
4.2 Develop a HAM implementation roadmap
This step involves the following participants:
As part of your communication plan and overall HAM implementation, training should be provided to end users within the organization.
All facets of the business, from management to new hires, should be provided with ITAM training to help them understand their role in the project’s success.
ITAM solutions are complex by nature with both business process and technical knowledge required to use them correctly. Keep the message appropriate to the audience – end users don’t need to know the complete process, but will need to know policy and how to request.
Management may have priorities that appear to clash with new processes. Engage management by making them aware of the benefits and importance of ITAM. Include the benefits and consequences of not implementing ITAM in your education approach. Encourage them to support efforts by reinforcing your messages to end users.
New hires should have ITAM training bundled into their onboarding process. Fresh minds are easier to train and the ITAM program will be seen as an organizational standard, not merely a change.
Policy documents can help summarize end users’ obligations and clarify processes. Consider an IT Resources Acceptable UsePolicy.
"The lowest user is the most important user in your asset management program. New employees are your most important resource. The life cycle of the assets will go much smoother if new employees are brought on board." – Tyrell Hall, ITAM Program Coordinator
Info-Tech Insight
During training, you should present the material through the lens of “what’s in it for me?” Otherwise, you risk alienating end users through implementing organizational change viewed as low value.
Info-Tech Insight
Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but be sure to modify and adapt policies to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation and involvement from the committees and departments to whom it will pertain.
4.2.1 Build HAM policies
Use these HAM policy templates to get started:
Information Technology Standards Policy
This policy establishes standards and guidelines for a company’s information technology environment to ensure the confidentiality, integrity, and availability of company computing resources.
Desktop Move/Add/Change Policy
This desktop move/add/change policy is put in place for users to request to change their desktop computing environments. This policy applies configuration changes within a company.
The purchasing policy helps to establish company standards, guidelines, and procedures for the purchase of all information technology hardware, software, and computer-related components as well as the purchase of all technical services.
Hardware Asset Disposition Policy
This policy assists in creating guidelines around disposition in the last stage of the asset lifecycle.
Info-Tech Insight
Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but modify and adapt them to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation from the committees and departments to whom it will pertain.
Communication is crucial to the integration and overall implementation of your ITAM program. An effective communication plan will:
Use the variety of components as part of your communication plan in order to reach the organization.
4.2.2 Develop a communication plan to convey the right messages
Document in the HAM Communication Plan
| Group | Benefits | Impact | Method | Timeline |
|---|---|---|---|---|
| Service Desk | Improve end-user device support | Follow new processes | Email campaign | 3 months |
| Executives | Mitigate risks, better security, more data for reporting | Review and sign off on policies | ||
| End Users | Smoother request process | Adhere to device security and use policies | ||
| Infrastructure | Faster access to data and one source of truth | Modified processes for centralized procurement and inventory |
Now that your asset lifecycle environment has been constructed in full, it’s time to study it. Gather data about your assets and use the results to create reports and new solutions to continually improve the business.
↑ ITAM Program Maturity
To integrate your ITAM program into your organization effectively, a clear implementation roadmap needs to be designed. Prioritize “quick wins” in order to demonstrate success to the business early and gain buy-in from your team. Long-term goals should be designed that will be supported by the outcomes of the short-term gains of your ITAM program.
| Short-term goal | Long-term goal |
|---|---|
| Identify inventory classification and tool (hardware first) | Hardware contract data integration (warranty, maintenance, lease) |
| Create basic ITAM policies and processes | Continual improvement through policy impact review and revision |
| Implement ITAM auto-discovery tools | Software compliance reports, internal audits |
Info-Tech Insight
Installing an ITAM tool does not mean you have an effective asset management program. A complete solution needs to be built around your tool, but the strength of ITAM comes from processes embedded in the organization that are shaped and supported by your ITAM data.
4.2.3 Develop a HAM implementation roadmap
Document in the IT Hardware Asset Management Implementation Roadmap
Act → Plan → Do → Check
Once ITAM is in place in your organization, a focus on continual improvement creates the following benefits:
Info-Tech Best Practice
Look for new uses for ITAM data. Ask management what their goals are for the next 12-18 months. Analyze the data you are gathering and determine how your ITAM data can assist with achieving these goals.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
HAM Budgeting Tool
Review findings with analyst:
Then complete these activities…
With these tools & templates:
HAM policy templates
HAM Communication Plan
HAM Implementation Roadmap
4.1.1 Build a hardware asset budget
Review upcoming hardware refresh needs and projects requiring hardware purchases. Use this data to forecast and budget equipment for the upcoming year.
4.2.2 Develop a communication plan
Identify groups that will be affected by the new HAM program and for each group, document a communications plan.
HAM is more than just tracking inventory. A mature asset management program provides data for proactive planning and decision making to reduce operating costs and mitigate risk.
ITAM is not just IT. IT leaders need to collaborate with Finance, Procurement, Security, and other business units to make informed decisions and create value across the enterprise.
Treat HAM like a process, not a project. HAM is a dynamic process that must react and adapt to the needs of the business.
For asset management to succeed, it needs to support the business. Engage business leaders to determine needs and build your HAM program around these goals.
Bridge the gap between IT and Finance to build a smoother request and procurement process through communication and routine reporting. If you’re unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand.
Not all assets are created equal. Taking a blanket approach to asset maintenance and security is time consuming and costly. Focus on the high-cost, high-use, and data-sensitive assets first.
Deploying a fancy ITAM tool will not make hardware asset management implementation easier. Implementation is a project that requires you focus on people and process first – the technology comes after.
Implement Software Asset Management
Build an End-User Computing Strategy
Find the Value – and Remain Valuable – With Cloud Asset Management
Consolidate IT Asset Management
Chalkley, Martin. “Should ITAM Own Budget?” The ITAM Review. 19 May 2011. Web.
“CHAMP: Certified Hardware Asset Management Professional Manual.” International Association of Information Technology Asset Managers, Inc. 2008. Web.
Foxen, David. “The Importance of Effective HAM (Hardware Asset Management).” The ITAM Review. 19 Feb. 2015. Web.
Foxen, David. “Quick Guide to Hardware Asset Tagging.” The ITAM Review. 5 Sep. 2014. Web.
Galecki, Daniel. “ITAM Lifecycle and Savings Opportunities – Mapping out the Journey.” International Association of IT Asset Managers, Inc. 16 Nov. 2014. Web.
“How Cisco IT Reduced Costs Through PC Asset Management.” Cisco IT Case Study. 2007. Web.
Irwin, Sherry. “ITAM Metrics.” The ITAM Review. 14 Dec. 2009. Web.
“IT Asset and Software Management.” ECP Media LLC, 2006. Web.
Rains, Jenny. “IT Hardware Asset Management.” HDI Research Brief. May 2015. Web.
Riley, Nathan. “IT Asset Management and Tagging Hardware: Best Practices.” Samanage Blog. 5 March 2015. Web.
“The IAITAM Practitioner Survey Results for 2016 – Lean Toward Ongoing Value.” International Association of IT Asset Managers, Inc. 24 May 2016. Web.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Kick off an acquisition by establishing acquisition goals, validating the decision to acquire a service, and structuring an acquisition approach. There are several RFP approaches and strategies – evaluate the options and develop one that aligns with the nature of the acquisition.
A solid RFP is critical to the success of this project. Assess the current and future requirements, examine the characteristics of an effective RFP, and develop an RFP.
Manage the activities surrounding vendor questions and score the RFP responses to select the best-fit solution.
Perform due diligence in reviewing the SLAs and contract before signing. Plan to transition the service into the environment and manage the vendor on an ongoing basis for a successful partnership.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Establish procurement goals and success metrics.
Develop a projected acquisition timeline.
Establish the RFP approach and strategy.
Defined acquisition approach and timeline.
1.1 Establish your acquisition goals.
1.2 Establish your success metrics.
1.3 Develop a projected acquisition timeline.
1.4 Establish your RFP process and refine your RFP timeline.
Acquisition goals
Success metrics
Acquisition timeline
RFP strategy and approach
Gather requirements for services to build into the RFP.
Gathered requirements.
2.1 Assess the current state.
2.2 Evaluate service requirements and targets.
2.3 Assess the gap and validate the service acquisition.
2.4 Define requirements to input into the RFP.
Current State Assessment
Service requirements
Validation of services being acquired and key processes that may need to change
Requirements to input into the RFP
Build the RFP.
RFP development.
3.1 Build the RFP requirement section.
3.2 Develop the rest of the RFP.
Service requirements input into the RFP
Completed RFP
Review RFP responses to select the best solution for the acquisition.
Vendor selected.
4.1 Manage vendor questions regarding the RFP.
4.2 Review RFP responses and shortlist the vendors.
4.3 Conduct additional due diligence on the vendors.
4.4 Select a vendor.
Managed RFP activities
Imperceptive scoring of RFP responses and ranking of vendors
Additional due diligence and further questions for the vendor
Selected vendor
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Select the top automation candidates to score some quick wins.
Map and optimize process flows for each task you wish to automate.
Build a process around managing IT automation to drive value over the long term.
Build a long-term roadmap to enhance your organization's automation capabilities.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Identify top candidates for automation.
Plan to achieve quick wins with automation for early value.
1.1 Identify MRW pain points.
1.2 Drill down pain points into tasks.
1.3 Estimate the MRW involved in each task.
1.4 Rank the tasks based on value and ease.
1.5 Select top candidates and define metrics.
1.6 Draft project charters.
MRW pain points
MRW tasks
Estimate of MRW involved in each task
Ranking of tasks for suitability for automation
Top candidates for automation & success metrics
Project charter(s)
Map and optimize the process flow of the top candidate(s).
Requirements for automation of the top task(s).
2.1 Map process flows.
2.2 Review and optimize process flows.
2.3 Clarify logic and finalize future-state process flows.
Current-state process flows
Optimized process flows
Future-state process flows with complete logic
Develop a lightweight process for rolling out automation and for managing the automation program.
Ability to measure and to demonstrate success of each task automation, and of the program as a whole.
3.1 Kick off your test plan for each automation.
3.2 Define process for automation rollout.
3.3 Define process to manage your automation program.
3.4 Define metrics to measure success of your automation program.
Test plan considerations
Automation rollout process
Automation program management process
Automation program metrics
Build a roadmap to enhance automation capabilities.
A clear timeline of initiatives that will drive improvement in the automation program to reduce MRW.
4.1 Build a roadmap for next steps.
IT automation roadmap
Automation can be very, very good, or very, very bad.
Do it right, and you can make your life a whole lot easier.
Do it wrong, and you can suffer some serious pain.
All too often, automation is deployed willy-nilly, without regard to the overall systems or business processes in which it lives.
IT professionals should follow a disciplined and consistent approach to automation to ensure that they maximize its value for their organization.
Derek Shank,
Research Analyst, Infrastructure & Operations
Info-Tech Research Group
Follow our methodology to focus IT automation on reducing toil.
Queues create waste and are extremely damaging. Like a tire fire, once you get started, they’re almost impossible to stamp out!
(Source: Edwards, citing Donald G. Reinersten: The Principles of Product Development Flow: Second Generation Lean Product Development )
Every additional layer of complexity multiplies points of failure. Beyond a certain level of complexity, troubleshooting can become a nightmare.
Today, Operations is responsible for the outcomes of a full stack of a very complex, software-defined, API-enabled system running on infrastructure they may or may not own.
– Edwards
The systems built under each new technology paradigm never fully replace the systems built under the old paradigms. It’s not uncommon for an enterprise to have an accumulation of systems built over 10-15 years and have no budget, risk appetite, or even a viable path to replace them all. With each shift, who bares [SIC] the brunt of the responsibility for making sure the old and the new hang together? Operations, of course. With each new advance, Operations juggles more complexity and more layers of legacy technologies than ever before.
– Edwards
Personnel resources in most IT organizations overlap heavily between “build” and “run.”
Some CIOs see a Sys Admin and want to replace them with a Roomba. I see a Sys Admin and want to build them an Iron Man suit.
– Deepak Giridharagopal, CTO, Puppet
When we automate, we can make sure we do something the same way every time and produce a consistent result.
We can design an automated execution that will ship logs that provide the context of the action for a detailed audit trail.
Because the C-suite relies on upwards communication — often filtered and sanitized by the time it reaches them — executives don’t see the bottlenecks and broken processes that are stalling progress.
– Andi Mann
To get the full ROI on your automation, you need to treat it like an employee. When you hire an employee, you invest in that person. You spend time and resources training and nurturing new employees so they can reach their full potential. The investment in a new employee is no different than your investment in automation.– Edwards
| Example of How to Estimate Dollar Value Impact of Automation | |||
|---|---|---|---|
| Metric | Timeline | Target | Value |
| Hours of manual repetitive work | 12 months | 20% reduction | $48,000/yr.(1) |
| Hours of project capacity | 18 months | 30% increase | $108,000/yr.(2) |
| Downtime caused by errors | 6 months | 50% reduction | $62,500/yr.(3) |
1 15 FTEs x 80k/yr.; 20% of time on MRW, reduced by 20%
2 15 FTEs x 80k/yr.; 30% project capacity, increased by 30%
3 25k/hr. of downtime.; 5 hours per year of downtime caused by errors
Industry Financial Services
Source Interview
An IT infrastructure manager had established DR failover procedures, but these required a lot of manual work to execute. His team lacked the expertise to build automation for the failover.
The manager hired consultants to build scripts that would execute portions of the failover and pause at certain points to report on outcomes and ask the human operator whether to proceed with the next step.
The infrastructure team reduced their achievable RTOs as follows:
Tier 1: 2.5h → 0.5h
Tier 2: 4h → 1.5h
Tier 3: 8h → 2.5h
And now, anyone on the team could execute the entire failover!
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| 1. Select Candidates | 2. Map Process Flows | 3. Build Process | 4. Build Roadmap | |
|---|---|---|---|---|
| Best-Practice Toolkit |
1.1 Identify MRW pain points 1.2 Drill down pain points into tasks 1.3 Estimate the MRW involved in each task 1.4 Rank the tasks based on value and ease 1.5 Select top candidates and define metrics 1.6 Draft project charters |
2.1 Map process flows 2.2 Review and optimize process flows 2.3 Clarify logic and finalize future-state process flows |
3.1 Kick off your test plan for each automation 3.2 Define process for automation rollout 3.3 Define process to manage your automation program 3.4 Define metrics to measure success of your automation program |
4.1 Build automation roadmap |
| Guided Implementations |
Introduce methodology. Review automation candidates. Review success metrics. |
Review process flows. Review end-to-end process flows. |
Review testing considerations. Review automation SDLC. Review automation program metrics. |
Review automation roadmap. |
| Onsite Workshop | Module 1: Identify Automation Candidates |
Module 2: Map and Optimize Processes |
Module 3: Build a Process for Managing Automation |
Module 4: Build Automation Roadmap |
| Phase 1 Results: Automation candidates and success metrics |
Phase 2 Results: End-to-end process flows for automation |
Phase 3 Results: Automation SDLC process, and automation program management process |
Phase 4 Results: Automation roadmap |
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Read our executive brief to understand why you should invest in optimizing requirements gathering in your company. We show you how we can support you.
Fully understand the target needs of the requirements gathering process.
Standardize your frameworks for analysis and validation of the business requirements
Formalize governance.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Capture a clear understanding of the target needs for the requirements process.
Develop best practices for conducting and structuring elicitation of business requirements.
Standardize frameworks for analysis and validation of business requirements.
Formalize change control and governance processes for requirements gathering.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Create a clear understanding of the target needs for the requirements gathering process.
A comprehensive review of the current state for requirements gathering across people, processes, and technology.
Identification of major challenges (and opportunity areas) that should be improved via the requirements gathering optimization project.
1.1 Understand current state and document existing requirement process steps.
1.2 Identify stakeholder, process, outcome, and training challenges.
1.3 Conduct target state analysis.
1.4 Establish requirements gathering metrics.
1.5 Identify project levels 1/2/3/4.
1.6 Match control points to project levels 1/2/3/4.
1.7 Conduct project scoping and identify stakeholders.
Requirements Gathering Maturity Assessment
Project Level Selection Tool
Requirements Gathering Documentation Tool
Create best practices for conducting and structuring elicitation of business requirements.
A repeatable framework for initial elicitation of requirements.
Prescribed, project-specific elicitation techniques.
2.1 Understand elicitation techniques and which ones to use.
2.2 Document and confirm elicitation techniques.
2.3 Create a requirements gathering elicitation plan for your project.
2.4 Build the operating model for your project.
2.5 Define SIPOC-MC for your selected project.
2.6 Practice using interviews with business stakeholders to build use case models.
2.7 Practice using table-top testing with business stakeholders to build use case models.
Project Elicitation Schedule
Project Operating Model
Project SIPOC-MC Sub-Processes
Project Use Cases
Build a standardized framework for analysis and validation of business requirements.
Policies for requirements categorization, prioritization, and validation.
Improved project value as a result of better prioritization using the MOSCOW model.
3.1 Categorize gathered requirements for use.
3.2 Consolidate similar requirements and eliminate redundancies.
3.3 Practice prioritizing requirements.
3.4 Build the business process model for the project.
3.5 Rightsize the requirements documentation template.
3.6 Present the business requirements document to business stakeholders.
3.7 Identify testing opportunities.
Requirements Gathering Documentation Tool
Requirements Gathering Testing Checklist
Create formalized change control processes for requirements gathering.
Reduced interjections and rework – strengthened formal evaluation and control of change requests to project requirements.
4.1 Review existing CR process.
4.2 Review change control process best practices and optimization opportunities.
4.3 Build guidelines for escalating changes.
4.4 Confirm your requirements gathering process for project levels 1/2/3/4.
Requirements Traceability Matrix
Requirements Gathering Communication Tracking Template
Establish governance structures and ongoing oversight for business requirements gathering.
Consistent governance and oversight of the requirements gathering process, resulting in fewer “wild west” scenarios.
Better repeatability for the new requirements gathering process, resulting in less wasted time and effort at the outset of projects.
5.1 Define RACI for the requirements gathering process.
5.2 Define the requirements gathering steering committee purpose.
5.3 Define RACI for requirements gathering steering committee.
5.4 Define the agenda and cadence for the requirements gathering steering committee.
5.5 Identify and analyze stakeholders for communication plan.
5.6 Create communication management plan.
5.7 Build the action plan.
Requirements Gathering Action Plan
Back to basics: great products are built on great requirements.
A strong process for business requirements gathering is essential for application project success. However, most organizations do not take a strategic approach to optimizing how they conduct business analysis and requirements definition.
"Robust business requirements are the basis of a successful project. Without requirements that correctly articulate the underlying needs of your business stakeholders, projects will fail to deliver value and involve significant rework. In fact, an Info-Tech study found that of projects that fail over two-thirds fail due to poorly defined business requirements.
Despite the importance of good business requirements to project success, many organizations struggle to define a consistent and repeatable process for requirements gathering. This results in wasted time and effort from both IT and the business, and generates requirements that are incomplete and of dubious value. Additionally, many business analysts lack the competencies and analytical techniques needed to properly execute the requirements gathering process.
This research will help you get requirements gathering right by developing a set of standard operating procedures across requirements elicitation, analysis, and validation. It will also help you identify and fine-tune the business analyst competencies necessary to make requirements gathering a success."
– Ben Dickie, Director, Enterprise Applications, Info-Tech Research Group
A business requirement is a statement that clearly outlines the functional capability that the business needs from a system or application. There are several attributes to look at in requirements:
Verifiable
Stated in a way that can be easily tested
Unambiguous
Free of subjective terms and can only be interpreted in one way
Complete
Contains all relevant information
Consistent
Does not conflict with other requirements
Achievable
Possible to accomplish with budgetary and technological constraints
Traceable
Trackable from inception through to testing
Unitary
Addresses only one thing and cannot be decomposed into multiple requirements
Agnostic
Doesn’t pre-suppose a specific vendor or product
In some situations, an insight will reveal new requirements. This requirement will not follow all of the attributes listed above and that’s okay. If a new insight changes the direction of the project, re-evaluate the scope of the project.
Depending on the scope of the project, certain attributes will carry more weight than others. Weigh the value of each attribute before elicitation and adjust as required. For example, verifiable will be a less-valued attribute when developing a client-facing website with no established measuring method/software.
Proper requirements gathering is critical for delivering business value from IT projects, but it remains an elusive and perplexing task for most organizations. You need to have a strategy for end-to-end requirements gathering, or your projects will consistently fail to meet business expectations.
50% of project rework is attributable to problems with requirements. (Info-Tech Research Group)
45% of delivered features are utilized by end users. (The Standish Group)
78% of IT professionals believe the business is “usually” or “always” out of sync with project requirements. (Blueprint Software Systems)
45% of IT professionals admit to being “fuzzy” about the details of a project’s business objectives. (Blueprint Software Systems)
Requirements gathering is truly an organization-spanning issue, and it falls directly on the IT directors who oversee projects to put prudent SOPs in place for managing the requirements gathering process. Despite its importance, the majority of organizations have challenges with requirements gathering.
What happens when requirements are no longer effective?
PMBOK’s Five Phase Project Lifecycle
Initiate – Plan: Requirements Gathering Lives Here – Execute – Control – Close
Inaccurate requirements is the 2nd most common cause of project failure (Project Management Institute ‒ Smartsheet).
Requirements gathering is a critical stage of project planning.
Depending on whether you take an Agile or Waterfall project management approach, it can be extended into the initiate and execute phases of the project lifecycle.
Organizations that had high satisfaction with requirements gathering were more likely to be highly satisfied with the other areas of IT. In fact, 72% of organizations that had high satisfaction with requirements gathering were also highly satisfied with the availability of IT capacity to complete projects.
Note: High satisfaction was classified as organizations with a score greater or equal to 8. Not high satisfaction was every other organization that scored below 8 on the area questions.
N=395 organizations from Info-Tech’s CIO Business Vision diagnostic
The challenges that afflict requirements gathering are multifaceted and often systemic in nature. There isn’t a single cure that will fix all of your requirements gathering problems, but an awareness of frequently encountered challenges will give you a basis for where to consider establishing better SOPs. Commonly encountered challenges include:
70% of projects fail due to poor requirements. (Info-Tech Research Group)
Root Causes of Poor Requirements Gathering:
Outcomes of Poor Requirements Gathering:
Info-Tech Insight
Requirements gathering is the number one failure point for most development or procurement projects that don’t deliver value. This has been and continues to be the case as most organizations still don't get requirements gathering right. Overcoming organizational cynicism can be a major obstacle when it is time to optimize the requirements gathering process.
You can reduce the amount of wasted work by making sure you have clear business goals. In fact, you could see an improvement of as much as 50% by going from a low level of satisfaction with clarity of business goals (<2) to a high level of satisfaction (≥5).
Likewise, you could see an improvement of as much as 43% by going from a low level of satisfaction with analysis of requirements (less than 2) to a high level of satisfaction (greater than or equal to 5).
Note: Waste is measured by the amount of cancelled projects; suboptimal assignment of resources; analyzing, fixing, and re-deploying; inefficiency, and unassigned resources.
N=200 teams from the Project Portfolio Management diagnostic
Good intentions and hard work aren’t enough to make a project successful. As you proceed with a project, step back and assess the critical success factors. Make sure that the important inputs and critical activities of requirements gathering are supporting, not inhibiting, project success.
Creating a unified SOP guide for requirements elicitation, analysis, and validation is a critical step for requirements optimization; it gives your BAs a common frame of reference for conducting requirements gathering.
Info-Tech Insight
Having a standardized approach to requirements management is critical, and SOPs should be the responsibility of a group. The SOP guide should cover all of the major bases of requirements management. In addition to providing a walk-through of the process, an SOP also clarifies requirements governance.
Info-Tech’s Requirements Gathering Framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework has been extensively road-tested with our clients to ensure that it balances the needs of IT and business stakeholders to give a holistic, end-to-end approach for requirements gathering. It covers the foundational issues (elicitation, analysis, and validation) and prescribes techniques for planning, monitoring, communicating, and managing the requirements gathering process.
When creating the process for requirements gathering, think about how it will be executed by your BAs, and what the composition of your BA team should look like. A strong BA needs to serve as an effective translator, being able to speak the language of both the business and IT.
What are some core competencies of a good BA?
Throughout this blueprint, look for the “BA Insight” box to learn how steps in the requirements gathering process relate to the skills needed by BAs to facilitate the process effectively.
Government
Info-Tech Research Group Workshop
The Client
The organization was a local government responsible for providing services to approximately 600,000 citizens in the southern US. Its IT department is tasked with deploying applications and systems (such as HRIS) that support the various initiatives and mandate of the local government.
The Requirements Gathering Challenge
The IT department recognized that a strong requirements gathering process was essential to delivering value to its stakeholders. However, there was no codified process in place – each BA unilaterally decided how they would conduct requirements gathering at the start of each project. IT recognized that to enhance both the effectiveness and efficiency of requirements gathering, it needed to put in place a strong, prescriptive set of SOPs.
The Improvement
Working with a team from Info-Tech, the IT leadership and BA team conducted a workshop to develop a new set of SOPs that provided clear guidance for each stage of the requirements process: elicitation, analysis, and validation. As a result, business satisfaction and value alignment increased.
The Requirements Gathering SOP and BA Playbook offers a codified set of SOPs for requirements gathering gave BAs a clear playbook.
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Diagnostics and consistent frameworks used throughout all four options
| 1. Build the Target State for Requirements Gathering | 2. Define the Elicitation Process | 3. Analyze and Validate Requirements | 4. Create a Requirements Governance Action Plan | |
|---|---|---|---|---|
| Best-Practice Toolkit |
1.1 Understand the Benefits of Requirements Optimization 1.2 Determine Your Target State for Requirements Gathering |
2.1 Determine Elicitation Techniques 2.2 Structure Elicitation Output |
3.1 Create Analysis Framework 3.2 Validate Business Requirements |
4.1 Create Control Processes for Requirements Changes 4.2 Build Requirements Governance and Communication Plan |
| Guided Implementations |
|
|
|
|
| Onsite Workshop | Module 1: Define the Current and Target State | Module 2: Define the Elicitation Process | Module 3: Analyze and Validate Requirements | Module 4: Governance and Continuous Improvement Process |
| Phase 1 Results: Clear understanding of target needs for the requirements process. | Phase 2 Results: Best practices for conducting and structuring elicitation. | Phase 3 Results: Standardized frameworks for analysis and validation of business requirements. | Phase 4 Results: Formalized change control and governance processes for requirements. |
Contact your account representative or email Workshops@InfoTech.com for more information.
| Workshop Day 1 | Workshop Day 2 | Workshop Day 3 | Workshop Day 4 | Workshop Day 5 | |
|---|---|---|---|---|---|
| Activities |
Define Current State and Target State for Requirements Gathering
|
Define the Elicitation Process
|
Analyze and Validate Requirements
|
Establish Change Control Processes
|
Establish Ongoing Governance for Requirements Gathering
|
| Deliverables |
|
|
|
|
|
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 2 weeks
Start with an analyst kick off call:
Then complete these activities…
With these tools & templates:
Requirements Gathering SOP and BA Playbook
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Phase 1 Results & Insights:
Clear understanding of target needs for the requirements process.
1.1 Understand the Benefits of Requirements Optimization
1.2 Determine Your Target State for Requirements Gathering
2.1 Determine Elicitation Techniques
2.2 Structure Elicitation Output
3.1 Create Analysis Framework
3.2 Validate Business Requirements
4.1 Create Control Processes for Requirements Changes
4.2 Build Requirements Governance and Communication Plan
Optimizing requirements management is not something that can be done in isolation, and it’s not necessarily going to be easy. Improving your requirements will translate into better value delivery, but it takes real commitment from IT and its business partners.
There are four “pillars of commitment” that will be necessary to succeed with requirements optimization:
When gathering business requirements, it’s critical not to assume that layering on technology to a process will automatically solve your problems.
Proper requirements gathering views projects holistically (i.e. not just as an attempt to deploy an application or technology, but as an endeavor to enable new or re-engineered business processes). Neglecting to see requirements gathering in the context of business process enablement leads to failure.
Info-Tech’s Requirements Gathering Framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework has been extensively road-tested with our clients to ensure that it balances the needs of IT and business stakeholders to give a holistic, end-to-end approach for requirements gathering. It covers both the foundational issues (elicitation, analysis, and validation) as well as prescribing techniques for planning, monitoring, communicating, and managing the requirements gathering process.
Identify the challenges you’re experiencing with requirements gathering, and identify objectives.
Creating a unified SOP guide for requirements elicitation, analysis, and validation is a critical step for requirements optimization; it gives your BAs a common frame of reference for conducting requirements gathering.
Info-Tech Insight
Having a standardized approach to requirements management is critical, and SOPs should be the responsibility of a group. The SOP guide should cover all of the major bases of requirements management. In addition to providing a walk-through of the process, an SOP also clarifies requirements governance.
Info-Tech’s Requirements Gathering SOP and BA Playbook template forms the basis of this blueprint. It’s a structured document that you can fill out with defined procedures for how requirements should be gathered at your organization.
Info-Tech’s Requirements Gathering SOP and BA Playbook template provides a number of sections that you can populate to provide direction for requirements gathering practitioners. Sections provided include: Organizational Context Governance Procedures Resourcing Model Technology Strategy Knowledge Management Elicitation SOPs Analysis SOPs Validation SOPs.
The template has been pre-populated with an example of requirements management procedures. Feel free to customize it to fit your specific needs.
Download the Requirements Gathering SOP and BA Playbook template.
1.1 Understand the Benefits of Requirements Optimization
1.2 Determine Your Target State for Requirements Gathering
2.1 Determine Elicitation Techniques
2.2 Structure Elicitation Output
3.1 Create Analysis Framework
3.2 Validate Business Requirements
4.1 Create Control Processes for Requirements Changes
4.2 Build Requirements Governance and Communication Plan
Establishing an overarching plan for requirements governance is the first step in building an SOP. You must also decide who will actually execute the requirements gathering processes, and what technology they will use to accomplish this. Planning for governance, resourcing, and technology is something that should be done repeatedly and at a higher strategic level than the more sequential steps of elicitation, analysis, and validation.
Visualize how you want requirements to be gathered in your organization. Do not let elements of the current process restrict your thinking.
For example:
Refrain from only making small changes to improve the existing process. Think about the optimal way to structure the requirements gathering process.
Verifiable – It is stated in a way that can be tested.
Unambiguous – It is free of subjective terms and can only be interpreted in one way.
Complete – It contains all relevant information.
Consistent – It does not conflict with other requirements.
Achievable – It is possible to accomplish given the budgetary and technological constraints.
Traceable – It can tracked from inception to testing.
Unitary – It addresses only one thing and cannot be decomposed into multiple requirements.
Accurate – It is based on proven facts and correct information.
Other Considerations:
Organizations can also track a requirement owner, rationale, priority level (must have vs. nice to have), and current status (approved, tested, etc.).
Info-Tech Insight
Requirements must be solution agnostic – they should focus on the underlying need rather than the technology required to satisfy the need as it can be really easy to fall into the technology solution trap.
Use the Requirements Gathering Maturity Assessment tool to help assess the maturity of your requirements gathering function in your organization, and identify the gaps between the current state and the target state. This will help focus your organization's efforts in closing the gaps that represent high-value opportunities.
Complete the Requirements Gathering Maturity Assessment tool to define your target state, and identify the gaps in your current state.
You need to ensure your requirements gathering procedures are having the desired effect and adjust course when necessary. Establishing an upfront list of key performance indicators that will be benchmarked and tracked is a crucial step.
Document the output from this exercise in section 2.2 of the Requirements Gathering SOP and BA Playbook.
A business process model (BPM) is a simplified depiction of a complex process. These visual representations allow all types of stakeholders to quickly understand a process, how it affects them, and enables more effective decision making. Consider these areas for your model:
Stakeholder Analysis
Elicitation Techniques
Documentation
Validation & Traceability
Managing Requirements
Supporting Tools
It’s important to determine the project levels up front, as each project level will have a specific degree of elicitation, analysis, and validation that will need to be completed. That being said, not all organizations will have four levels.
The Project Level Selection Tool will classify your projects into four levels, enabling you to evaluate the risk and complexity of a particular project and match it with an appropriate requirements gathering process.
Project Level Input
Project Level Selection
Define the project levels to determine the appropriate requirements gathering process for each.
Document the output from this exercise in section 2.3 of the Requirements Gathering SOP and BA Playbook.
| Category | Level 4 | Level 3 | Level 2 | Level 1 |
|---|---|---|---|---|
| Scope of Change | Full system update | Full system update | Multiple modules | Minor change |
| Expected Duration | 12 months + | 6 months + | 3-6 months | 0-3 months |
| Impact | Enterprise-wide, globally dispersed | Enterprise-wide | Department-wide | Low users/single division |
| Budget | $1,000,000+ | $500,000-1,000,000 | $100,000-500,000 | $0-100,000 |
| Services Affected | Mission critical, revenue impacting | Mission critical, revenue impacting | Pervasive but not mission critical | Isolated, non-essential |
| Confidentiality | Yes | Yes | No | No |
The tool is comprised of six questions, each of which is linked to at least one type of project risk.
Using the answers provided, the tool will calculate a level for each risk category. Overall project level is a weighted average of the individual risk levels, based on the importance weighting of each type of risk set by the project manager.
This tool is an excerpt from Info-Tech’s exhaustive Project Level Assessment Tool.
Brainstorm the ideal target business process flows for your requirements gathering process (by project level).
Document the output from this exercise in section 2.4 of the Requirements Gathering SOP and BA Playbook.
Having an SOP is important, but it should be the basis for training the people who will actually execute the requirements gathering process. Your BA team is critical for requirements gathering – they need to know the SOPs in detail, and you need to have a plan for recruiting those with an excellent skill set.
The ideal candidates for requirements gathering are technically savvy analysts (but not necessarily computer science majors) from the business who are already fluent with the business’ language and cognizant of the day-to-day challenges that take place. Organizationally, these BAs should be in a group that bridges IT and the business (such as an RGCOE or PMO) and be specialists rather than generalists in the requirements management space.
A BA resourcing strategy is included in the SOP. Customize it to suit your needs.
"Make sure your people understand the business they are trying to provide the solution for as well if not better than the business folks themselves." – Ken Piddington, CIO, MRE Consulting
If you don’t have a trained group of in-house BAs who can execute your requirements gathering process, consider sourcing the talent from internal candidates or calling for qualified applicants. Our Business Requirements Analyst job description template can help you quickly get the word out.
Info-Tech Deliverable
Download the Business Requirements Analyst job description template.
Industry Government
Source Info-Tech Workshop
A mid-sized US municipality was challenged with managing stakeholder expectations for projects, including the collection and analysis of business requirements.
The lack of a consistent approach to requirements gathering was causing the IT department to lose credibility with department level executives, impacting the ability of the team to engage project stakeholders in defining project needs.
The City contracted Info-Tech to help build an SOP to govern and train all BAs on a consistent requirements gathering process.
The teams first set about establishing a consistent approach to defining project levels, defining six questions to be asked for each project. This framework would be used to assess the complexity, risk, and scope of each project, thereby defining the appropriate level of rigor and documentation required for each initiative.
Once the project levels were defined, the team established a formalized set of steps, tools, and artifacts to be created for each phase of the project. These tools helped the team present a consistent approach to each project to the stakeholders, helping improve credibility and engagement for eliciting requirements.
Choose a level of control that facilitates success without slowing progress.
| No control | Right-sized control | Over-engineered control |
|---|---|---|
| Final deliverable may not satisfy business or user requirements. | Control points and communication are set at appropriate stage-gates to allow for deliverables to be evaluated and assessed before proceeding to the next phase. | Excessive controls can result in too much time spent on stage-gates and approvals, which creates delays in the schedule and causes milestones to be missed. |
Info-Tech Insight
Throughout the requirements gathering process, you need checks and balances to ensure that the projects are going according to plan. Now that we know our stakeholder, elicitation, and prioritization processes, we will set up the control points for each project level.
Determine how you want to receive and distribute messages to stakeholders.
| Communication Milestones | Audience | Artifact | Final Goal |
|---|---|---|---|
| Project Initiation | Project Sponsor | Project Charter | Communicate Goals and Scope of Project |
| Elicitation Scheduling | Selected Stakeholders (SMEs, Power Users) | Proposed Solution | Schedule Elicitation Sessions |
| Elicitation Follow-Up | Selected Stakeholders | Elicitation Notes | Confirm Accuracy of Notes |
| First Pass Validation | Selected Stakeholders | Consolidated Requirements | Validate Aggregated Requirements |
| Second Pass Validation | Selected Stakeholders | Prioritized Requirements | Validate Requirements Priority |
| Eliminated Requirements | Affected Stakeholders | Out of Scope Requirements | Affected Stakeholders Understand Impact of Eliminated Requirements |
| Solution Selection | High Authority/Expertise Stakeholders | Modeled Solutions | Select Solution |
| Selected Solution | High Authority/Expertise Stakeholders and Project Sponsor | Requirements Package | Communicate Solution |
| Requirements Sign-Off | Project Sponsor | Requirements Package | Obtain Sign-Off |
# – Control Point: A decision requiring specific approval or sign-off from defined stakeholders involved with the project. Control points result in accepted or rejected deliverables/documents.
A – Plan Approval: This control point requires a review of the requirements gathering plan, stakeholders, and elicitation techniques.
B – Requirements Validation: This control point requires a review of the requirements documentation that indicates project and product requirements.
C – Prioritization Sign-Off: This requires sign-off from the business and/or user groups. This might be sign-off to approve a document, prioritization, or confirm that testing is complete.
D – IT or Peer Sign-Off: This requires sign-off from IT to approve technical requirements or confirm that IT is ready to accept a change.
Define all of the key control points, required documentation, and involved stakeholders.
Document the output from this exercise in section 6.1 of the Requirements Gathering SOP and BA Playbook.
Before commencing requirements gathering, it’s critical that your practitioners have a clear understanding of the initial business case and rationale for the project that they’re supporting. This is vital for providing the business context that elicitation activities must be geared towards.
During requirements gathering, BAs should steer clear of solutions and focus on capturing requirements. Focus on traceable, hierarchical, and testable requirements. Focusing on solution design means you are out of requirements mode.
Constraints come in many forms (i.e. financial, regulatory, and technological). Identifying these constraints prior to entering requirements gathering enables you to remain alert; you can separate what is possible from what is impossible, and set stakeholder expectations accordingly.
Stakeholder management is a critical aspect of the BA’s role. Part of the BA’s responsibility is prioritizing solutions and demonstrating to stakeholders the level of effort required and the value attained.
Begin the requirements gathering process by conducting some initial scoping on why we are doing the project, the goals, and the constraints.
Before you can dive into most elicitation techniques, you need to know who you’re going to speak with – not all stakeholders hold the same value.
There are two broad categories of stakeholders:
Customers: Those who ask for a system/project/change but do not necessarily use it. These are typically executive sponsors, project managers, or interested stakeholders. They are customers in the sense that they may provide the funding or budget for a project, and may have requests for features and functionality, but they won’t have to use it in their own workflows.
Users: Those who may not ask for a system but must use it in their routine workflows. These are your end users, those who will actually interact with the system. Users don’t necessarily have to be people – they can also be other systems that will require inputs or outputs from the proposed solution. Understand their needs to best drive more granular functional requirements.
"The people you need to make happy at the end of the day are the people who are going to help you identify and prioritize requirements." – Director of IT, Municipal Utilities Provider
Need a hand with stakeholder identification? Leverage Info-Tech’s Stakeholder Planning Tool to catalog and prioritize the stakeholders your BAs will need to contact during the elicitation phase.
Practice the process for identifying and analyzing key stakeholders for requirements gathering.
Use the Requirements Gathering Communication Tracking Template for structuring and managing ongoing communications among key requirements gathering implementation stakeholders.
Use the Stakeholder Power Map tab to:
Use the Communication Management Plan tab to:
Recording and analyzing requirements needs some kind of tool, but don’t overinvest in a dedicated suite if you can manage with a more inexpensive solution (such as Word, Excel, and/or Visio). Top-tier solutions may be necessary for an enterprise ERP deployment, but you can use a low-cost solution for low-level productivity application.
Your SOP guide should specify the technology platform that your analysts are expected to use for initial elicitation as well as analysis and validation. You don’t want them to use Word if you’ve invested in a full-out IBM RM solution.
Dedicated requirements management suites are a great (although pricey) way to have full control over recording, analysis, and hierarchical categorization of requirements. Consider some of the major vendors in the space if Word, Excel, and Visio aren’t suitable for you.
Industry Consulting
Source Jama Software
ArcherPoint is a leading Microsoft Partner responsible for providing business solutions to its clients. Its varied customer base now requires a more sophisticated requirements gathering software.
Its process was centered around emailing Word documents, creating versions, and merging issues. ArcherPoint recognized the need to enhance effectiveness, efficiency, and accuracy of requirements gathering through a prescriptive set of elicitation procedures.
The IT department at ArcherPoint recognized that a strong requirements gathering process was essential to delivering value to stakeholders. It needed more scalable and flexible requirements gathering software to enhance requirements traceability. The company implemented SaaS solutions that included traceability and seamless integration features.
These features reduced the incidences of repetition, allowed for tracing of requirements relationships, and ultimately led to an exhaustive understanding of stakeholders’ needs.
Projects are now vetted upon an understanding of the business client’s needs with a thorough requirements gathering collection and analysis.
A deeper understanding of the business needs also allows ArcherPoint to better understand the roles and responsibilities of stakeholders. This allows for the implementation of structures and policies which makes the requirements gathering process rigorous.
Solution options or preferences are not requirements. Be sure to identify these quickly to avoid being forced into untimely discussions and sub-optimal solution decisions.
Solution Requirements: Describe the characteristics of a solution that meet business requirements and stakeholder requirements. They are frequently divided into sub-categories, particularly when the requirements describe a software solution:
Functional Requirements
Non-Functional Requirements
Remember that solution requirements are distinct from solution specifications; in time, specifications will be developed from the requirements. Don’t get ahead of the process.
An analyst will facilitate a discussion to assess the maturity of your requirements gathering process and identify any gaps in the current state.
Speak to an analyst to discuss and determine key metrics for measuring the effectiveness of your requirements gathering processes.
An analyst will facilitate a discussion to determine the ideal target business process flow for your requirements gathering.
An analyst will assist you with determining the appropriate requirements gathering approach for different project levels. The discussion will highlight key control points and define stakeholders who will be involved in each one.
An analyst will facilitate a discussion to highlight the scope of the requirements gathering optimization project as well as identify and analyze key stakeholders in the process.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 2 weeks
Start with an analyst kick off call:
Then complete these activities…
Review findings with analyst:
Then complete these activities…
With these tools & templates:
1.1 Understand the Benefits of Requirements Optimization
1.2 Determine Your Target State for Requirements Gathering
2.1 Determine Elicitation Techniques
2.2 Structure Elicitation Output
3.1 Create Analysis Framework
3.2 Validate Business Requirements
4.1 Create Control Processes for Requirements Changes
4.2 Build Requirements Governance and Communication Plan
The elicitation phase is where the BAs actually meet with project stakeholders and uncover the requirements for the application. Major tasks within this phase include stakeholder identification, selecting elicitation techniques, and conducting the elicitation sessions. This phase involves the most information gathering and therefore requires a significant amount of time to be done properly.
A mediocre requirements practitioner takes an order taker approach to elicitation: they elicit requirements by showing up to a meeting with the stakeholder and asking, “What do you want?” This approach frequently results in gaps in requirements, as most stakeholders cannot free-form spit out an accurate inventory of their needs.
A strong requirements practitioner first decides on an elicitation framework – a mechanism to anchor the discussion about the business requirements. Info-Tech recommends using business process modelling (BPM) as the most effective framework. The BA can now work through several key questions:
The second key element to elicitation is using the right blend of elicitation techniques: the tactical approach used to actually collect the requirements. Interviews are the most popular means, but focus groups, JAD sessions, and observational techniques can often yield better results – faster. This section will touch on BPM/BPI as an elicitation framework, then do deep dive on different elicitation techniques.
Stakeholders must be identified, and elicitation frameworks and techniques selected. Each technique requires different preparation. For example, brainstorming requires ground rules; focus groups require invitations, specific focus areas, and meeting rooms (perhaps even cameras). Look at each of these techniques and discuss how you would prepare.
A good elicitor has the following underlying competencies: analytical thinking, problem solving, behavioral characteristics, business knowledge, communication skills, interaction skills, and proficiency in BA tools. In both group and individual elicitation techniques, interpersonal proficiency and strong facilitation is a must. A good BA has an intuitive sense of how to manage the flow of conversations, keep them results-oriented, and prevent stakeholder tangents or gripe sessions.
How you document will depend on the technique you use. For example, recording and transcribing a focus group is probably a good idea, but you still need to analyze the results and determine the actual requirements. Use cases demand a software tool – without one, they become cumbersome and unwieldy. Consider how you would document the results before you choose the technique. Some analysts prefer to use solutions like OneNote or Evernote for capturing the raw initial notes, others prefer pen and paper: it’s what works best for the BA at hand.
Review the documentation with your stakeholder and confirm the understanding of each requirement via active listening skills. Revise requirements as necessary. Circulating the initial notes of a requirements interview or focus group is a great practice to get into – it ensures jargon and acronyms are correctly captured, and that nothing has been lost in the initial translation.
BPMs can take multiple forms, but they are created as visual process flows that depict a series of events. They can be customized at the discretion of the requirements gathering team (swim lanes, legends, etc.) based on the level of detail needed from the input.
BPMs can be used as the basis for further process improvement or re-engineering efforts for IT and applications projects. When the requirements gathering process owner needs to validate whether or not a specific step involved in the process is necessary, BPM provides the necessary breakdown.
Different individuals absorb information in a variety of ways. Visual representations of a process or set of steps tend to be well received by a large sub-set of individuals, making BPMs an effective analysis technique.
This related Info-Tech blueprint provides an extremely thorough overview of how to leverage BPM and process improvement approaches.
| Build a Sales Report | |
|---|---|
|
|
|
|
|
|
|
|
Source: iSixSigma
Look at an example for a claims process, and focus on the Record Claim task (event).
| Task | Input | Output | Risks | Opportunities | Condition | Sample Requirements |
|---|---|---|---|---|---|---|
| Record Claim | Customer Email | Case Record |
|
|
|
Business:
Non-Functional:
Functional:
|
Conducting elicitation typically takes the greatest part of the requirements management process. During elicitation, the designated BA(s) should be reviewing documentation, and conducting individual and group sessions with key stakeholders.
Elicitation is an iterative process – requirements should be refined in successive steps. If you need more information in the analysis phases, don’t be afraid to go back and conduct more elicitation.
Document any changes to the elicitation techniques in section 4.0 of the Requirements Gathering SOP and BA Playbook.
| Technique | Description | Assessment and Best Practices | Stakeholder Effort | BA Effort |
|---|---|---|---|---|
| Structured One-on-One Interview | In a structured one-on-one interview, the BA has a fixed list of questions to ask the stakeholder and follows up where necessary. | Structured interviews provide the opportunity to quickly home in on areas of concern that were identified during process mapping or group elicitation techniques. They should be employed with purpose, i.e. to receive specific stakeholder feedback on proposed requirements or to help identify systemic constraints. Generally speaking, they should be 30 minutes or less. | Low | Medium |
| Unstructured One-on-One Interview | In an unstructured one-on-one interview, the BA allows the conversation to flow free form. The BA may have broad themes to touch on but does not run down a specific question list. | Unstructured interviews are most useful for initial elicitation, when brainstorming a draft list of potential requirements is paramount. Unstructured interviews work best with senior stakeholders (sponsors or power users), since they can be time consuming if they’re applied to a large sample size. It’s important for BAs not to stifle open dialogue and allow the participants to speak openly. They should be 60 minutes or less. | Medium | Low |
Interviews should be used with high-value targets. Those who receive one-on-one face time can help generate good requirements, as well as allow effective communication around requirements at a later point (i.e. during the analysis and validation phases).
Use a clear interview approach to guide the preparation, facilitation styles, participants, and interview schedules you manage for a specific project.
Depending on your stakeholder audience and interview objectives, apply one or more of the following approaches to interviews.
Fosters direct engagement
IT is able to hear directly from stakeholders about what they are looking to do with a solution and the level of functionality that they expect from it.
Offers greater detail
With interviews, a greater degree of insight can be gained by leveraging information that wouldn’t be collected through traditional surveys. Face-to-face interactions provide thorough answers and context that helps inform requirements.
Removes ambiguity
Face-to-face interactions allow opportunities for follow-up around ambiguous answers. Clarify what stakeholders are looking for and expect in a project.
Enables stakeholder management
Interviews are a direct line of communication with a project stakeholder. They provide input and insight, and help to maintain alignment, plan next steps, and increase awareness within the IT organization.
Consider stakeholder types and characteristics, in conjunction with the best way to maximize time, when selecting which of the three interview structures to leverage during the elicitation phase of requirements gathering.
Review the following questions to determine what interview structure you should utilize. If you answer the question with “Yes,” then follow the corresponding recommendations for the interview elements.
| Question | Structure Type | Facilitation Technique | # of Participants |
|---|---|---|---|
| Do you have to interview multiple participants at once because of time constraints? | Semi-structured | Discussion | 1+ |
| Does the business or stakeholders want you to ask specific questions? | Structured | Q&A | 1 |
| Have you already tried an unsuccessful survey to gather information? | Semi-structured | Discussion | 1+ |
| Are you utilizing interviews to understand the area? | Unstructured | Discussion | 1+ |
| Do you need to gather requirements for an immediate project? | Structured | Q&A | 1+ |
Interviews should be used with high-value targets. Those who receive one-on-one face time can help generate good requirements and allow for effective communication around requirements during the analysis and validation stages.
Interviews generally follow the same workflow regardless of which structure you select. You must manage the process to ensure that the interview runs smoothly and results in an effective gathering requirements process.
The interview process may grind to a halt due to challenging situations. Below are common scenarios and corresponding troubleshooting techniques to get your interview back on track.
| Scenario | Technique |
|---|---|
| Quiet interviewee | Begin all interviews by asking courteous and welcoming questions. This technique will warm the interviewee up and make them feel more comfortable. Ask prompting questions during periods of silence in the interview. Take note of the answers provided by the interviewee in your interview guide, along with observations and impact statements that occur throughout the duration of the interview process. |
| Disgruntled interviewee | Avoid creating a hostile environment by eliminating the interviewee’s perception that you are choosing to focus on issues that the interviewee feels will not be resolved. Ask questions to contextualize the issue. For example, ask why they feel a particular way about the issue, and determine whether they have valid concerns that you can resolve. |
| Interviewee has issues articulating their answer | Encourage the interviewee to use a whiteboard or pen and paper to kick start their thought process. Make sure you book a room with these resources readily available. |
| Technique | Description | Assessment and Best Practices | Stakeholder Effort | BA Effort |
|---|---|---|---|---|
| Casual Observation | The process of observing stakeholders performing tasks where the stakeholders are unaware they are being observed. | Capture true behavior through observation of stakeholders performing tasks without informing them they are being observed. This information can be valuable for mapping business process; however, it is difficult to isolate the core business activities from unnecessary actions. | Low | Medium |
| Formal Observation | The process of observing stakeholders performing tasks where the stakeholders are aware they are being observed. | Formal observation allows BAs to isolate and study the core activities in a business process because the stakeholder is aware they are being observed. Stakeholders may become distrusting of the BA and modify their behavior if they feel their job responsibilities or job security are at risk | Low | Medium |
Info-Tech Insight
Observing stakeholders does not uncover any information about the target state. Be sure to use contextual observation in conjunction with other techniques to discover the target state.
| Technique | Description | Assessment and Best Practices | Stakeholder Effort | BA Effort |
|---|---|---|---|---|
| Closed-Response Survey | A survey that has fixed responses for each answer. A Likert-scale (or similar measures) can be used to have respondents evaluate and prioritize possible requirements. | Closed response surveys can be sent to large groups and used to quickly gauge user interest in different functional areas. They are easy for users to fill out and don’t require a high investment of time. However, their main deficit is that they are likely to miss novel requirements not listed. As such, closed response surveys are best used after initial elicitation or brainstorming to validate feature groups. | Low | Medium |
| Open-Response Survey | A survey that has open-ended response fields. Questions are fixed, but respondents are free to populate the field in their own words. Open-response surveys take longer to fill out than closed, but can garner deeper insights. | Open-response surveys are a useful supplement (and occasionally replacement) for group elicitation techniques, like focus groups, when you need to receive an initial list of requirements from a broad cross-section of stakeholders. Their primary shortcoming is the analyst can’t immediately follow up on interesting points. However, they are particularly useful for reaching stakeholders who are unavailable for individual one-on-ones or group meetings. | Low | Medium |
Info-Tech Insight
Surveys can be useful mechanisms for initial drafting of raw requirements (open-response) and gauging user interest in proposed requirements or feature sets (closed-response). However, they should not be the sole focus of your elicitation program due to lack of interactivity and two-way dialogue with the BA.
What are surveys?
Surveys take a sample population’s written responses for data collection. Survey respondents can identify themselves or choose to remain anonymous. Anonymity removes the fear of repercussions for giving critical responses to sensitive topics.
Who needs to be involved?
Participants of a survey include the survey writer, respondent(s), and results compiler. There is a moderate amount of work that comes from both the writer and compiler, with little work involved on the end of the respondent.
What are the benefits?
The main benefit of surveys is their ability to reach large population groups and segments without requiring personal interaction, thus saving money. Surveys are also very responsive and can be created and modified rapidly to address needs as they arise on an on-going basis.
Surveys are most valuable when completed early in the requirements gathering stage.
Intake and Scoping → Requirements Gathering → Solution Design → Development/ Procurement → Implementation/ Deployment
When a project is announced, develop surveys to gauge what users consider must-have, should-have, and could-have requirements.
Use surveys to profile the demand for specific requirements.
It is often difficult to determine if requirements are must haves or should haves. Surveys are a strong method to assist in narrowing down a wide range of requirements.
Are surveys worth the time and effort? Most of the time.
Surveys can generate insights. However, there are potential barriers:
Surveys should only be done if the above barriers can easily be overcome.
Scenario
There is an unclear picture of the business needs and functional requirements for a solution.
Survey Approach
Use open-ended questions to allow respondents to propose requirements they see as necessary.
Sample questions
What to do with your results
Take a step back
If you are using surveys to elicit a large number of requirements, there is probably a lack of clear scope and vision. Focus on scope clarification. Joint development sessions are a great technique for defining your scope with SMEs.
Moving ahead
Proper survey design determines how valuable the responses will be. Review survey principles released by the University of Wisconsin-Madison.
Provide context
Include enough detail to contextualize questions to the employee’s job duties.
Where necessary:
Give clear instructions
When introducing a question identify if it should be answered by giving one answer, multiple answers, or a ranking of answers.
Avoid IT jargon
Ensure the survey’s language is easily understood.
When surveying colleagues from the business use their own terms, not IT’s.
E.g. laptops vs. hardware
Saying “laptops” is more detailed and is a universal term.
Use ranges
Recommended:
In a month your Outlook fails:
Not Recommended:
Your Outlook fails:
Keep surveys short
Improve responses and maintain stakeholder interest by only including relevant questions that have corresponding actions.
Recommended: Keep surveys to ten or less prompts.
Scenario
There is a large list of requirements and the business is unsure of which ones to further pursue.
Survey Approach
Use closed-ended questions to give degrees of importance and rank requirements.
Sample questions
What to do with your results
Determine which requirements to further explore
Avoid simply aggregating average importance and using the highest average as the number-one priority. Group the highest average importance requirements to be further explored with other elicitation techniques.
Moving ahead
The group of highly important requirements needs to be further explored during interviews, joint development sessions, and rapid development sessions.
Scenario
The business wanted a closer look into a specific process to determine if the project could be improved to better address process issues.
Survey Approach
Use open-ended questions to allow employees to articulate very specific details of a process.
Sample questions
What to do with your results
Set up prototyping
Prototype a portion with the new requirement to see if it meets the user’s needs. Joint application development and rapid development sessions pair developers and users together to collaboratively build a solution.
Next steps
Free online surveys offer quick survey templates but may lack customization. Paid options include customizable features. Studies show that most participants find web-based surveys more appealing, as web surveys tend to have a higher rate of completion.
Potential Services (Not a comprehensive list)
SurveyMonkey – free and paid options
Good Forms – free options
Ideal for:
Paper surveys offer complete customizability. However, paper surveys take longer to distribute and record, and are also more expensive to administer.
Ideal for:
Internally-developed surveys can be distributed via the intranet or email. Internal surveys offer the most customization. Cost is the creator’s time, but cost can be saved on distribution versus paper and paid online surveys.
Ideal for:
| Technique | Description | Assessment and Best Practices | Stakeholder Effort | BA Effort |
|---|---|---|---|---|
| Focus Group | Focus groups are sessions held between a small group (typically ten individuals or less) and an experienced facilitator who leads the conversation in a productive direction. | Focus groups are highly effective for initial requirements brainstorming. The best practice is to structure them in a cross-functional manner to ensure multiple viewpoints are represented, and the conversation doesn’t become dominated by one particular individual. Facilitators must be wary of groupthink in these meetings (i.e. the tendency to converge on a single POV). | Medium | Medium |
| Workshop | Workshops are larger sessions (typically ten people or more) that are led by a facilitator, and are dependent on targeted exercises. Workshops may be occasionally decomposed into smaller group sessions. | Workshops are highly versatile: they can be used for initial brainstorming, requirement prioritization, constraint identification, and business process mapping. Typically, the facilitator will use exercises or activities (such as whiteboarding, sticky note prioritization, role-playing, etc.) to get participants to share and evaluate sets of requirements. The main downside to workshops is a high time commitment from both stakeholders and the BA. | Medium | High |
Info-Tech Insight
Group elicitation techniques are most useful for gathering a wide spectrum of requirements from a broad group of stakeholders. Individual or observational techniques are typically needed for further follow-up and in-depth analysis with critical power users or sponsors.
There are two specific types of group interviews that can be utilized to elicit requirements: focus groups and workshops. Understand each type’s strengths and weaknesses to determine which is better to use in certain situations.
| Focus Groups | Workshops | |
|---|---|---|
| Description |
|
|
| Strengths |
|
|
| Weaknesses |
|
|
| Facilitation Guidance |
|
|
| Technique | Description | Assessment and Best Practices | Stakeholder Effort | BA Effort |
|---|---|---|---|---|
| Solution Mapping Session | A one-on-one session to outline business processes. BPM methods are used to write possible target states for the solution on a whiteboard and to engineer requirements based on steps in the model. | Solution mapping should be done with technically savvy stakeholders with a firm understanding of BPM methodologies and nomenclature. Generally, this type of elicitation method should be done with stakeholders who participated in tier one elicitation techniques who can assist with reverse-engineering business models into requirement lists. | Medium | Medium |
| Joint Requirements Review Session | This elicitation method is sometimes used as a last step prior to moving to formal requirements analysis. During the review session, the rough list of requirements is vetted and confirmed with stakeholders. | A one-on-one (or small group) requirements review session gives your BAs the opportunity to ensure that what was recorded/transcribed during previous one-on-ones (or group elicitation sessions) is materially accurate and representative of the intent of the stakeholder. This elicitation step allows you to do a preliminary clean up of the requirements list before entering the formal analysis phase. | Low | Low |
Info-Tech Insight
Solution mapping and joint requirements review sessions are more advanced elicitation techniques that should be employed after preliminary techniques have been utilized. They should be reserved for technically sophisticated, high-value stakeholders.
| Technique | Description | Assessment and Best Practices | Stakeholder Effort | BA Effort |
|---|---|---|---|---|
| Interactive White- boarding | A group session where either a) requirements are converted to BPM diagrams and process flows, or b) these flows are reverse engineered to distil requirement sets. | While the focus of workshops and focus groups is more on direct requirements elicitation, interactive whiteboarding sessions are used to assist with creating initial solution maps (or reverse engineering proposed solutions into requirements). By bringing stakeholders into the process, the BA benefits from a greater depth of experience and access to SMEs. | Medium | Medium |
| Joint Application Development (JAD) | JAD sessions pair end-user teams together with developers (and BA facilitators) to collect requirements and begin mapping and developing prototypes directly on the spot. | JAD sessions fit well with organizations that use Agile processes. They are particularly useful when the overall project scope is ambiguous; they can be used for project scoping, requirements definition, and initial prototyping. JAD techniques are heavily dependent on having SMEs in the room – they should preference knowledge power users over the “rank and file.” | High | High |
Info-Tech Insight
Interactive whiteboarding should be heavily BPM-centric, creating models that link requirements to specific workflow activities. Joint development sessions are time-consuming but create greater cohesion and understanding between BAs, developers, and SMEs.
| Technique | Description | Assessment and Best Practices | Stakeholder Effort | BA Effort |
|---|---|---|---|---|
| Rapid Application Development | A form of prototyping, RAD sessions are akin to joint development sessions but with greater emphasis on back-and-forth mock-ups of the proposed solution. | RAD sessions are highly iterative – requirements are gathered in sessions, developers create prototypes offline, and the results are validated by stakeholders in the next meeting. This approach should only be employed in highly Agile-centric environments. | High | High |
For more information specific to using the Agile development methodology, refer to the project blueprint Implement Agile Practices That Work.
The role of the BA differs with an Agile approach to requirements gathering. A traditional BA is a subset of the Agile BA, who typically serves as product owner. Agile BAs have elevated responsibilities that include bridging communication between stakeholders and developers, prioritizing and detailing the requirements, and testing solutions.
Use the following slides to gain a thorough understanding of both JAD and rapid development sessions (RDS) to decide which fits your project best.
| Joint Application Development | Rapid Development Sessions | |
|---|---|---|
| Description | JAD pairs end users and developers with a facilitator to collect requirements and begin solution mapping to create an initial prototype. | RDS is an advanced approach to JAD. After an initial meeting, prototypes are developed and validated by stakeholders. Improvements are suggested by stakeholders and another prototype is created. This process is iterated until a complete solution is created. |
| Who is involved? | End users, SMEs, developers, and a facilitator (you). | |
| Who should use this technique? | JAD is best employed in an Agile organization. Agile organizations can take advantage of the high amount of collaboration involved. RDS requires a more Agile organization that can effectively and efficiently handle impromptu meetings to improve iterations. | |
| Time/effort versus value | JAD is a time/effort-intensive activity, requiring different parties at the same time. However, the value is well worth it. JAD provides clarity for the project’s scope, justifies the requirements gathered, and could result in an initial prototype. | RDS is even more time/effort intensive than JAD. While it is more resource intensive, the reward is a more quickly developed full solution that is more customized with fewer bugs. |
Projects that use JAD should not expect dramatically quicker solution development. JAD is a thorough look at the elicitation process to make sure that the right requirements are found for the final solution’s needs. If done well, JAD eliminates rework.
Employees vary in their project engagement. Certain employees leverage JAD because they care about the solution. Others are asked for their expertise (SMEs) or because they perform the process often and understand it well.
JAD’s thorough process guarantees that requirements gathering is done well.
Projects that use RDS can either expect quicker or slower requirements gathering depending on the quality of iteration. If each iteration solves a requirement issue, then one can expect that the solution will be developed fairly rapidly. If the iterations fail to meet requirements the process will be quite lengthy.
Employees doing RDS are typically very engaged in the project and play a large role in helping to create the solution.
RDS success is tied to the organization’s ability to collaborate. Strong collaboration will lead to:
Poor collaboration will lead to RDS losing its full value.
JAD is best employed in an Agile organization for application development and selection. This technique best serves relatively complicated, large-scale projects that require rapid or sequential iterations on a prototype or solution as a part of requirements gathering elicitation. JAD effectuates each step in the elicitation process well, from initial elicitation to narrowing down requirements.
Most requirement gathering professionals will use their experience with project type standards to establish key requirements. Avoid only relying on standards when tackling a new project type. Apply JAD’s structured approach to a new project type to be thorough during the elicitation phase.
While JAD is an overarching requirements elicitation technique, it should not be the only one used. Combine the strengths of other elicitation techniques for the best results.
RDS is best utilized when one, but preferably both, of the below criteria is met.
RDS’ strengths lie in being able to tailor-make certain aspects of the solution. If the solution is too large, tailor-made sections are impossible as multiple user groups have different needs or there is insufficient resources. When a project is small to medium sized, developers can take the time to custom make sections for a specific user group.
RDS requires developers spending a large amount of time with users, leaving less time for development. Having developers at the ready to take on users’ improvement maintains the effectiveness of RDS. If the same developer who speaks to users develops the entire iteration, the process would be slowed down dramatically, losing effectiveness.
JAD relies on unstructured conversations to clarify scope, gain insights, and discuss prototyping. However, a structure must exist to guarantee that all topics are discussed and meetings are not wasted.
JAD often involves visually illustrating how high-level concepts connect as well as prototypes. Use solution mapping and interactive whiteboarding to help users and participants better understand the solution.
Having a group development session provides all the benefits of focus groups while reducing time spent in the typically time-intensive JAD process.
1. Prepare for the meeting
Email all parties a meeting overview of topics that will be discussed.
2. Discussion
3. Wrap-up
4. Follow-up
JAD provides a detail-oriented view into the elicitation process. As a facilitator, take detailed notes to maximize the outputs of JAD.
1. Prepare for the meeting
2. Hold the discussion
3. Wrap-up
4. Follow-up
RDS is best done in quick succession. Keep in constant contact with both employees and developers to maintain positive momentum from a successful iteration improvement.
JAD/RDS are both collaborative activities, and as with all group activities, issues are bound to arise. Be proactive and resolve issues using the following guidelines.
| Scenario | Technique |
|---|---|
| Employee and developer visions for the solution don’t match up | Focus on what both solutions have in common first to dissolve any tension. Next, understand the reason why both parties have differences. Was it a difference in assumptions? Difference in what is a requirement? Once the answer has been determined, work on bridging the gaps. If there is no resolution, appoint a credible authority (or yourself) to become the final decision maker. |
| Employee has difficulty understanding the technical aspect of the developer’s solution | Translate the developer’s technical terms into a language that the employee understands. Encourage the employee to ask questions to further their understanding. |
| Employee was told that their requirement or proposed solution is not feasible | Have a high-level member of the development team explain how the requirement/solution is not feasible. If it’s possible, tell the employee that the requirement can be done in a future release and keep them updated. |
| Technique | Description | Assessment and Best Practices | Stakeholder Effort | BA Effort |
|---|---|---|---|---|
| Legacy System Manuals | The process of reviewing documentation and manuals associated with legacy systems to identify constraints and exact requirements for reuse. | Reviewing legacy systems and accompanying documentation is an excellent way to gain a preliminary understanding of the requirements for the upcoming application. Be careful not to overly rely on requirements from legacy systems; if legacy systems have a feature set up one way, this does not mean it should be set up the same way on the upcoming application. If an upcoming application must interact with other systems, it is ideal to understand the integration points early. | None | High |
| Historical Projects | The process of reviewing documentation from historical projects to extract reusable requirements. | Previous project documentation can be a great source of information and historical lessons learned. Unfortunately, historical projects may not be well documented. Historical mining can save a great deal of time; however, the fact that it was done historically does not mean that it was done properly. | None | High |
Info-Tech Insight
Document mining is a laborious process, and as the term “mining” suggests the yield will vary. Regardless of the outcome, document mining must be performed and should be viewed as an investment in the requirements gathering process.
| Technique | Description | Assessment and Best Practices | Stakeholder Effort | BA Effort |
|---|---|---|---|---|
| Rules | The process of extracting business logic from pre-existing business rules (e.g. explicit or implied workflows). | Stakeholders may not be fully aware of all of the business rules or the underlying rationale for the rules. Unfortunately, business rule documents can be lengthy and the number of rules relevant to the project will vary. | None | High |
| Glossary | The process of extracting terminology and definitions from glossaries. | Terminology and definitions do not directly lead to the generation of requirements. However, reviewing glossaries will allow BAs to better understand domain SMEs and interpret their requirements. | None | High |
| Policy | The process of extracting business logic from business policy documents (e.g. security policy and acceptable use). | Stakeholders may not be fully aware of the different policies or the underlying rationale for why they were created. Going directly to the source is an excellent way to identify constraints and requirements. Unfortunately, policies can be lengthy and the number of items relevant to the project will vary. | None | High |
Info-Tech Insight
Document mining should be the first type of elicitation activity that is conducted because it allows the BA to become familiar with organizational terminology and processes. As a result, the stakeholder facing elicitation sessions will be more productive.
1. Glossary
Extract terminology and definitions from glossaries. A glossary is an excellent source to understand the terminology that SMEs will use.
2. Policy
Pull business logic from policy documents (e.g. security policy and acceptable use). Policies generally have mandatory requirements for projects, such as standard compliance requirements.
3. Rules
Review and reuse business logic that comes from pre-existing rules (e.g. explicit or implied workflows). Like policies, rules often have mandatory requirements or at least will require significant change for something to no longer be a requirement.
4. Legacy System
Review documents and manuals of legacy systems, and identify reusable constraints and requirements. Benefits include:
Remember to not use all of the basic requirements of a legacy system. Always strive to find a better, more productive solution.
5. Historical Projects
Review documents from historical projects to extract reusable requirements. Lessons learned from the company’s previous projects are more applicable than case studies. While historical projects can be of great use, consider that previous projects may not be well documented.
Project managers frequently state that aligning projects to the business goals is a key objective of effective project management; however, it is rarely carried out throughout the project itself. This gap is often due to a lack of understanding around how to create true alignment between individual projects and the business needs.
Extract business wants and needs from official statements and reports (e.g. press releases, yearly reports). Statements and reports outline where the organization wants to go which helps to unearth relevant project requirements.
Documented requirements should always align with the scope of the project and the business objectives. Refer back frequently to your set of gathered requirements to check if they are properly aligned and ensure the project is not veering away from the original scope and business objectives.
The largest problem with documentation review is that requirements gathering professionals do it for the sake of saying they did it. As a result, projects often go off course due to not aligning to business objectives following the review sessions.
There is a time and place for each technique. Don’t become too reliant on the same ones. Diversify your approach based on the elicitation goal.
This table shows the relative strengths and weaknesses of each elicitation technique compared against the five basic elicitation scenarios.
A typical project will encounter most of the elicitation scenarios. Therefore, it is important to utilize a healthy mix of techniques to optimize effectiveness.
Very Strong = Very Effective
Strong = Effective
Medium = Somewhat Effective
Weak = Minimally Effective
Very Weak = Not Effective
Record the approved elicitation methods and best practices for each technique in the SOP.
Identify which techniques should be utilized with the different stakeholder classes.
Segment the different techniques based by project complexity level.
Use the following chart to record the approved techniques.
| Stakeholder | L1 Projects | L2 Projects | L3 Projects | L4 Projects |
|---|---|---|---|---|
| Senior Management | Structured Interviews | |||
| Project Sponsor | Unstructured Interviews | |||
| SME (Business) | Focus Groups | Unstructured Interviews | ||
| Functional Manager | Focus Groups | Structured Interviews | ||
| End Users | Surveys; Focus Groups; Follow-Up Interviews; Observational Techniques | |||
Document the output from this exercise in section 4.0 of the Requirements Gathering SOP and BA Playbook.
Open lines of communication with stakeholders and keep them involved in the requirements gathering process; confirm the initial elicitation before proceeding.
Confirming the notes from the elicitation session with stakeholders will result in three benefits:
This is the Confirm stage of the Confirm, Verify, Approve process.
“Are these notes accurate and complete?”
An analyst will walk you through the different elicitation techniques including observations, document reviews, surveys, focus groups, and interviews, and highlight the level of effort required for each.
An analyst will facilitate the discussion to determine which techniques should be utilized with the different stakeholder classes.
1.1 Understand the Benefits of Requirements Optimization
1.2 Determine Your Target State for Requirements Gathering
2.1 Determine Elicitation Techniques
2.2 Structure Elicitation Output
3.1 Create Analysis Framework
3.2 Validate Business Requirements
4.1 Create Control Processes for Requirements Changes
4.2 Build Requirements Governance and Communication Plan
Unstructured notes for each requirement are difficult to manage and create ambiguity. Using solution-oriented formats during elicitation sessions ensures that the content can be digested by IT and business users.
This table shows common solution-oriented formats for recording requirements. Determine which formats the development team and BAs are comfortable using and create a list of acceptable formats to use in projects.
| Format | Description | Examples |
|---|---|---|
| Behavior Diagrams | These diagrams describe what must happen in the system. | Business Process Models, Swim Lane Diagram, Use Case Diagram |
| Interaction Diagrams | These diagrams describe the flow and control of data within a system. | Sequence Diagrams, Entity Diagrams |
| Stories | These text-based representations take the perspective of a user and describe the activities and benefits of a process. | Scenarios, User Stories |
Info-Tech Insight
Business process modeling is an excellent way to visually represent intricate processes for both IT and business users. For complex projects with high business significance, business process modeling is the best way to capture requirements and create transformational gains.
Define Use Cases for Each Stakeholder
Define Applications for Each Use Case
Consider the following guidelines:
Use cases can conflict with each other. In certain situations, specific requirements of these use cases may clash with one another even though they are functionally sound. Evaluate use-case requirements and determine how they satisfy the overall business need.
Use cases are not necessarily isolated; they can be nested. Certain functionalities are dependent on the results of another action, often in a hierarchical fashion. By mapping out the expected workflows, BAs can determine the most appropriate way to implement.
Use cases can be functionally implemented in many ways. There could be multiple ways to accomplish the same use case. Each of these needs to be documented so that functional testing and user documentation can be based on them.
| Log Into Account | ← Depends on (Nested) | Ordering Products Online |
|---|---|---|
| Enter username and password | Complete order form | |
| Verify user is a real person | Process order | |
| Send user forgotten password message | Check user’s account | |
| Send order confirmation to user |
Inspector: Log into system → Search for case → Identify recipient → Determine letter type → Print letter
Admin: Receive letter from inspector → Package and mail letter
Citizen: Receive letter from inspector
What are they?
User stories describe what requirement a user wants in the solution and why they want it. The end goal of a user story is to create a simple description of a requirement for developers.
When to use them
User stories should always be used in requirements gathering. User stories should be collected throughout the elicitation process. Try to recapture user stories as new project information is released to capture any changes in end-customer needs.
What’s the benefit?
User stories help capture target users, customers, and stakeholders. They also create a “face” for individual user requirements by providing user context. This detail enables IT leaders to associate goals and end objectives with each persona.
Takeaway
To better understand the characteristics driving user requirements, begin to map objectives to separate user personas that represent each of the project stakeholders.
Are user stories worth the time and effort?
Absolutely.
A user’s wants and needs serve as a constant reminder to developers. Developers can use this information to focus on how a solution needs to accomplish a goal instead of only focusing on what goals need to be completed.
Instructions
| As a | I want to | So that | Size | Priority |
|---|---|---|---|---|
| Developer | Learn network and system constraints | The churn between Operations and I will be reduced. | 1 point | Low |
|
Team member |
Increase the number of demonstrations | I can achieve greater alignment with business stakeholders. | 3 points | High |
| Product owner | Implement a user story prioritization technique | I can delegate stories in my product backlog to multiple Agile teams. | 3 points | Medium |
Keep your user stories short and impactful to ensure that they retain their impact.
As a [stakeholder title], I want to [one requirement] so that [reason for wanting that requirement].
Use this template for all user stories. Other formats will undermine the point of a user story. Multiple requirements from a single user must be made into multiple stories and given to the appropriate developer. User stories should fit onto a sticky note or small card.
| As an: | I want to: | So that: | |
|---|---|---|---|
| ✓ | Administrator | Integrate with Excel | File transfer won’t possibly lose information |
| X | Administrator | Integrate with Excel and Word | File transfer won’t possibly lose information |
While the difference between the two may be small, it would still undermine the effectiveness of a user story. Different developers may work on the integration of Excel or Word and may not receive this user story.
Size is an estimate of how many resources must be dedicated to accomplish the want. Assign a size to each user story to help determine resource allocation.
Based on how important the requirement is to project success, assign each user story a rating of high, medium, or low. The priority given will dictate which requirements are completed first.
Example:
Scope: Design software to simplify financial reporting
| User Story | Estimated Size | Priority |
|---|---|---|
| As an administrator, I want to integrate with Excel so that file transfer won’t possibly lose information. | Low | High |
| As an administrator, I want to simplify graph construction so that I can more easily display information for stakeholders. | High | Medium |
Combine both size and priority to decide resource allocation. Low-size, high-priority tasks should always be done first.
When collecting user stories, many will be centered around the same requirement. Group similar user stories together to show the need for that requirement’s inclusion in the solution.
Even if it isn’t a must-have requirement, if the number of similar user stories is high enough, it would become the most important should-have requirement.
| As an | I want | So that |
|---|---|---|
| Administrator | To be able to create bar graphs | Information can be more easily illustrated |
| Accountant | To be able to make pie charts | Budget information can be visually represented |
Both user stories are about creating charts and would be developed similarly.
| As an | I want | So that |
|---|---|---|
| Administrator | The program to auto-save | Information won’t be lost during power outages |
| Accountant | To be able to save to SharePoint | My colleagues can easily view and edit my work |
While both stories are about saving documents, the development of each feature is vastly different.
User profiles are a way of grouping users based on a significant shared details (e.g. in the finance department, website user).
Go beyond the user profile
When creating the profile, consider more than the group’s name. Ask yourself the following questions:
For example, if a user profile has low expertise but interacts and depends heavily on the program, a more thorough tutorial of the FAQ section is needed.
Profiles put developers in user’s shoes
Grouping users together helps developers put a face to the name. Developers can then more easily empathize with users and develop an end solution that is directly catered to their needs.
Work in groups to run through the following story-sizing activities.
Planning Poker: This approach uses the Delphi method where members estimate the size of each user story by revealing numbered cards. These estimates are then discussed and agreed upon as a group.
Team Sort: This approach can assist in expediting estimation when you are handling numerous user stories.
Use the product backlog to capture expected work and create a roadmap for the project by showing what requirements need to be delivered.
How is the product owner involved?
How do I create a product backlog?
What are the approaches to generate my backlog?
Epics and Themes
As you begin to take on larger projects, it may be advantageous to organize and group your user stories to simplify your release plan:
To avoid confusion, the pilot product backlog will be solely composed of user stories.
Example:
| Theme: Increase user exposure to corporate services through mobile devices | |
|---|---|
| Epic: Access corporate services through a mobile application | Epic: Access corporate services through mobile website |
| User Story: As a user, I want to find the closest office so that I can minimize travel time As a user, I want to find the closest office so that I can minimize travel time | User Story: As a user, I want to submit a complaint so that I can improve company processes |
Overview
Leverage Info-Tech’s Scrum Documentation Template, using the Backlog and Planning tab, to help walk you through this activity.
Instructions
Examples:
As a citizen, I want to know about road construction so that I can save time when driving. Business Value: High
As a customer, I want to find the nearest government office so that I can register for benefits. Business Value: Medium
As a voter, I want to know what each candidate believes in so that I can make an informed decision. Business Value: High
2.2.1 Build use-case models
An analyst will assist in demonstrating how to use elicitation techniques to build use-case models. The analyst will walk you through the table testing to visually map out and design process flows for each use case.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Start with an analyst kick off call:
Then complete these activities…
With these tools & templates:
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Phase 3 Results & Insights:
1.1 Understand the Benefits of Requirements Optimization
1.2 Determine Your Target State for Requirements Gathering
2.1 Determine Elicitation Techniques
2.2 Structure Elicitation Output
3.1 Create Analysis Framework
3.2 Validate Business Requirements
4.1 Create Control Processes for Requirements Changes
4.2 Build Requirements Governance and Communication Plan
The analysis phase is where requirements are compiled, categorized, and prioritized to make managing large volumes easier. Many organizations prematurely celebrate being finished the elicitation phase and do not perform adequate diligence in this phase; however, the analysis phase is crucial for a smooth transition into validation and application development or procurement.
Eliciting requirements is an important step in the process, but turning endless pages of notes into something meaningful to all stakeholders is the major challenge.
Begin the analysis phase by categorizing requirements to make locating, reconciling, and managing them much easier. There are often complex relationships and dependencies among requirements that do not get noted or emphasized to the development team and as a result get overlooked.
Typically, requirements are classified as functional and non-functional at the high level. Functional requirements specify WHAT the system or component needs to do and non-functional requirements explain HOW the system must behave.
Examples
Functional Requirement: The application must produce a sales report at the end of the month.
Non-Functional Requirement: The report must be available within one minute after midnight (EST) of the last day of the month. The report will be available for five years after the report is produced. All numbers in the report will be displayed to two decimal places.
Further sub-categorization of requirements is necessary to realize the full benefit of categorization. Proficient BAs will even work backwards from the categories to drive the elicitation sessions. The categories used will depend on the type of project, but for categorizing non-functional requirements, the Volere Requirements Resources has created an exhaustive list of sub-categories.
| Requirements Category | Elements |
Example |
|---|---|---|
| Look & Feel | Appearance, Style |
User Experience |
| Usability & Humanity | Ease of Use, Personalization, Internationalization, Learning, Understandability, Accessibility | Language Support |
| Performance | Speed, Latency, Safety, Precision, Reliability, Availability, Robustness, Capacity, Scalability, Longevity | Bandwidth |
| Operational & Environmental | Expected Physical Environment, Interfacing With Adjacent Systems, Productization, Release | Heating and Cooling |
| Maintainability & Support | Maintenance, Supportability, Adaptability | Warranty SLAs |
|
Security |
Access, Integrity, Privacy, Audit, Immunity | Intrusion Prevention |
| Cultural & Political | Global Differentiation | Different Statutory Holidays |
| Legal | Compliance, Standards | Hosting Regulations |
Complete – Expressed a whole idea or statement.
Correct – Technically and legally possible.
Clear – Unambiguous and not confusing.
Verifiable – It can be determined that the system meets the requirement.
Necessary – Should support one of the project goals.
Feasible – Can be accomplished within cost and schedule.
Prioritized – Tracked according to business need levels.
Consistent – Not in conflict with other requirements.
Traceable – Uniquely identified and tracked.
Modular – Can be changed without excessive impact.
Design-independent – Does not pose specific solutions on design.
Document any changes to the requirements categories in section 5.1 of the Requirements Gathering SOP and BA Playbook.
After elicitation, it is very common for an organization to end up with redundant, complementary, and conflicting requirements. Consolidation will make managing a large volume of requirements much easier.
| Redundant Requirements | Owner | Priority | |
|---|---|---|---|
| 1. | The application shall feed employee information into the payroll system. | Payroll | High |
| 2. | The application shall feed employee information into the payroll system. | HR | Low |
| Result | The application shall feed employee information into the payroll system. | Payroll & HR | High |
| Complementary Requirements | Owner | Priority | |
|---|---|---|---|
| 1. | The application shall export reports in XLS and PDF format. | Marketing | High |
| 2. | The application shall export reports in CSV and PDF format. | Finance | High |
| Result | The application shall export reports in XLS, CSV, and PDF format. | Marketing & Finance | High |
Info-Tech Insight
When collapsing redundant or complementary requirements, it is imperative that the ownership and priority metadata be preserved for future reference. Avoid consolidating complementary requirements with drastically different priority levels.
Conflicting requirements are unavoidable; identify and resolve them as early as possible to minimize rework and grief.
Conflicting requirements occur when stakeholders have requirements that either partially or fully contradict one another, and as a result, it is not possible or practical to implement all of the requirements.
Steps to Resolving Conflict:
Info-Tech Insight
Resolve conflicts whenever possible during the elicitation phase by using cross-functional workshops to facilitate discussions that address and settle conflicts in the room.
Review the outputs from the last exercise and ensure that the list is mutually exclusive by consolidating similar requirements and eliminating redundancies.
Prioritization is the process of ranking each requirement based on its importance to project success. Hold a separate meeting for the domain SMEs, implementation SMEs, project managers, and project sponsors to prioritize the requirements list. At the conclusion of the meeting, each requirement should be assigned a priority level. The implementation SMEs will use these priority levels to ensure efforts are targeted towards the proper requirements as well as to plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order requirements.
The MoSCoW Model of Prioritization
The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994 (Source: ProductPlan).
Effective Prioritization Criteria
| Criteria |
Description |
|---|---|
| Regulatory & Legal Compliance | These requirements will be considered mandatory. |
| Policy Compliance | Unless an internal policy can be altered or an exception can be made, these requirements will be considered mandatory. |
| Business Value Significance | Give a higher priority to high-value requirements. |
| Business Risk | Any requirement with the potential to jeopardize the entire project should be given a high priority and implemented early. |
| Likelihood of Success | Especially in proof-of-concept projects, it is recommended that requirements have good odds. |
| Implementation Complexity | Give a higher priority to low implementation difficulty requirements. |
| Alignment With Strategy | Give a higher priority to requirements that enable the corporate strategy. |
| Urgency | Prioritize requirements based on time sensitivity. |
| Dependencies | A requirement on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it. |
Info-Tech Insight
It is easier to prioritize requirements if they have already been collapsed, resolved, and rewritten. There is no point in prioritizing every requirement that is elicited up front when some of them will eventually be eliminated.
Use the Requirements Gathering Documentation Tool to identify and track stakeholder involvement, elicitation techniques, and scheduling, as well as to track categorization and prioritization of requirements.
Using the output from the MoSCoW model, prioritize the requirements according to those you must have, should have, could have, and won’t have.
3.1.1 Create functional requirements categories
An analyst will facilitate the discussion to brainstorm and determine criteria for requirements categories.
3.1.2 Consolidate similar requirements and eliminate redundancies
An analyst will facilitate a session to review the requirements categories to ensure the list is mutually exclusive by consolidating similar requirements and eliminating redundancies.
3.1.3 Prioritize requirements
An analyst will facilitate the discussion on how to prioritize requirements according to the MoSCoW prioritization framework. The analyst will also walk you through the exercise of determining dependencies for each requirement.
1.1 Understand the Benefits of Requirements Optimization
1.2 Determine Your Target State for Requirements Gathering
2.1 Determine Elicitation Techniques
2.2 Structure Elicitation Output
3.1 Create Analysis Framework
3.2 Validate Business Requirements
4.1 Create Control Processes for Requirements Changes
4.2 Build Requirements Governance and Communication Plan
This step involves the following participants:
Outcomes of this step
The validation phase involves translating the requirements, modeling the solutions, allocating features across the phased deployment plan, preparing the requirements package, and getting requirement sign-off. This is the last step in the Info-Tech Requirements Gathering Framework.
Before going for final sign-off, ensure that you have pulled together all of the relevant documentation.
The requirements package is a compilation of all of the business analysis and requirements gathering that occurred. The document will be distributed among major stakeholders for review and sign-off.
Some may argue that the biggest challenge in the validation phase is getting the stakeholders to sign off on the requirements package; however, the real challenge is getting them to actually read it. Often, stakeholders sign the requirements document without fully understanding the scope of the application, details of deployment, and how it affects them.
Remember, this document is not for the BAs; it’s for the stakeholders. Make the package with the stakeholders in mind. Create multiple versions of the requirements package where the length and level of technical details is tailored to the audience. Consider creating a supplementary PowerPoint version of the requirements package to present to senior management.
Contents of Requirements Package:
"Sit down with your stakeholders, read them the document line by line, and have them paraphrase it back to you so you’re on the same page." – Anonymous City Manager of IT Project Planning Info-Tech Interview
The BRD captures the original business objectives and high-level business requirements for the system/process. The system requirements document (SRD) captures the more detailed functional and technical requirements.
The Business Requirements Document Template can be used to record the functional, quality, and usability requirements into formats that are easily consumable for future analysis, architectural and design activities, and most importantly in a format that is understandable by all business partners.
The BRD is designed to take the reader from a high-level understanding of the business processes down to the detailed automation requirements. It should capture the following:
Build the required documentation for requirements gathering.
Document the output from this exercise in section 6 of the Requirements Gathering SOP and BA Playbook.
Practice presenting the requirements document to business stakeholders.
Example:
| Typical Requirements Gathering Validation Meeting Agenda | |
|---|---|
| Project overview | 5 minutes |
| Project operating model | 10 minutes |
| Prioritized requirements list | 5 minutes |
| Business process model | 30 minutes |
| Implementation considerations | 5 minutes |
Practice translating business requirements into system requirements.
Download the Requirements Gathering Testing Checklist template.
Identify how to test the effectiveness of different requirements.
Keep the stakeholders involved in the process in between elicitation and sign-off to ensure that nothing gets lost in transition.
After an organization’s requirements have been aggregated, categorized, and consolidated, the business requirements package will begin to take shape. However, there is still a great deal of work to complete. Prior to proceeding with the process, requirements should be verified by domain SMEs to ensure that the analyzed requirements continue to meet their needs. This step is often overlooked because it is laborious and can create additional work; however, the workload associated with verification is much less than the eventual rework stemming from poor requirements.
All errors in the requirements gathering process eventually surface; it is only a matter of time. Control when these errors appear and minimize costs by soliciting feedback from stakeholders early and often.
This is the Verify stage of the Confirm, Verify, Approve process.
“Do these requirements still meet your needs?”
Use the sign-off process as one last opportunity to manage expectations, obtain commitment from the stakeholders, and minimize change requests.
Development or procurement of the application cannot begin until the requirements package has been approved by all of the key stakeholders. This will be the third time that the stakeholders are asked to review the requirements; however, this will be the first time that the stakeholders are asked to sign off on them.
It is important that the stakeholders understand the significance of their signatures. This is their last opportunity to see exactly what the solution will look like and to make change requests. Ensure that the stakeholders also recognize which requirements were omitted from the solution that may affect them.
The sign-off process needs to mean something to the stakeholders. Once a signature is given, that stakeholder must be accountable for it and should not be able to make change requests. Note that there are some requests from senior stakeholders that can’t be refused; use discretion when declining requests.
This is the Approve stage of the Confirm, Verify, Approve process.
"Once requirements are signed off, stay firm on them!" – Anonymous Hospital Business Systems Analyst Info-Tech Interview
3.2.1; 3.2.2 Rightsize the BRD and present it to business stakeholders
An analyst will facilitate the discussion to gather the required documentation for building the BRD. The analyst will also assist with practicing the presenting of each section of the document to business stakeholders.
3.2.3; 3.2.4 Translate business requirements into technical requirements and identify testing opportunities
An analyst will facilitate the session to practice translating business requirements into testing requirements and assist in determining how to test the effectiveness of different requirements.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 3 weeks
Start with an analyst kick off call:
Then complete these activities…
With these tools & templates:
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Requirements Gathering Communication Tracking Template
1.1 Understand the Benefits of Requirements Optimization
1.2 Determine Your Target State for Requirements Gathering
2.1 Determine Elicitation Techniques
2.2 Structure Elicitation Output
3.1 Create Analysis Framework
3.2 Validate Business Requirements
4.1 Create Control Processes for Requirements Changes
4.2 Build Requirements Governance and Communication Plan
Although the manage, communicate, and test requirements section chronologically falls as the last section of this blueprint, that does not imply that this section is to be performed only at the end. These tasks are meant to be completed iteratively throughout the project to support the core requirements gathering tasks.
Once the stakeholders sign off on the requirements document, any changes need to be tracked and managed. To do that, you need a change control process.
Thoroughly validating requirements should reduce the amount of change requests you receive. However, eliminating all changes is unavoidable.
The BAs, sponsor, and stakeholders should have agreed upon a clearly defined scope for the project during the planning phase, but there will almost always be requests for change as the project progresses. Even a high number of small changes can negatively impact the project schedule and budget.
To avoid scope creep, route all changes, including small ones, through a formal change control process that will be adapted depending on the level of project and impact of the change.
Document any changes from this exercise in section 7.1 of the Requirements Gathering SOP and BA Playbook.
Determine how changes will be escalated for level 1/2/3/4 projects.
Document any changes from this exercise in section 7.2 of the Requirements Gathering SOP and BA Playbook.
| Impact Category | Final Decision Rests With Project Manager If: | Escalate to Steering Committee If: | Escalate to Change Control Board If: | Escalate to Sponsor If: |
|---|---|---|---|---|
| Scope |
|
|
||
| Budget |
|
|
|
|
| Schedule |
|
|
|
|
| Requirements |
|
|
| Impact Category | Final Decision Rests With Project Manager If: | Escalate to Steering Committee If: | Escalate to Sponsor If: |
|---|---|---|---|
| Scope |
|
| |
| Budget |
|
| |
| Schedule |
|
| |
| Requirements |
|
|
Info-Tech Deliverable
Take advantage of Info-Tech’s Requirements Traceability Matrix to track requirements from inception through to testing.
Review the requirements gathering process and control levels for project levels 1/2/3/4 and add as much detail as possible to each process.
Document the output from this exercise in section 2.4 of the Requirements Gathering SOP and BA Playbook.
Understand who is responsible, accountable, consulted, and informed for key elements of the requirements gathering process for project levels 1/2/3/4.
| Project Requestor | Project Sponsor | Customers | Suppliers | Subject Matter Experts | Vendors | Executives | Project Management | IT Management | Developer/ Business Analyst | Network Services | Support | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Intake Form | A | C | C | I | R | |||||||
| High-Level Business Case | R | A | C | C | C | C | I | I | C | |||
| Project Classification | I | I | C | I | R | A | R | |||||
| Project Approval | R | R | I | I | I | I | I | I | A | I | I | |
| Project Charter | R | C | R | R | C | R | I | A | I | R | C | C |
| Develop BRD | R | I | R | C | C | C | R | A | C | C | ||
| Sign-Off on BRD/ Project Charter | R | A | R | R | R | R | ||||||
| Develop System Requirements | C | C | C | R | I | C | A | R | R | |||
| Sign-Off on SRD | R | R | R | I | A | R | R | |||||
| Testing/Validation | A | I | R | C | R | C | R | I | R | R | ||
| Change Requests | R | R | C | C | A | I | R | C | ||||
| Sign-Off on Change Request | R | A | R | R | R | R | ||||||
| Final Acceptance | R | A | R | I | I | I | I | R | R | R | I | I |
4.1.1; 4.1.2 Develop a change control process and guidelines for escalating changes
An analyst will facilitate the discussion on how to improve upon your organization’s change control processes and how changes will be escalated to ensure effective tracking and management of changes.
4.1.3 Confirm your requirements gathering process
With the group, an analyst will review the requirements gathering process and control levels for the different project levels.
4.1.4 Define the RACI for the requirements gathering process
An analyst will facilitate a whiteboard exercise to understand who is responsible, accountable, informed, and consulted for key elements of the requirements gathering process.
1.1 Understand the Benefits of Requirements Optimization
1.2 Determine Your Target State for Requirements Gathering
2.1 Determine Elicitation Techniques
2.2 Structure Elicitation Output
3.1 Create Analysis Framework
3.2 Validate Business Requirements
4.1 Create Control Processes for Requirements Changes
4.2 Build Requirements Governance and Communication Plan
Requirements Governance Responsibilities
1. Provide oversight and review of SOPs pertaining to requirements elicitation, analysis, and validation.
2. Establish corporate policies with respect to requirements gathering SOP training and education of analysts.
3. Prioritize efforts for requirements optimization.
4. Determine and track metrics that will be used to gauge the success (or failure) of requirements optimization efforts and make process and policy changes as needed.
Use a power map to determine which governance model best fits your organization.
This exercise will help to define the purpose statement for the applicable requirements gathering governance team.
Example:
The requirements gathering governance team oversees the procedures that are employed by BAs and other requirements gathering practitioners for [insert company name]. Members of the team are appointed by [insert role] and are accountable to [typically the chair of the committee].
Day-to-day operations of the requirements gathering team are expected to be at the practitioner (i.e. BA) level. The team is not responsible for conducting elicitation on its own, although members of the team may be involved from a project perspective.
Document the output from this exercise in section 3.1 of the Requirements Gathering SOP and BA Playbook.
Industry Not-for-Profit
Source Info-Tech Workshop
This organization is a not-for-profit benefits provider that offers dental coverage to more than 1.5 million people across three states.
With a wide ranging application portfolio that includes in-house, custom developed applications as well as commercial off-the-shelf solutions, the company had no consistent method of gathering requirements.
The organization contracted Info-Tech to help build an SOP to put in place a rigorous and efficient methodology for requirements elicitation, analysis, and validation.
One of the key realizations in the workshop was the need for governance and oversight over the requirements gathering process. As a result, the organization developed a Requirements Management Steering Committee to provide strategic oversight and governance over requirements gathering processes.
The Requirements Management Steering Committee introduced accountability and oversight into the procedures that are employed by BAs. The Committee’s mandate included:
R – Responsible
The one responsible for getting the job done.
A – Accountable
Only one person can be accountable for each task.
C – Consulted
Involvement through input of knowledge and information.
I – Informed
Receiving information about process execution and quality.
Build the participation list and authority matrix for the requirements gathering governance team.
Document any changes from this exercise in section 3.1 of the Requirements Gathering SOP and BA Playbook.
Define your governance team procedures, cadence, and agenda.
| Meeting call to order | [Committee Chair] | [Time] |
|---|---|---|
| Roll call | [Committee Chair] | [Time] |
| Review of SOPs | ||
| A. Requirements gathering dashboard review | [Presenters, department] | [Time] |
| B. Review targets | [Presenters, department] | [Time] |
| C. Policy Review | [Presenters, department] | [Time] |
Document any changes from this exercise in section 3.1 of the Requirements Gathering SOP and BA Playbook.
A successful communication plan involves making the initiative visible and creating staff awareness around it. Educate the organization on how the requirements gathering process will differ.
People can be adverse to change and may be unreceptive to being told they must “comply” to new policies and procedures. Demonstrate the value in requirements gathering and show how it will assist people in their day-to-day activities.
By demonstrating how an improved requirements gathering process will impact staff directly, you create a deeper level of understanding across lines-of-business, and ultimately a higher level of acceptance for new processes, rules, and guidelines.
Stakeholder:
Key Stakeholder:
User Group Representatives:
Unwilling – Individuals who are unwilling to change may need additional encouragement. For these individuals, you’ll need to reframe the situation and emphasize how the change will benefit them specifically.
Unable – All involved requirements gathering will need some form of training on the process, committee roles, and responsibilities. Be sure to have training and support available for employees who need it and communicate this to staff.
Unaware – Until people understand exactly what is going on, they will not be able to conform to the process. Communicate change regularly at the appropriate detail to encourage stakeholder support.
Info-Tech Insight
Resisters who have influence present a high risk to the implementation as they may encourage others to resist as well. Know where and why each stakeholder is likely to resist to mitigate risk. A detailed plan will ensure you have the needed documentation and communications to successfully manage stakeholder resistance.
Identify the impact and level of resistance of all stakeholders to come up with the right communication plan.
Use a power map to plot key stakeholders according to influence and involvement.
Use a power map to plot key stakeholders according to influence and involvement.
High Risk:
Stakeholders with high influence who are not as involved in the project or are heavily impacted by the project are less likely to give feedback throughout the project lifecycle and need to be engaged. They are not as involved but have the ability to impact project success, so stay one step ahead.
Do not limit your engagement to kick-off and close – you need to continue seeking input and support at all stages of the project.
Mid Risk:
Key players have high influence, but they are also more involved with the project or impacted by its outcomes and are thus easier to engage.
Stakeholders who are heavily impacted by project outcomes will be essential to your organizational change management strategy. Do not wait until implementation to engage them in preparing the organization to accept the project – make them change champions.
Low Risk:
Stakeholders with low influence who are not impacted by the project do not pose as great of a risk, but you need to keep them consistently informed of the project and involve them at the appropriate control points to collect feedback and approval.
Leaders of successful change spend considerable time developing a powerful change message: a compelling narrative that articulates the desired end state and makes the change concrete and meaningful to staff. They create the change vision with staff to build ownership and commitment.
The change message should:
The five elements of communicating the reason for the change:
COMMUNICATING THE CHANGE
What is the change?
Why are we doing it?
How are we going to go about it?
How long will it take us?
What will the role be for each department and individual?
Build the communications management plan around your stakeholders’ needs.
Sample communications plan: Status reports
| Vehicle | Audience | Purpose | Frequency | Owner | Distribution | Level of Detail |
|---|---|---|---|---|---|---|
Sample communications plan: Status reports
| Vehicle | Audience | Purpose | Frequency | Owner | Distribution | Level of Detail |
|---|---|---|---|---|---|---|
| Status Report | Sponsor | Project progress and deliverable status | Weekly | Project Manager |
Details for
|
|
| Status Report | Line of Business VP | Project progress | Monthly | Project Manager |
High Level for
|
Build a high-level timeline for the implementation.
Major KPIs typically used for benchmarking include:
Revisit the requirements gathering metrics selected in the planning phase and recalculate them after requirements gathering optimization has been attempted.
4.2.1; 4.2.2; 4.2.3 – Build a requirements gathering steering committee
The analyst will facilitate the discussion to define the purpose statement of the steering committee, build the participation list and authority matrix for its members, and define the procedures and agenda.
4.2.4 Identify and analyze stakeholders
An analyst will facilitate the discussion on how to identify the impact and level of resistance of all stakeholders to come up with the communication plan.
4.2.5 Create a communications management plan
An analyst will assist the team in building the communications management plan based on the stakeholders’ needs that were outlined in the stakeholder analysis exercise.
4.2.6 Build a requirements gathering implementation timeline
An analyst will facilitate a session to brainstorm and document any action items and build a high-level timeline for implementation.
Note: This research also incorporates extensive insights and feedback from our advisory service and related research projects.
“10 Ways Requirements Can Sabotage Your Projects Right From the Start.” Blueprint Software Systems, 2012. Web.
“BPM Definition.” BPMInstitute.org, n.d. Web.
“Capturing the Value of Project Management.” PMI’s Pulse of the Profession, 2015. Web.
Eby, Kate. “Demystifying the 5 Phases of Project Management.” Smartsheet, 29 May 2019. Web.
“Product Management: MoSCoW Prioritization.” ProductPlan, n.d. Web.
“Projects Delivered on Time & on Budget Result in Larger Market Opportunities.” Jama Software, 2015. Web.
“SIPOC Table.” iSixSigma, n.d. Web.
“Survey Principles.” University of Wisconsin-Madison, n.d. Web.
“The Standish Group 2015 Chaos Report.” The Standish Group, 2015. Web.
IT incidents—such as outages, software bugs, or security alerts—are a routine part of managing business technology. The effectiveness of incident management depends not only on technical resolution but also on how clearly the situation is communicated across the organization.
It’s important that communication during an IT incident separates technical details from business impact.
Technical communications focus on the nature of the incident, technical root cause, and steps to resolution.
Business communications address what the incident means for users, customers, and ongoing operations.
Tactical vs. Strategic Impact
A key aspect of effective communication is differentiating between tactical and strategic impact:
This refers to the immediate, short-term effects of the incident. For example, a payment processing outage might delay customer transactions or require manual workarounds. Tactical impact is about “what’s happening right now,” how it disrupts daily operations, and what steps are being taken to restore service.
This concerns whether the incident has any meaningful effect on the organization’s long-term goals, strategic initiatives, or overall direction. In most cases, IT incidents do not affect strategic objectives. Communication should make it clear to leadership and stakeholders if an incident is limited to tactical impact, helping to avoid unnecessary escalation or concern.
1. Technical Teams
“The payment gateway service is returning intermittent 503 errors due to a backend database lock. We are currently restarting the affected services and monitoring log files for additional errors. No data loss has been detected, and all failed transactions are being queued for reprocessing.”
2. Business Operations
“We are experiencing a temporary issue with our payment processing system. Some transactions may be delayed. Our IT team is actively working on a resolution, and we expect normal operations to resume within the hour. In the meantime, please inform customers of the delay and assure them that no payments have been lost.”
3. Executive Leadership
“There is a temporary disruption in our payment processing system that is affecting transaction completion for some customers. The issue is strictly tactical and does not have any impact on our strategic initiatives or financial targets. The technical team is addressing the problem, and we anticipate full resolution shortly. No long-term risk or reputational impact is expected.”
Segment communications by audience and need.
Be explicit about whether an incident has any strategic impact—most do not.
Use plain language for non-technical stakeholders, focusing on what matters to them.
Provide timely updates and clarify as the situation evolves.
Clear communication during IT incidents means more than just relaying facts—it means ensuring that all audiences understand the scope of the impact, especially the difference between tactical disruptions and strategic threats. Consistently making this distinction helps manage expectations, reduces unnecessary concern, and supports more effective incident management.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Assess the organization’s fit for MMS technology and structure the MMS selection project.
Produce a vendor shortlist for your MMS.
Evaluate RFPs, conduct vendor demonstrations, and select an MMS.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Determine a “right-size” approach to marketing enablement applications.
Confirmation of the goals, objectives, and direction of the organization is marketing application strategy.
1.1 Assess the value and identify the organization’s fit for MMS technology.
1.2 Understand the art of the possible.
1.3 Understand CXM strategy and identify your fit for MMS technology.
1.4 Build procurement team and project customer experience management (CXM) strategy.
1.5 Identify your MMS requirements.
Project team list.
Preliminary requirements list.
Enumerate relevant marketing management suites and point solutions.
List of marketing enablement applications based on requirements articulated in the preliminary requirements list strategy.
2.1 Identify relevant use cases.
2.2 Discuss the vendor landscape.
Vendor shortlist.
Develop a rationale for selecting a specific MMS vendor.
MMS Vendor decision.
A template to communicate the decision to executives.
3.1 Create a procurement strategy.
3.2 Discuss the executive presentation.
3.3 Plan the procurement process.
Executive/stakeholder PowerPoint presentation.
Selection of an MMS.
“Marketing applications are in high demand, but it is difficult to select a suite that is right for your organization. Market offerings have grown from 50 vendors to over 800 in the past five years. Much of the process of identifying an appropriate vendor is not about the vendor at all, but rather about having a comprehensive understanding of internal needs. There are instances where a smaller-point solution is necessary to satisfy requirements and a full marketing management suite is an overinvestment.
Likewise, a partner with differentiating features such as AI-driven workflows and a mobile software development kit can act as a powerful extension of an overall customer experience management strategy. It is crucial to make the right decision; missing the mark on an MMS selection will have a direct impact on the business’ bottom line.”
Ben Dickie
Research Director, Enterprise Applications
Info-Tech Research Group
This Research Is Designed For:
|
This Research Will Help You:
|
This Research Will Also Assist:
|
This Research Will Help Them
|
The MMS market is a landscape of vendors offering campaign management, multichannel support, analytics, and publishing tools. Many vendors specialize in some of these areas but not all. Sometimes multiple products are necessary – but determining which feature sets the organization truly needs can be a challenging task. The right technology stack is critical in order to bring automation to marketing initiatives.
| “When it comes to marketing automation capabilities, using CRM is like building a car from a kit. All the parts are there, but you need the time and skill to put it all together. Using marketing automation is like buying the car you want or need, with all the features you want already installed and some gas in the tank, ready to drive. In either case, you still need to know how to drive and where you want to go.” (Mac McIntosh, Marketo Inc.) |  |
A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue. |
MMS helps marketers in two primary ways:
|
“A marketing automation solution delivers essentially all the benefits of an email marketing solution along with integrated capabilities that would otherwise need to be cobbled together using various standalone technologies.” (Marketo Inc.) |
1 |
2 |
3 |
4 |
5 |
| Establish Resources | Gather Requirements | Write and Assemble RFP | Exercise Due Diligence | Evaluate Candidate Solutions |
|
|
|
|
|
Contact your account representative or email Workshops@InfoTech.com for more information.
CASE STUDY |
Industry: Professional Services | Source: Info-Tech Consulting |
ChallengeA large professional services firm specializing in knowledge development was looking to modernize an outdated marketing services stack. Previous investments in marketing tools ranging from email automation to marketing analytics led to system fragmentation. As a result, there was no 360-degree overview of marketing operations and no way to run campaigns at scale. To satisfy the organization’s aspirations, a comprehensive marketing management suite had to be selected that met needs for the foreseeable future. |
SolutionThe Info-Tech consulting team was brought in to assist in the MMS selection process. After meeting with several stakeholders, MMS requirements were developed and weighted. An RFP was then created from these requirements. Following a market scan, four vendors were selected to complete the organization’s RFP. Demonstration scripts were then developed as the RFPs were completed by vendors. Shortlisted vendors progressed to the demonstration phase. |
ResultsVendor scorecards were utilized during the two-day demonstrations with the core project team to score each vendor. During the scoring process the team also identified the need to replace the organization’s core customer repository (a legacy CRM). The decision was made to select a CRM before finalizing the MMS selection. Doing so ensured uniform system architecture and strong interoperability between the firm’s MMS and its CRM. |
DIY Toolkit |
Guided Implementation |
Workshop |
Consulting |
| "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks used throughout all four options |
|||
| 1. Launch the MMS Project and Collect Requirements | 2. Shortlist Marketing Management Suites | 3. Select Vendor and Communicate Decision to Stakeholders | |
 Best-Practice Toolkit |
1.1 Assess the value and identify your organization’s fit for MMS technology. 1.2 Build your procurement team and project customer experience management (CXM) strategy. 1.3 Identify your MMS requirements. |
2.1 Produce your shortlist |
3.1 Select your MMS 3.2 Present selection |
Guided Implementations |
|
|
|
 Onsite Workshop |
Module 1:
Launch Your MMS Selection Project |
Module 2:
Analyze MMS Requirements and Shortlist Vendors |
Module 3:
Plan Your Procurement Process |
Phase 1 Outcome:
|
Phase 2 Outcome:
|
Phase 3 Outcome:
|
Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.
|
This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project. |
|
This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members who will come onsite to facilitate a workshop for your organization. |
 |
This icon denotes a slide that pertains directly to the Info-Tech vendor profiles on marketing management technology. Use these slides to support and guide your evaluation of the MMS vendors included in the research. |
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
| Step 1.2: Structure the Project | Step 1.3: Gather Requirements |
Start with an analyst kick-off call:
|
Review findings with analyst:
|
Then complete these activities…
|
Then complete these activities…
|
With these tools & templates:
|
With these tools & templates:
|
Phase 1 Results:
|
|
1.1 |
1.2 |
1.3 |
||
| Understand the MMS Market | Structure the Project | Gather MMS Requirements |
| Analytics | The practice of measuring marketing performance to improve return on investment (ROI). It is often carried out through the visualization of meaningful patterns in data as a result of marketing initiatives. |
| Channels | The different places where marketers can reach customers (e.g. social media, print mail, television). |
| Click-through rate | The percentage of individuals who proceed (click-through) from one part of a marketing campaign to the next. |
| Content management | Curating, creating, editing, and keeping track of content and client-facing assets. |
| Customer relationship management (CRM) | A core enterprise application that provides a broad feature set for supporting customer interaction processes. The CRM frequently serves as a core customer data repository. |
| Customer experience management (CXM) | The holistic management of customer interaction processes across marketing, sales, and customer service to create valuable, mutually beneficial customer experiences. |
| Engagement rate | A social media metric used to describe the amount of likes, comments, shares, etc., that a piece of content receives. |
| Lead | An individual or organization who has shown interest in the product or service being marketed. |
| Omnichannel | The portfolio of interaction channels you use. |
A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue. If you have customer records in multiple places, you risk missing customer opportunities and potentially upsetting clients. For example, if a client has communicated preferences or disinterest through one channel, and this is not effectively recorded throughout the organization, another representative is likely to contact them in the same method again – possibly alienating the customer for good. A master database requires automatic synchronization with all point solutions, POS, billing systems, agencies, etc. If you don’t have up-to-the-minute information, you can’t score prospects effectively and you lose out on the benefits of the MMS. |
|
| Focus on the fundamentals before proceeding. | Secure organizational readiness to reduce project risk using Info-Tech’s Build a Strong Technology Foundation for CXM and Select and Implement a CRM Platform blueprints. |
| The world of marketing technology changes rapidly! Understand how modern marketing management suites are used in most organizations. An MMS helps marketers in two primary ways:
Marketing suites accomplish these tasks by:
A strong MMS provides marketers with the data they need for actionable insights about their customers. “A marketing automation solution delivers essentially all the benefits of an email marketing solution along with integrated capabilities that would otherwise need to be cobbled together using various standalone technologies.” (Marketo Inc.) | Inform your way of thinking by understanding the capabilities of modern marketing applications.
|
(Source: Info-Tech Research Group; N=23)
The key drivers for MMS are business-related, not IT-related. However, this does not mean that there are no benefits to IT. In fact, the IT department will see numerous benefits, including time and resource savings. Further, not having an MMS creates more work for your IT department. IT must serve as a valued partner for selection and implementation.
Marketing management suites are ideal for large organizations with multiple product lines in complex marketing environments. IT is often more centralized than its counterparts in the business, making it uniquely positioned to encourage greater coordination by helping the business units understand the shared goals and the benefits of working together to roll out suites for marketing workflow management, intelligence, and channel management.
| Cross-Segmentation | Additional Revenue Generation | Real-Time Capabilities | Lead Growth/ Conversion Rate | |
| Business Value |
|
|
|
|
| IT Value |
|
|
|
|
Don’t forget that MMS technologies deliver on the overarching suite value proposition: a robust solution within one integrated offering. Without an MMS in play, organizations in need of this functionality are forced to piece together point solutions (or ad hoc management). This not only increases costs but also is an integration nightmare for IT.
1.1 | 1.2 | 1.3 | ||
| Understand the MMS Market | Structure the Project | Gather MMS Requirements |
Sample Project Overview[Organization] plans to select and implement a marketing management suite in order to introduce better campaign management to the business’ processes. This procurement and implementation of an MMS tool will enable the business to improve the efficiency and effectiveness of marketing campaign execution. This project will oversee the assessment and shortlisting of MMS vendors, selection of an MMS tool, the configuration of the solution, and the implementation of the technology into the business environment. Rationale Behind the ProjectConsider the business drivers behind the interest in MMS technology. Be specific to business units impacted and identify key considerations (both opportunities and risks). |
Business Drivers
|
Creating repeatable and streamlined marketing processes is a common overarching business objective that is driven by multiple factors. To ensure this objective is achieved, confirm that the primary drivers are following the implementation of the first automated marketing channels.
1.2.1 1 hour
INPUT: Stakeholder user stories
OUTPUT: Understanding of ideal outcomes from MMS implementation
MATERIALS: Whiteboard and marker or sticky notes
PARTICIPANTS: Project sponsor, Project stakeholders, Business analysts, Business unit reps
| Improve | Reduce/Eliminate | KPIs |
| Multichannel marketing | Duplication of effort | Number of customer interaction channels supported |
| Social integration | Process inefficiencies | Number of social signals received (likes, shares, etc.) |
| … | … | … |
If you do not have a well-defined CXM strategy, leverage Info-Tech’s research to Build a Strong Technology Foundation for Customer Experience Management.
This blueprint focuses on complete, integrated marketing management suitesAn integrated suite is a single product that is designed to assist with multiple marketing processes. Information from these suites is deeply connected to the core CRM. Changing a piece of information for one process will update all affected. |
 |
A point solution typically interfaces with a single customer interaction channel with minimal CRM integration. Why use a marketing point solution?
Refer to Phase 2 for a bird’s-eye view of the point solution marketplace. |
Marketing Point Solutions
|
Adopt an MMS if:
|
Bypass an MMS if:
|
Using an MMS is ideal for organizations with multiple brands and product portfolios (e.g. consumer packaged goods). Ad hoc management and email marketing services are best for small organizations with a client base that requires only bare bones engagement.
1.2.2 MMS Readiness Assessment Checklist
Use Info-Tech’s MMS Readiness Assessment Checklist to determine if your organization has sufficient process and campaign maturity to warrant the investment in a consolidated marketing management suite.
Sections of the Tool:
|
INFO-TECH DELIVERABLE
Complete the MMS Readiness Assessment Checklist by following the instructions in Activity 1.2.3. |
1.2.3 30 minutes
INPUT: MMS foundation, MMS strategy
OUTPUT: Readiness remediation approach, Validation of MMS project readiness
MATERIALS: Info-Tech’s MMS Readiness Assessment Checklist
PARTICIPANTS: Project sponsor, Core project team
1.1 | 1.2 | 1.3 | ||
| Understand the MMS Market | Structure the Project | Gather MMS Requirements |
USE CASES |
While an organization may be product- or service-centric, most fall into one of the three use cases described on this slide. |
1) Marketing AutomationWorkflow ManagementManaging complex marketing campaigns and building and tracking marketing workflows are the mainstay responsibilities of brand managers and other senior marketing professionals. In this category, we evaluated vendors that provide marketers with comprehensive tools for marketing campaign automation, workflow building and tracking, lead management, and marketing resource planning for campaigns that need to reach a large segment of customers. Omnichannel ManagementThe proliferation of marketing channels has created significant challenges for many organizations. In this use case, we executed a special evaluation of vendors that are well suited for the intricacies of juggling multiple channels, particularly mobile, social, and email marketing. |
2) Marketing IntelligenceSifting through data from a myriad of sources and coming up with actionable intelligence and insights remains a critical activity for marketing departments, particularly for market researchers. In this category, we evaluated solutions that aggregate, analyze, and visualize complex marketing data from multiple sources to allow decision makers to execute informed decisions. 3) Social MarketingThe proliferation of social networks, customer data, and use cases has made ad hoc social media management challenging. In this category we evaluated vendors that bring uniformity to an organization’s social media capabilities and contribute to a 360-degree customer view. |
1.3.1 30 minutes
INPUT: Use-case breakdown
OUTPUT: Project use-case alignments
Materials: Whiteboard, markers
Participants: Project manager, Core project team (optional)
The use-case view of vendor and product performance provides multiple opportunities for vendors to fit into your application architecture depending on their product and market performance. The use cases selected are based on market research and client demand.
Determining your use case is crucial for:
The following slides illustrate how the three most common use cases (marketing automation, marketing intelligence, and social marketing) align with business needs. As shown by the case studies, the right MMS can result in great benefits to your organization.
| Marketing Need | Manage customer experience across multiple channels | Manage multiple campaigns simultaneously | Integrate web-enabled devices (IoT) into marketing campaigns | Run and track email marketing campaigns |
 |
||||
| Corresponding Feature | End-to-end management of email marketing | Visual workflow editor | Customer journey mapping | Business rules engine | A/B tracking |
CASE STUDY | Industry: Entertainment | Source: Marketo |
ChallengeThe Portland Trail Blazers, an NBA franchise, were looking to expand their appeal beyond the city of Portland and into the greater Pacific Northwest Region. The team’s management group also wanted to showcase the full range of events that were hosted in the team’s multipurpose stadium. The Trail Blazers were looking to engage fans in a more targeted fashion than their CRM allowed for. Ultimately, they hoped to move from “batch and blast” email campaigns to an automated and targeted approach. | SolutionThe Trail Blazers implemented an MMS that allowed it to rapidly build different types of campaigns. These campaigns could be executed across a variety of channels and target multiple demographics at various points in the fan journey. Contextual ads were implemented using the marketing suite’s automated customer journey mapping feature. Targeted ads were served based on a fan’s location in the journey and interactions with the Trail Blazers’ online collateral. | ResultsThe automated campaigns led to a 75% email open rate, which contributed to a 96% renewal rate for season ticket holders – a franchise record. Other benefits resulting from the improved conversion rate included an increased cohesion between the Trail Blazers’ marketing, analytics, and ticket sales operations. |
| Marketing Need | Capture marketing- and customer-related data from multiple sources | Analyze large quantities of marketing data | Visualize marketing-related data in a manner that is easy for decision makers to consume | Perform trend and predictive analysis |
|
||||
| Corresponding Feature | Integrate data across customer segments | Analysis through machine learning | Assign attributers to unstructured data | Displays featuring data from external sources | Create complex customer data visualizations |
CASE STUDY | Industry: Retail | Source: SAS |
ChallengeWomen’s apparel retailer Chico’s FAS was looking to capitalize on customer data from in-store and online experiences. Chico’s hoped to consolidate customer data from multiple online and brick-and-mortar retail channels to get a complete view of the customer. Doing so would satisfy Chico’s need to create more highly segmented, cost-effective marketing campaigns | SolutionChico’s selected an MMS with strong marketing intelligence, analysis, and data visualization capability. The MMS could consolidate and analyze customer and transactional information. The suite’s functionality enabled Chico’s marketing team to work directly with the data, without help from statisticians or IT staff. | ResultsThe approach to marketing indigence led to customers getting deals on products that were actually relevant to them, increasing sales and brand loyalty. Moreover, the time it took to perform data consolidation decreased dramatically, from 17 hours to two hours, allowing the process to be performed daily instead of weekly. |
| Marketing Need | Understand customers' likes and dislikes | Manage and analyze social media channels like Facebook and Twitter | Foster a conversation around specific products | Engage international audiences through regional messaging apps |
|
||||
| Corresponding Feature | Social listening capabilities | Tools for curating customer community content | Ability to aggregate social data | Integration with popular social networks | Ability to conduct trend reporting |
CASE STUDY | Industry: Life Sciences | Source: Adobe |
ChallengeBayer, a Fortune 500 health and life sciences company, was looking for a new way to communicate its complex medical breakthroughs to the general public. The decision was made to share the science behind its products via social channels in order to generate excitement. Bayer needed tools to publish content across a variety of social media platforms while fostering conversations that were more focused on the science behind products. | SolutionBased on the requirements, Bayer decided that an MMS would be the best fit. After conducting a market scan, the company selected an MMS with a comprehensive social media suite. The suite included tools for social listening and moderation and tools to guide conversations initiated by both marketers and customers. | ResultsThe MMS provided Bayer with the toolkit to engage its audience. Bayer took control of the conversation about its products by serving potential customers with relevant video content on social media. Its social strategy coupled with advanced engagement tools resulted in new business opportunities and more than 65,000 views on YouTube and more than 87,000 Facebook views in a single month. |
| REQUIREMENTS GATHERING
Info-Tech’s requirements gathering framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework ensures that the application created will capture the needs of all stakeholders and deliver business value. Develop and right-size a proven standard operating procedure for requirements gathering with Info-Tech’s blueprint Build a Strong Approach to Business Requirements Gathering. |
 |
| Requirements Gathering Methodology
Requirements Gathering Blueprint Slide 25: Understand the best-practice framework for requirements gathering for enterprise applications projects. |
Requirements Gathering SOP
Requirements Gathering Blueprint Activities 1.2.2-1.2.5, 2.1.1, 2.1.2, 3.1.1, 3.2.1, 4.1.1-4.1.3, 4.2.2: Consolidate outputs to right-size a best-practice SOP for your organization. |
Project Level Selection Tool
Requirements Gathering Blueprint Activity 1.2.4: Determine project-level selection guidelines to inform the due diligence required in your MMS requirements gathering. |
1.3.2 Varies
INPUT: MMS tool user expertise, MMS Requirements Picklist Tool
OUTPUT: A list of needs from the MMS tool user perspective
Materials: Note-taking materials, Whiteboard or flip chart, markers
Participants: MMS users in the organization, MMS selection committee
Download the MMS Requirements Picklist Tool to help with completing this activity.
The return on investment (ROI) and perceived value of the organization’s marketing solution will be a critical indication of the likelihood of success of the suite’s selection and implementation.
| EXAMPLE METRICS |
MMS and Technology AdoptionMarketing Performance Metrics |
|
| Average revenue gain per campaign | Quantity and quality of marketing insights | |
| Average time to execute a campaign | Customer acquisition rates | |
| Savings from automated processes | Marketing cycle times | |
User Adoption and Business Feedback Metrics |
||
| User satisfaction feedback | User satisfaction survey with the technology | |
| Business adoption rates | Application overhead cost reduction | |
Even if marketing metrics are difficult to track right now, the implementation of an MMS brings access to valuable customer intelligence from data that was once kept in silos.
 |
|
1.2.1 |
 |
Align the CXM strategy value proposition to MMS capabilities
Our facilitator will help your team identify the IT CXM strategy and marketing goals. The analyst will then work with the team to map the strategy to technological drivers available in the MMS market. |
1.3.2 |
 |
Define the needs of MMS users
Our facilitator will work with your team to identify user requirements for the MMS Requirements Picklist Tool. The analyst will facilitate a discussion with your team to prioritize identified requirements. |
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
| Step 2.1: Analyze and Shortlist MMS Vendors | |
Start with an analyst kick-off call:
|
|
Then complete these activities…
|
|
With these tools & templates:
|
|
Phase 2 Results:
|
|
2.1 |
| Analyze and Shortlist MMS Vendors |
Loosely Tied TogetherOriginally the sales and marketing enterprise application space was highly fragmented, with disparate best-of-breed point solutions patched together. Soon after, vendors in the late 1990s started bundling automation technologies into a single suite offering. Marketing capabilities of CRM suites were minimal at best and often restricted to web and email only. Limited to Large EnterprisesMany vendors started to combine all marketing tools into a single, comprehensive marketing suite, but cost and complexity limited them to large enterprises and marketing agencies. Best-of-breed solutions targeting new channels and new goals, like closed-loop sales and marketing, continued driving new marketing software genres, like dedicated lead management suites. |
“In today’s volatile business environment, judgment built from past experience is increasingly unreliable. With consumer behaviors in flux, once-valid assumptions (e.g. ‘older consumers don’t use Facebook or send text messages’) can quickly become outdated.” (SAS Magazine) |
As the market evolves, capabilities that were once cutting edge become default and new functionality becomes differentiating. Some features, like basic CRM integration, have become table stakes capabilities. Focus on advanced analytics features and omnichannel integration capabilities to get the best fit for your requirements.
AI and Machine LearningVendors are beginning to offer AI capabilities across MMS for data-driven customer engagement scoring and social listening insights. Machine learning capability is being leveraged to determine optimal customer journey and suggest next steps to users. Marketplace FragmentationThe number of players in the marketing application space has grown exponentially. The majority of these new vendors offer point solutions rather than full-blown marketing suites. Fragmentation is leading to tougher choices when looking to augment an existing platform with specific functionality. Improving Application IntegrationMMS vendors are fostering deeper integrations between their marketing products and core CRM products, leading to improved data hygiene. At the same time, vendors are improving flexibility in the marketing suite so that new channels can be added easily. Greater Self-ServiceVendors have an increased emphasis on application usability. Their goal is to enable marketers to execute campaigns without relying on specialists. |
“There’s a firehose of customer data coming at marketers today, and with more interconnected devices emerging (wearables, smart watches, etc.), cultivating a seamless customer experience is likely to grow even more challenging. Building out a data-driven marketing strategy and technology stack that enables you to capture behaviors across channels is key.” (IBM, Ideas for Exceeding Customer Expectations) |
VENDOR PROFILESReview the MMS Vendor Evaluation |
 |
TABLE STAKES
| What does this mean?The products assessed in these vendor profiles meet, at the very least, the requirements outlined as table stakes. Many of the vendors go above and beyond the outlined table stakes; some even do so in multiple categories. This section aims to highlight the products’ capabilities in excess of the criteria listed here. Info-Tech InsightIf table stakes are all you need from your MMS, determine whether your existing CRM platform already satisfies your requirements. Otherwise, dig deeper to find the best price-to-value ratio for your needs. |
Almost – or equally – as important as evaluating vendor feature capabilities is the need to evaluate vendor viability and non-functional aspects of the MMS. Include an evaluation of the following criteria in your vendor scoring methodology:
| Vendor Attribute | Description |
| Vendor Stability and Variability | The vendor’s proven ability to execute on constant product improvement, deliberate strategic direction, and overall commitment to research and development efforts in responding to emerging trends. |
| Security Model | The potential to integrate the application to existing security models and the vendor's approach to handling customer data. |
| Deployment Style | The choice to deploy a single or multi-tenant SaaS environment via a perpetual license. |
| Ease of Customization | The relative ease with which a system can be customized to accommodate niche or industry-specific business or functional needs. |
| Vendor Support Options | The availability of vendor support options, including selection consulting, application development resources, implementation assistance, and ongoing support resources. |
| Size of Partner Ecosystem | The quantity of enterprise applications and third-party add-ons that can be linked to the MMS, as well as the number of system integrators available. |
| Ease of Data Integration | The relative ease with which the system can be integrated with an organization’s existing application environment, including legacy systems, point solutions, and other large enterprise applications. |
Evaluate vendor capabilities, not just product capabilities. An MMS is typically a long-term commitment; ensure that your organization is teaming up with a vendor or provider that you feel you can work well with and depend on.
Evaluation MethodologyThese product features were assessed as part of the classification of vendors into use cases. In determining use-case leaders and players, select features were considered based on best alignment with the use case. |
|
Evaluation MethodologyThese product features were assessed as part of the classification of vendors into use cases. In determining use-case leaders and players, select features were considered based on best alignment with the use case. |
|
This section includes profiles of the vendors evaluated against the previously outlined framework.
Review the use-case scenarios relevant to your organization’s use case to identify a vendor’s fit to your organization’s MMS needs.
|
 |
Understand your organization’s size and whether it falls within the product’s market focus.
|
 |
| Review the differentiating features to identify where the application performs best. |  |
| Colors signify a feature’s performance. |  |
 |
FUNCTIONAL SPOTLIGHT
Creative Cloud Integration: To make for a more seamless cross-product experience, projects can be sent between Marketing Cloud and Creative Cloud apps such as Photoshop and After Effects. Sensei: Adobe has revamped its machine learning and AI platform in an effort to integrate AI into all of its marketing applications. Sensei includes data from Microsoft in a new partnership program. Anomaly Detection: Adobe’s Anomaly Detection contextualizes data and provides a statistical method to determine how a given metric has changed in relation to previous metrics. |
||||||||||
USE-CASE PERFORMANCE
|
MARKET FOCUS
|
||||||||||
| Adobe’s goal with Marketing Cloud is to help businesses provide customers with cohesive, seamless experiences by surfacing customer profiles in relevant situations quickly. Adobe Marketing Cloud has traditionally been used in the B2C space but has seen an increase in B2C use cases driven by the finance and technology sectors. | FEATURES
 |
| Employees (2018): 17,000 | Presence: Global | Founded: 1982 | NASDAQ: ADBE |
 | FUNCTIONAL SPOTLIGHT Content Optimization System (COS): The fully integrated system stores assets and serves them to their designated channels at relevant times. The COS is integrated into HubSpot's marketing platform. Email Automation: HubSpot provides basic email that can be linked to a specific part of an organization’s marketing funnel. These emails can also be added to pre-existing automated workflows. Email Deliverability Tool: HubSpot identifies HTML or content that will be flagged by spam filters. It also validates links and minimizes email load times. | ||||||||||
USE-CASE PERFORMANCE
| MARKET FOCUS
| ||||||||||
| Hubspot’s primary focus has been on email marketing campaigns. It has put effort into developing solid “click not code” email marketing capabilities. Also, Hubspot has an official integration with Salesforce for expanded operations management and analytics capabilities. | FEATURES
 |
| Employees (2018): 1,400 | Presence: Global | Founded: 2006 | NYSE: HUBS |
 | FUNCTIONAL SPOTLIGHT Watson: IBM is leveraging its popular Watson AI brand to generate marketing insights for automated campaigns. Weather Effects: Set campaign rules based on connections between weather conditions and customer behavior relative to zip code made by Watson. Real-Time Personalization: IBM has made efforts to remove campaign interaction latency and optimize live customer engagement by acting on information about what customers are doing in the current moment. | ||||||||||
USE-CASE PERFORMANCE
| MARKET FOCUS
| ||||||||||
| IBM has remained ahead of the curve by incorporating its well-known AI technology throughout Marketing Cloud. The application’s integration with the wide array of IBM products makes it a powerful tool for users already in the IBM ecosystem. | FEATURES
 |
| Employees (2018): 380,000 | Presence: Global | Founded: 1911 | NYSE: IBM |
 | FUNCTIONAL SPOTLIGHT Content AI: Marketo has leveraged its investments in machine learning to intelligently fetch marketing assets and serve them to customers based on their interactions with a campaign. Email A/B Testing: To improve lead generation from email campaigns, Marketo features the ability to execute A/B testing for customized campaigns. Partnership with Google: Marketo is now hosted on Google’s cloud platform, enabling it to provide support for larger enterprise clients and improve GDPR compliance. | ||||||||||
USE-CASE PERFORMANCE
| MARKET FOCUS
| ||||||||||
| Marketo has strong capabilities for lead management but has recently bolstered its analytics capabilities. Marketo is hoping to capture some of the analytics application market share by offering tools with varying complexity and to cater to firms with a wide range of analytics needs. | FEATURES
 |
| Employees (2018): 1,000 | Presence: Global | Founded: 2006 | Private Corporation |
 | FUNCTIONAL SPOTLIGHT Data Visualization: To make for a more seamless cross-product experience, marketing projects can be sent between Marketing Cloud and Creative Cloud apps such as Dreamweaver. ID Graph: Use ID Graph to unite disparate data sources to form a singular profile of leads, making the personalization and contextualization of campaigns more efficient. Interest-Based Messaging: Pause a campaign to update a segment or content based on aggregated customer activity and interaction data. | ||||||||||
USE-CASE PERFORMANCE
| MARKET FOCUS
| ||||||||||
| Oracle Marketing Cloud is known for its balance between campaigns and analytics products. Oracle has taken the lead on expanding its marketing channel mix to include international options such as WeChat. Users already using Oracle’s CRM/CEM products will derive the most value from Marketing Cloud. | FEATURES
 |
| Employees (2018): 138,000 | Presence: Global | Founded: 1977 | NYSE: ORCL |
 | FUNCTIONAL SPOTLIGHT Einstein: Salesforce is putting effort into integrating AI into all of its applications. The Einstein AI platform provides marketers with predictive analytics and insights into customer behavior. Mobile Studio: Salesforce has a robust mobile marketing offering that encompasses SMS/MMS, in-app engagement, and group messaging platforms. Journey Builder: Salesforce created Journey Builder, which is a workflow automation tool. Its user-friendly drag-and-drop interface makes it easy to automate responses to customer actions. | ||||||||||
USE-CASE PERFORMANCE
| MARKET FOCUS
| ||||||||||
| Salesforce Marketing Cloud is primarily used by organizations in the B2C space. It has strong Sales Cloud CRM integration. Pardot is positioning itself as a tool for sales teams in addition to marketers. | FEATURES
 |
| Employees (2018): 1,800 | Presence: Global | Founded: 2000 | NYSE: CRM |
 | FUNCTIONAL SPOTLIGHT Engagement Studio: Salesforce is putting marketing capabilities in the hands of sales reps by giving them access to a team email engagement platform. Einstein: Salesforce’s Einstein AI platform helps marketers and sales reps identify the right accounts to target with predictive lead scoring. Program Steps: Salesforce developed a distinct own workflow building tool for Pardot. Workflows are made of “Program Steps” that have the functionality to initiate campaigns based on insights from Einstein. | ||||||||||
USE-CASE PERFORMANCE
| MARKET FOCUS
| ||||||||||
| Pardot is Salesforce’s B2B marketing solution. Pardot has focused on developing tools that enable sales teams and marketers to work in lockstep in order to achieve lead-generation goals. Pardot has deep integration with Salesforce’s CRM and customer service management products. | FEATURES
 |
| Employees (2018): 1,800 | Presence: Global | Founded: 2000 | NYSE: CRM |
 | FUNCTIONAL SPOTLIGHT CMO Dashboard: The specialized dashboard is aimed at providing overviews for the executive level. It includes the ability to coordinate marketing activities and project budgets, KPIs, and timelines. Loyalty Management: SAP features in-app tools to manage campaigns specifically geared toward customer loyalty with digital coupons and iBeacons. Customer Segmentation: SAP’s predictive capabilities dynamically suggest relevant customer profiles for new campaigns. | ||||||||||
USE-CASE PERFORMANCE
| MARKET FOCUS
| ||||||||||
| SAP Hybris Marketing Cloud optimizes marketing strategies in real time with accurate attribution and measurements. SAP’s operations management capabilities are robust, including the ability to view consolidated data streams from ongoing marketing plans, performance targets, and budgets. | FEATURES
 |
| Employees (2018): 84,000 | Presence: Global | Founded: 1972 | NYSE: SAP |
 | FUNCTIONAL SPOTLIGHT Activity Map: A user-friendly workflow builder that can be used to execute campaigns. Multiple activities can be simultaneously A/B tested within the Activity Map UI. The outcome of the test can automatically adjust the workflow. Spots: A native digital asset manager that can store property that is part of existing and future campaigns. Viya: A framework for fully integrating third-party data sources into SAS Marketing Intelligence. Viya assists with pairing on-premises databases with a cloud platform for use with the SAS suite. | ||||||||||
USE-CASE PERFORMANCE
| MARKET FOCUS
| ||||||||||
| SAS has been a leading BI and analytics provider for more than 35 years. Rooted in statistical analysis of data, SAS products provide forward-looking strategic insights. Organizations that require extensive customer intelligence capabilities and the ability to “slice and dice” segments should have SAS on their shortlist. | FEATURES
 |
| Employees (2018): 14,000 | Presence: Global | Founded: 1976 | Private Corporation |
Additional vendors in the MMS market: |
|
 |
 |
See the next slides for suggested point solutions. |
|
Web experience management (WXM) and social media management platforms (SMMP) act in concert with your MMS to execute complex campaigns.
| Social Media Management
Info-Tech’s SMMP selection guide enables you to find a solution that satisfies your objectives across marketing, sales, public relations, HR, and customer service. Create a unified framework for driving successful implementation and adoption of your SMMP that fully addresses CRM and marketing automation integration, end-user adoption, and social analytics with Info-Tech’s blueprint Select and Implement a Social Media Management Platform. |
 |
| Web Experience Management
Info-Tech’s approach to WXM ensures you have the right suite of tools for web content management, experience design, and web analytics. Put your best foot forward by conducting due diligence as the selection project advances. Ensure that your organization will see quick results with Info-Tech’s blueprint Select and Implement a Web Experience Management Solution. |
 |
POINT SOLUTION PROFILESReview this cursory list of point solutions by use caseConsider point solutions if a full suite is not required |
 |
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
| Step 3.1: Select Your MMS | Step 3.2: Communicate the Decision to Stakeholders |
Start with an analyst kick-off call:
|
Review findings with analyst:
|
Then complete these activities…
|
Then complete these activities…
|
With these tools & templates:
|
With these tools & templates:
|
Phase 3 Results
|
|
3.1 |
3.2 |
|
| Select Your MMS | Communicate Decision to Stakeholders |
3.1.1 30 minutes
INPUT: Organizational use-case fit
OUTPUT: MMS vendor shortlist
Materials: Info-Tech’s MMS use cases, Info-Tech’s vendor profiles, Whiteboard, markers
Participants: Core project team
3.1.2 MMS Request for Proposal Template
| Use the MMS Request for Proposal Template as a step-by-step guide on how to request interested vendors to submit written proposals that meet your set of requirements. If interested in bidding for your project, vendors will respond with a description of the techniques they would employ to address your organizational challenges and meet your requirements, along with a plan of work and detailed budget for the project. The RFP is an important piece of setting and aligning your expectations with the vendors’ product offerings. Make sure to address the following elements in the RFP: Sections of the Tool:
| INFO-TECH DELIVERABLE Complete the MMS Request for Proposal Template by following the instructions in Activity 3.1.3. |
3.1.3 1-2 hours
INPUT: Business requirements document, Procurement procedures
OUTPUT: MMS RFP
Materials: Internal RFP tools or templates (if available), Info-Tech’s MMS Request for Proposal Template (optional)
Participants: Procurement SMEs, Project manager, Core project team (optional)
Vendor demonstrations are an integral part of the selection process. Having clearly defined selection criteria will help with setting up relevant demos as well as inform the vendor scorecards.
| EXAMPLE EVALUATION CRITERIA |  | |
Functionality (30%)
| Ease of Use (25%)
| |
Cost (15%)
| Vendor (15%)
| |
Technology (15%)
| Info-Tech InsightBase your vendor evaluations not on the capabilities of the solutions but instead on how the solutions align with your organization’s process automation requirements and considerations. | |
Examine how the vendor’s solution performs against your evaluation framework.
Vendor demonstrations create a valuable opportunity for your organization to confirm that the vendor’s claims in the RFP are actually true.
A display of the vendor’s functional capabilities and its execution of the scenarios given in your demo script will help to support your assessment of whether a vendor aligns with your MMS requirements.
3.1.4 1-2 hours
INPUT: Business requirements document, Logistical considerations, Usage scenarios by functional area
OUTPUT: MMS demo script
Materials: Info-Tech’s MMS Vendor Demo Script
Participants: Procurement SMEs, Core project team
Challenge vendor project teams during product demonstrations. Asking the vendor to make adjustments or customizations on the fly will allow you to get an authentic feel of product capability and flexibility, as well as of the degree of adaptability of the vendor project team. Ask the vendor to demonstrate how to do things not listed in your user scenarios, such as change system visualizations or design, change underlying data, add additional datasets, demonstrate analytics capabilities, or channel specific automation.
MMS Vendor Demo Script
| Customize and use Info-Tech’s MMS Vendor Demo Script to help identify how a vendor’s solution will fit your organization’s particular business capability needs. This tool assists with outlining logistical considerations for the demo itself and the scenarios with which the vendors should script their demonstration. Sections of the Tool:
Info-Tech Best PracticeAvoid providing vendors with a rigid script for product demonstration; instead, provide user scenarios. Part of the value of a vendor demonstration is the opportunity to assess whether or not the vendor project team has a solid understanding of your organization’s MMS challenges and requirements and can work with your team to determine the best solution possible. A rigid script may result in your inability to assess whether the vendor will adjust for and scale with your project and organization as a technology partner. | INFO-TECH DELIVERABLE Use the MMS Vendor Demo Script by following the instructions in Activity 3.1.4. |
Design a procurement process that is robust, ruthless, and reasonable. Rooting out bias during negotiation is vital to making unbiased vendor selections.
| Vendor Selection
Info-Tech’s approach to vendor selection gets you to design a procurement process that is robust, ruthless, and reasonable. This approach enables you to take control of vendor communications. Implement formal processes with an engaged team to achieve the right price, the right functionality, and the right fit for the organization with Info-Tech's blueprint Implement a Proactive and Consistent Vendor Selection Process. |
 |
| Vendor Negotiation
Info-Tech’s SaaS negotiation strategy focuses on taking control of implementation from the beginning. The strategy allows you to work with your internal stakeholders to make sure they do not team up with the vendor instead of you. Reach an agreement with your vendor that takes into account both parties’ best interests with Info-Tech’s blueprint Negotiate SaaS Agreements That Are Built to Last. |
 |
3.1 |
3.2 |
|
| Select Your MMS | Communicate Decision to Stakeholders |
Ensure traceability from the selected tool to the needs identified in the first phase. Internal stakeholders must understand the reasoning behind the final selection and see the alignment to their defined requirements and needs.
| Document the selection process to show how the selected tool aligns to stakeholder needs:
|
Documentation will assist with:
|
3.2.1 1 week
INPUT: MMS tool selection committee expertise
OUTPUT: Decision to invest or not invest in an MMS tool
Materials: Note-taking materials, Whiteboard or flip chart, markers
Participants: MMS tool selection committee
Documenting the process of how the selection decision was made will avoid major headaches down the road. Without a documented process, internal stakeholders and even vendors can challenge and discredit the selection process.
Adobe Systems Incorporated. “Bayer builds understanding, socially.” Adobe.com, 2017. Web.
IBM Corporation, “10 Key Marketing Trends for 2017.” IBM.com, 2017. Web.
Marketo, Inc. “The Definitive Guide to Marketing Automation.” Marketo.com, 2013. Web.
Marketo, Inc. “NBA franchise amplifies its message with help from Marketo’s marketing automation technology.” Marketo.com, 2017. Web.
Salesforce Pardot. “Marketing Automation & Your CRM: The Dynamic Duo.” Pardot.com, 2017. Web.
SAS Institute Inc. “Marketing Analytics: How, why and what’s next.” SAS Magazine, 2013. Web.
SAS Institute Inc. “Give shoppers offers they’ll love.” SAS.com, 2017. Web.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Identify the organization’s standing in terms of the enterprise architecture practice, and know the gaps and what the EA practice needs to fulfill to create a good governance framework.
Understand the EA fundamentals and then refresh them to better align the EA practice with the organization and create business benefit.
Analyze the IT operating model and identify EA’s role at each stage; refine it to promote effective EA engagement upfront in the early stages of the IT operating model.
Set up EA governing bodies to provide guidance and foster a collaborative environment by identifying the correct number of EA governing bodies, defining the game plan to initialize the governing bodies, and creating an architecture review process.
Create an EA policy to provide a set of guidelines designed to direct and constrain the architecture actions of the organization in the pursuit of its goals in order to improve architecture compliance and drive business value.
Define architecture standards to facilitate information exchange, improve collaboration, and provide stability. Develop a process to update the architectural standards to ensure relevancy and promote process transparency.
Craft a plan to engage the relevant stakeholders, ascertain the benefits of the initiative, and identify the various communication methods in order to maximize the chances of success.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Conduct stakeholder interviews to understand current state of EA practice and prioritize gaps for EA governance based on organizational complexity.
Prioritized list of actions to arrive at the target state based on the complexity of the organization
1.1 Determine organizational complexity.
1.2 Conduct an assessment of the EA governance components.
1.3 Identify and prioritize gaps.
1.4 Conduct senior management interviews.
Organizational complexity score
EA governance current state and prioritized list of EA governance component gaps
Stakeholder perception of the EA practice
Refine EA fundamentals to align the EA practice with the organization and identify EA touchpoints to provide guidance for projects.
Alignment of EA goals and objectives with the goals and objectives of the organization
Early involvement of EA in the IT operating model
2.1 Review the output of the organizational complexity and EA assessment tools.
2.2 Craft the EA vision and mission.
2.3 Develop the EA principles.
2.4 Identify the EA goals.
2.5 Identify EA engagement touchpoints within the IT operating model.
EA vision and mission statement
EA principles
EA goals and measures
Identified EA engagement touchpoints and EA level of involvement
Set up EA governing bodies to provide guidance and foster a collaborative environment by identifying the correct number of EA governing bodies, defining the game plan to initialize the governing bodies and creating an architecture review process.
Business benefits are maximized and solution design is within the options set forth by the architectural reference models while no additional layers of bureaucracy are introduced
3.1 Identify the number of governing bodies.
3.2 Define the game plan to initialize the governing bodies.
3.3 Define the architecture review process.
Architecture board structure and coverage
Identified architecture review template
Create an EA policy to provide a set of guidelines designed to direct and constrain the architecture actions of the organization in the pursuit of its goals in order to improve architecture compliance and drive business value.
Improved architecture compliance, which ties investments to business value and provides guidance to architecture practitioners
4.1 Define the scope.
4.2 Identify the target audience.
4.3 Determine the inclusion and exclusion criteria.
4.4 Craft an assessment checklist.
Defined scope
Inclusion and exclusion criteria for project review
Architecture assessment checklist
Define architecture standards to facilitate information exchange, improve collaboration, and provide stability.
Craft a communication plan to implement the new EA governance framework in order to maximize the chances of success.
Consistent development of architecture, increased information exchange between stakeholders
Improved process transparency
Improved stakeholder engagement
5.1 Identify and standardize EA work products.
5.2 Classifying the architectural standards.
5.3 Identifying the custodian of standards.
5.4 Update the standards.
5.5 List the changes identified in the EA governance initiative
5.6 Create a communication plan.
Identified set of EA work products to standardize
Architecture information taxonomy
Identified set of custodian of standards
Standard update process
List of EA governance initiatives
Communication plan for EA governance initiatives
"Enterprise architecture is not a technology concept, rather it is the foundation on which businesses orient themselves to create and capture value in the marketplace. Designing architecture is not a simple task and creating organizations for the future requires forward thinking and rigorous planning.
Architecture processes that are supposed to help facilitate discussions and drive option analysis are often seen as an unnecessary overhead. The negative perception is due to enterprise architecture groups being overly prescriptive rather than providing a set of options that guide and constrain solutions at the same time.
EA groups should do away with the direct and control mindset and change to a collaborate and mentor mindset. As part of the architecture governance, EA teams should provide an option set that constrains design choices, and also be open to changes to standards or best practices. "
Gopi Bheemavarapu, Sr. Manager, CIO Advisory Info-Tech Research Group
Info-Tech Insight
Enterprise architecture is critical to ensuring that an organization has the solid IT foundation it needs to efficiently enable the achievement of its current and future strategic goals rather than focusing on short-term tactical gains.
An architecture governance process is the set of activities an organization executes to ensure that decisions are made and accountability is enforced during the execution of its architecture strategy. (Hopkins, “The Essential EA Toolkit.”)
EA governance includes the following:
(TOGAF)
IT governance sets direction through prioritization and decision making, and monitors overall IT performance.
EA governance ensures that optimal architectural design choices are being made that focus on long-term value creation.
Effective EA governance ensures alignment between organizational investments and corporate strategic goals and objectives.
Architecture standards provide guidance to identify opportunities for reuse and eliminate redundancies in an organization.
Architecture review processes and assessment checklists ensure that solutions are within the acceptable risk levels of the organization.
EA governance is difficult to structure appropriately, but having an effective structure will allow you to:
Recent Info-Tech research found that organizations that establish EA governance realize greater benefits from their EA initiatives.
(Info-Tech Research Group, N=89)
Define key operational measures for internal use by IT and EA practitioners. Also, define business value measures that communicate and demonstrate the value of EA as an “enabler” of business outcomes to senior executives.
| EA performance measures (lead, operational) | EA value measures (lag) | |
|---|---|---|
| Application of EA management process | EA’s contribution to IT performance | EA’s contribution to business value |
Enterprise Architecture Management
IT Investment Portfolio Management
Solution Development
Operations Management
Business Value
Industry Insurance
Source Info-Tech
The insurance sector has been undergoing major changes, and as a reaction, businesses within the sector have been embracing technology to provide innovative solutions.
The head of EA in a major insurance provider (henceforth to be referred to as “INSPRO01”) was given the mandate to ensure that solutions are architected right the first time to maximize reuse and reduce technology debt. The EA group was at a critical point – to demonstrate business value or become irrelevant.
The project management office had been accountable for solution architecture and had placed emphasis on short-term project cost savings at the expense of long term durability.
There was a lack of awareness of the Enterprise Architecture group within INSPRO01, and people misunderstood the roles and responsibilities of the EA team.
Info-Tech helped define the responsibilities of the EA team and clarify the differences between the role of a Solution Architect vs. Enterprise Architect.
The EA team was able to make the case for change in the project management practices to ensure architectures are reviewed and approved prior to implementation.
As a result, INSPRO01 saw substantial increases in reuse opportunities and thereby derived more value from its technology investments.
The success of any EA governance initiative revolves around adopting best practices, setting up repeatable processes, and establishing appropriate controls.
Our best-practice approach is grounded in TOGAF and enhanced by the insights and guidance from our analysts, industry experts, and our clients.
Value-focused. Focus EA governance on helping the organization achieve business benefits. Promote EA’s contribution in realizing business value.
Right-sized. Insert EA governance into existing process checkpoints rather than creating new ones. Clearly define EA governance inclusion criteria for projects.
Measured. Define metrics to measure EA’s performance, and integrate EA governance with other governance processes such as project governance. Also clearly define the EA governing bodies’ composition, domain, inputs, and outputs.
Balanced. Adopt architecture principles that strikes the right balance between business and technology.
Info-Tech’s architectural governance framework provides a value-focused, right-sized approach with a strong emphasis on process standardization, repeatability, and sustainability.
As you move through the project, capture your progress with a summary in the EA Governance Framework Template.
Download the EA Governance Framework Template document for use throughout this project.
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| Current state of EA governance | EA Fundamentals | Engagement Model | EA Governing Bodies | |
|---|---|---|---|---|
| Best-Practice Toolkit |
1.1 Determine organizational complexity 1.2 Conduct an assessment of the EA governance components 1.3 Identify and prioritize gaps |
2.1 Craft the EA vision and mission 2.2 Develop the EA principles 2.3 Identify the EA goals |
3.1 Build the case for EA engagement 3.2 Identify engagement touchpoints within the IT operating model |
4.1 Identify the number of governing bodies 4.2 Define the game plan to initialize the governing bodies 4.3 Define the architecture review process |
| Guided Implementations |
|
|
|
|
|
Phase 1 Results:
|
Phase 2 Results:
|
Phase 3 Results:
|
Phase 4 Results:
|
| EA Policy | Architectural Standards | Communication Plan | |
|---|---|---|---|
| Best-Practice Toolkit |
5.1 Define the scope of EA policy 5.2 Identify the target audience 5.3 Determine the inclusion and exclusion criteria 5.4 Craft an assessment checklist |
6.1 Identify and standardize EA work products 6.2 Classify the architectural standards 6.3 Identify the custodian of standards 6.4 Update the standards |
7.1 List the changes identified in the EA governance initiative 7.2 Identify stakeholders 7.3 Create a communication plan |
| Guided Implementations |
|
|
|
|
Phase 5 Results:
|
Phase 6 Results:
|
Phase 7 Results:
|
Contact your account representative or email Workshops@InfoTech.com for more information.
| Pre-workshop | Workshop Day 1 | Workshop Day 2 | Workshop Day 3 | Workshop Day 4 | |
|---|---|---|---|---|---|
| Activities | Current state of EA governance | EA fundamentals and engagement model | EA governing bodies | EA policy | Architectural standards and communication plan |
1.1 Determine organizational complexity 1.2 Conduct an assessment of the EA governance components 1.3 Identify and prioritize gaps 1.4 Senior management interviews |
|
|
|
| |
| Deliverables |
|
|
|
|
|
This phase will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
Info-Tech Insight
Correlation is not causation – an apparent problem might be a symptom rather than a cause. Assess the organization’s current EA governance to discover the root cause and go beyond the symptoms.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Guided Implementation 1: Current State of EA Governance
Proposed Time to Completion: 2 weeks
Step 1.1: Determine organizational complexity
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
Step 1.2: Assess current state of EA governance
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
Determining organizational complexity is not rocket science. Use Info-Tech’s tool to quantify the complexity and use it, along with common sense, to determine the appropriate level of architecture governance.
1.1 2 hours
Step 1 - Facilitate
Download the EA Capability – Risk and Complexity Assessment Tool to facilitate a session on determining your organization’s complexity.
Download EA Organizational - Risk and Complexity Assessment Tool
Step 2 - Summarize
Summarize the results in the EA governance framework document.
Update the EA Governance Framework Template
EA governance is multi-faceted and it facilitates effective use of resources to meet organizational strategic objectives through well-defined structural elements.
EA Governance
Components of architecture governance
Next Step: Based on the organization’s complexity, conduct a current state assessment of EA governance using Info-Tech’s EA Governance Assessment Tool.
1.2 2 hrs
Step 1 - Facilitate
Download the “EA Governance Assessment Tool” to facilitate a session on identifying the best practices to be applied in your organization.
Download Info-Tech’s EA Governance Assessment Tool
Step 2 - Summarize
Summarize the identified best practices in the EA governance framework document.
Update the EA Governance Framework Template
Industry Insurance
Source Info-Tech
INSPRO01 was planning a major transformation initiative. The organization determined that EA is a strategic function.
The CIO had pledged support to the EA group and had given them a mandate to deliver long-term strategic architecture.
The business leaders did not trust the EA team and believed that lack of business skills in the group put the business transformation at risk.
The EA group had been traditionally seen as a technology organization that helps with software design.
The EA team lacked understanding of the business and hence there had been no common language between business and technology.
Info-Tech helped the EA team create a set of 10 architectural principles that are business-value driven rather than technical statements.
The team socialized the principles with the business and technology stakeholders and got their approvals.
By applying the business focused architectural principles, the EA team was able to connect with the business leaders and gain their support.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
Key Activities
Outcomes
This phase will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
Info-Tech Insight
A house divided against itself cannot stand – ensure that the EA fundamentals are aligned with the organization’s goals and objectives.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 3 weeks
Step 2.1: Develop the EA fundamentals
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Vision, mission, goals and measures, and principles form the foundation of the EA function.
The vision and mission statements provide strategic direction to the EA team. These statements should be created based on the business and technology drivers in the organization.
"The very essence of leadership is [that] you have a vision. It's got to be a vision you articulate clearly and forcefully on every occasion. You can't blow an uncertain trumpet." – Theodore Hesburgh
Articulates the desired future state of EA capability expressed in the present tense.
Example: To be recognized by both the business and IT as a trusted partner that drives [Company Name]’s effectiveness, efficiency, and agility.
Articulates the fundamental purpose of the EA capability.
Example: Define target enterprise architecture for [Company Name], identify solution opportunities, inform IT investment management, and direct solution development, acquisition, and operation compliance.
EA capability goals define specific desired outcomes of an EA management process execution. EA capability measures define how to validate the achievement of the EA capability goals.
Example:
Goal: Improve reuse of IT assets at [Company Name].
Measures:
EA principles are shared, long-lasting beliefs that guide the use of IT in constructing, transforming, and operating the enterprise by informing and restricting target-state enterprise architecture design, solution development, and procurement decisions.
Example:
Policies can be seen as “the letter of the law,” whereas EA principles summarize “the spirit of the law.”
EA capability goals, i.e. specific desired outcomes of an EA management process execution. Use COBIT 5, APO03 process goals, and metrics as a starting point.
Define key operational measures for internal use by IT and EA practitioners. Also, define business value measures that communicate and demonstrate the value of EA as an enabler of business outcomes to senior executives.
| EA performance measures (lead, operational) | EA value measures (lag) | |
|---|---|---|
| Application of EA management process | EA’s contribution to IT performance | EA’s contribution to business value |
Enterprise Architecture Management
IT Investment Portfolio Management
Solution Development
Operations Management
Business Value
2.1 2 hrs
Download the three templates and hold a working session to facilitate a session on creating EA fundamentals.
Download the EA Vision and Mission Template, the EA Principles Template, and the EA Goals and Measures Template
Document the final vision, mission, principles, goals, and measures within the EA Governance Framework.
Update the EA Governance Framework Template
Industry Insurance
Source Info-Tech
The EA group at INSPRO01 was being pulled in multiple directions with requests ranging from architecture review to solution design to code reviews.
Project level architecture was being practiced with no clarity on the end goal. This led to EA being viewed as just another IT function without any added benefits.
Info-Tech recommended that the EA team ensure that the fundamentals (vision, mission, principles, goals, and measures) reflect what the team aspired to achieve before fixing any of the process concerns.
The EA team was mostly comprised of technical people and hence the best practices outlined were not driven by business value.
The team had no documented vision and mission statements in place. In addition, the existing goals and measures were not tied to the business strategic objectives.
The team had architectural principles documented, but there were too many and they were very technical in nature.
With Info-Tech’s guidance, the team developed a vision and mission statement to succinctly communicate the purpose of the EA function.
The team also reduced and simplified the EA principles to make sure they were value driven and communicated in business terms.
Finally, the team proposed goals and measures to track the performance of the EA team.
With the fundamentals in place, the team was able to show the value of EA and gain organization-wide acceptance.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
Info-Tech Insight
Perform due diligence prior to decision making. Use the EA Engagement Model to promote conversations between stage gate meetings as opposed to having the conversation during the stage gate meetings.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 2 weeks
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Effective EA engagement revolves around three basic principles – generating business benefits, creating adaptable models, and being able to replicate the process across the organization.
Business Value Driven
Focus on generating business value from organizational investments.
Repeatable
Process should be standardized, transparent, and repeatable so that it can be consistently applied across the organization.
Flexible
Accommodate the varying needs of projects of different sizes.
Where these pillars meet: Advocates long-term strategic vs. short-term tactical solutions.
EA’s engagement in each stage within the plan, build, and run phases should be clearly defined and communicated.
| Plan | Strategy Development | Business Planning | Conceptualization | Portfolio Management |
|---|---|---|---|---|
| ↓ | ||||
| Build | Requirements | Solution Design | Application Development/ Procurement | Quality Assurance |
| ↓ | ||||
| Run | Deploy | Operate |
3.1 2-3 hr
Hold a working session with the participants to document the current IT operating model. Facilitate the activity using the following steps:
1. Map out the IT operating model.
2. Determine EA’s current role in the operating model.
Download the EA Engagement Model Template to document the organization’s current IT operating model.
Strategy Development
Also known as strategic planning, strategy development is fundamental to creating and running a business. It involves the creation of a longer-term game plan or vision that sets specific goals and objectives for a business.
| R | Those in charge of performing the task. These are the people actively involved in the completion of the required work. | → | Business VPs, EA, IT directors | R |
| A | The one ultimately answerable for the correct and thorough completion of the deliverable or task, and the one who delegates the work to those responsible. | → | CEO | A |
| C | Those whose opinions are sought before a decision is made, and with whom there is two-way communication. | → | PMO, Line managers, etc. | C |
| I | Those who are kept up to date on progress, and with whom there is one-way communication. | → | Development managers, etc. | I |
Next Step: Similarly define the RACI for each stage of the IT operating model; refer to the activity slide for prompts.
| Plan |
Strategy Development C |
Business Planning C |
Conceptualization A |
Portfolio Management C |
|---|---|---|---|---|
| Build |
Requirements C |
Solution Design R |
Application Development/ Procurement R |
Quality Assurance I |
| Run |
Deploy I |
Operate I |
Next Step: Define the role of EA in each stage of the IT operating model; refer to the activity slide for prompts.
3.2 2 hrs
Download the EA Engagement Model Template and hold a working session to define EA’s target role in each step of the IT operating model.
Download the EA Engagement Model Template
Document the target state role of EA within the EA Governance Framework document.
Update the EA Governance Framework Template
Industry Insurance
Source Info-Tech
INSPRO01 had a high IT cost structure with looming technology debt due to a preference for short-term tactical gains over long-term solutions.
The business satisfaction with IT was at an all-time low due to expensive solutions that did not meet business needs.
INSPRO01’s technology landscape was in disarray with many overlapping systems and interoperability issues.
No single team within the organization had an end-to-end perspective all the way from strategy to project execution. A lot of information was being lost in handoffs between different teams.
This led to inconsistent design/solution patterns being applied. Investment decisions had not been grounded in reality and this often led to cost overruns.
Info-Tech helped INSPRO01 identify opportunities for EA team engagement at different stages of the IT operating model. EA’s role within each stage was clearly defined and documented.
With Info-Tech’s help, the EA team successfully made the case for engagement upfront during strategy development rather than during project execution.
The increased transparency enabled the EA team to ensure that investments were aligned to organizational strategic goals and objectives.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
Key Activities
Outcomes
This phase will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
Info-Tech Insight
Use architecture governance like a scalpel rather than a hatchet. Implement governing bodies to provide guidance rather than act as a police force.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 2 weeks
Step 4.1: Identify architecture boards and develop charters
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
Step 4.2: Develop an architecture review process
Follow-up with an analyst call:
Then complete these activities…
With these tools & templates:
The primary purpose of architecture boards is to ensure that business benefits are maximized and solution design is within the options set forth by the architectural reference models without introducing additional layers of bureaucracy.
The optimal number of architecture boards required in an organization is a function of the following factors:
Commonly observed architecture boards:
Info-Tech Insight
Before building out a new governance board, start small by repurposing existing forums by adding architecture as an agenda item. As the items for review increase consider introducing dedicated governing bodies.
EA teams can be organized in three ways – distributed, federated, and centralized. Each model has its own strengths and weaknesses. EA governance must be structured in a way such that the strengths are harvested and the weaknesses are mitigated.
| Distributed | Federated | Centralized | |
|---|---|---|---|
| EA org. structure |
|
|
|
| Implications |
|
|
|
| Architectural boards |
|
|
|
| Level 1 | Architecture Review Board | IT and Business Leaders | ||||
| Level 2 | Business Architecture Board | Data Architecture Board | Application Architecture Board | Infrastructure Architecture Board | Security Architecture Board | IT and Business Managers |
| Level 3 | Architecture Working Groups | Architects | ||||
Start with this:
| Level 1 | Architecture Review Board |
| Level 2 | Technical Architecture Committee |
| Level 3 | Architecture Working Groups |
Change to this:
| Architecture Review Board | IT and Business Leaders | ||||
| Business Architecture Board | Data Architecture Board | Application Architecture Board | Infrastructure Architecture Board | Security Architecture Board | IT and Business Managers |
| Architecture Working Groups | Architects | ||||
The boards at each level should be set up with the correct agenda – ensure that the boards’ composition and activities reflect their objective. Use the entry criteria to communicate the agenda for their meetings.
| Architecture Review Board | Technical Architecture Committee | |
|---|---|---|
| Objective |
|
|
| Composition |
|
|
| Activities |
|
|
| Entry Criteria |
|
|
4.1 2 hrs
Hold a working session with the participants to identify the number of governing bodies. Facilitate the activity using the following steps:
Download the Architecture Board Charter Template to document this activity.
The charter represents the agreement between the governing body and its stakeholders about the value proposition and obligations to the organization.
4.2 3 hrs
Hold a working session with the stakeholders to define the charter for each of the identified architecture boards.
Download Architecture Board Charter Template
Update the EA Governance Framework document
The best-practice model presented facilitates the creation of sound solution architecture through continuous engagement with the EA team and well-defined governance checkpoints.
4.3 2 hours
Hold a working session with the participants to develop the architecture review process. Facilitate the activity using the following steps:
Download the Architecture Review Process Template for additional guidance regarding developing an architecture review process.
4.3 2 hrs
Download Architecture Review Process Template and facilitate a session to customize the best-practice model presented in the template.
Download the Architecture Review Process Template
Summarize the process changes and document the process flow in the EA Governance Framework document.
Update the EA Governance Framework Template
Industry Insurance
Source Info-Tech
At INSPRO01, architecture governance boards were a bottleneck. The boards fielded all project requests, ranging from simple screen label changes to complex initiatives spanning multiple applications.
These boards were designed as forums for technology discussions without any business stakeholder involvement.
INSPRO01’s management never gave buy-in to the architecture governance boards since their value was uncertain.
Additionally, architectural reviews were perceived as an item to be checked off rather than a forum for getting feedback.
Architectural exceptions were not being followed through due to the lack of a dispensation process.
Info-Tech has helped the team define adaptable inclusion/exclusion criteria (based on project complexity) for each of the architectural governing boards.
The EA team was able to make the case for business participation in the architecture forums to better align business and technology investment.
An architecture dispensation process was created and operationalized. As a result architecture reviews became more transparent with well-defined next steps.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
Key Activities
Info-Tech Insight
Use the EA policy to promote EA’s commitment to deliver value to business stakeholders through process transparency, stakeholder engagement, and compliance.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 3 weeks
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Architecture policy is a set of guidelines, formulated and enforced by the governing bodies of an organization, to guide and constrain architectural choices in pursuit of strategic goals.
Architecture compliance – promotes compliance to organizational standards through well-defined assessment checklists across architectural domains.
Business value – ensures that investments are tied to business value by enforcing traceability to business capabilities.
Architectural guidance – provides guidance to architecture practitioners on the application of the business and technology standards.
An enterprise architecture policy is an actionable document that can be applied to projects of varying complexity across the organization.
5.1 2.5 hrs
Step 1 - Facilitate
Download the EA Policy Template and hold a working session to draft the EA policy.
Download the EA Policy Template
Step 2 - Summarize
Update the EA Governance Framework Template
Architecture assessment checklist is a list of future-looking criteria that a project will be assessed against. It provides a set of standards against which projects can be assessed in order to render a decision on whether or not the project can be greenlighted.
Architecture checklists should be created for each EA domain since each domain provides guidance on specific aspects of the project.
Business Architecture:
Data Architecture:
Application Architecture:
Infrastructure Architecture:
Security Architecture:
5.2 2 hrs
Step 1 - Facilitate
Download the EA Assessment Checklist Template and hold a working session to create the architectural assessment checklists.
Download the EA Assessment Checklist Template
Step 2 - Summarize
Update the EA Governance Framework Template
Approved
Conditional Approval
Not Approved
Waivers are not permanent. Waiver terms must be documented for each waiver specifying:
5.4 3-4 hrs
Step 1 - Facilitate
Download the EA compliance waiver template and hold a working session to customize the best-practice process to your organization’s needs.
Download the EA Compliance Waiver Process Template
Step 2 - Summarize
Update the EA Governance Framework Template
Industry Insurance
Source Info-Tech
EA program adoption across INSPRO01 was at its lowest point due to a lack of transparency into the activities performed by the EA group.
Often, projects ignored EA entirely as it was viewed as a nebulous and non-value-added activity that produced no measurable results.
There was very little documented information about the architecture assessment process and the standards against which project solution architectures were evaluated.
Additionally, there were no well-defined outcomes for the assessment.
Project groups were left speculating about the next steps and with little guidance on what to do after completing an assessment.
Info-Tech helped the EA team create an EA policy containing architecture significance criteria, assessment checklists, and reference to the architecture review process.
Additionally, the team also identified guidelines and detailed next steps for projects based on the outcome of the architecture assessment.
These actions brought clarity to EA processes and fostered better engagement with the EA group.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
Key Activities
Outcomes
Info-Tech Insight
The architecture standard is the currency that facilitates information exchange between stakeholders. The primary purpose is to minimize transaction costs by providing a balance between stability and relevancy.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 4 weeks
Start with an analyst kick-off call:
Then complete these activities…
Review with analyst:
Then complete these activities…
With these tools & templates:
6.1 3 hrs
Instructions:
Hold a working session with the participants to identify and standardize work products. Facilitate the activity using the steps below.
As the EA function begins to grow and accumulates EA work products, having a well-designed folder structure helps you find the necessary information efficiently.
Describes the organizationally tailored architecture framework.
Defines the parameters, structures, and processes that support the enterprise architecture group.
An architectural presentation of assets in use by the enterprise at particular points in time.
Captures the standards with which new architectures and deployed services must comply.
Provides guidelines, templates, patterns, and other forms of reference material to accelerate the creation of new architectures for the enterprise.
Provides a record of governance activity across the enterprise.
6.2 5-6 hrs
Instructions:
Hold a working session with the participants to create a repository structure. Facilitate the activity using the steps below:
Identify
Assess
Document
Approve
Communicate
6.3 1.5 hrs
Step 1 - Facilitate
Download the standards update process template and hold a working session to customize the best practice process to your organization’s needs.
Download the Architecture Standards Update Process Template
Step 2 - Summarize
Summarize the objectives and the process flow in the EA governance framework document.
Update the EA Governance Framework Template
Industry Insurance
Source Info-Tech
INSPRO01 didn’t maintain any centralized standards and each project had its own solution/design work products based on the preference of the architect on the project. This led to multiple standards across the organization.
Lack of consistency in architectural deliverables made the information hand-offs expensive.
INSPRO01 didn’t maintain the architectural documents in a central repository and the information was scattered across multiple project folders.
This caused key stakeholders to make decisions based on incomplete information and resulted in constant revisions as new information became available.
Info-Tech recommended that the EA team identify and standardize the various EA work products so that information was collected in a consistent manner across the organization.
The team also recommended an information taxonomy to store the architectural deliverables and other collateral.
This resulted in increased consistency and standardization leading to efficiency gains.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
Key Activities
Outcomes
Info-Tech Insight
By failing to prepare, you are preparing to fail – maximize the likelihood of success for EA governance by engaging the relevant stakeholders and communicating the changes.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 1 week
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
The changes made to the EA governance components need to be reviewed, approved, and communicated to all of the impacted stakeholders.
Step 1: Hold a meeting with stakeholders to review, refine, and agree on the changes.
Step 2: Obtain an official approval from the stakeholders.
Step 3: Communicate the changes to the impacted stakeholders.
7.1 3 hrs
Hold a working session with the participants to create the EA governance framework as well as the communication plan. Facilitate the activity using the steps below:
Download the EA Governance Communication Plan Template and EA Governance Framework Template for additional instructions and to document your activities in this phase.
Industry Insurance
Source Info-Tech
The EA group followed Info-Tech’s methodology to assess the current state and has identified areas for improvement.
Best practices were adopted to fill the gaps identified.
The team planned to communicate the changes to the technology leadership team and get approvals.
As the EA team tried to roll out changes, they encountered resistance from various IT teams.
The team was not sure of how to communicate the changes to the business stakeholders.
Info-Tech has helped the team conduct a thorough stakeholder analysis to identify all the stakeholders who would be impacted by the changes to the architecture governance framework.
A comprehensive communication plan was developed that leveraged traditional email blasts, town hall meetings, and non-traditional methods such as team blogs.
The team executed the communication plan and was able to manage the change effectively.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
Key Activities
Outcomes
Government of British Columbia. “Architecture and Standards Review Board.” Government of British Columbia. 2015. Web. Jan 2016. < http://www.cio.gov.bc.ca/cio/standards/asrb.page >
Hopkins, Brian. “The Essential EA Toolkit Part 3 – An Architecture Governance Process.” Cio.com. Oct 2010. Web. April 2016. < http://www.cio.com/article/2372450/enterprise-architecture/the-essential-ea-toolkit-part-3---an-architecture-governance-process.html >
Kantor, Bill. “How to Design a Successful RACI Project Plan.” CIO.com. May 2012. Web. Jan 2016. < http://www.cio.com/article/2395825/project-management/how-to-design-a-successful-raci-project-plan.html >
Sapient. “MIT Enterprise Architecture Guide.” Sapient. Sep 2004. Web. Jan 2016. < http://web.mit.edu/itag/eag/FullEnterpriseArchitectureGuide0.1.pdf >
TOGAF. “Chapter 41: Architecture Repository.” The Open Group. 2011. Web. Jan 2016. < http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap41.html >
TOGAF. “Chapter 48: Architecture Compliance.” The Open Group. 2011. Web. Jan 2016. < http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap48.html >
TOGAF. “Version 9.1.” The Open Group. 2011. Web. Jan 2016. http://pubs.opengroup.org/architecture/togaf9-doc/arch/
United States Secret Service. “Enterprise Architecture Review Board.” United States Secret Service. Web. Jan 2016. < http://www.archives.gov/records-mgmt/toolkit/pdf/ID191.pdf >
Virginia Information Technologies Agency. “Enterprise Architecture Policy.” Commonwealth of Virginia. Jul 2006. Web. Jan 2016. < https://www.vita.virginia.gov/uploadedfiles/vita_main_public/library/eapolicy200-00.pdf >
Alan Mitchell, Senior Manager, Global Cities Centre of Excellence, KPMG
Alan Mitchell has held numerous consulting positions before his role in Global Cities Centre of Excellence for KPMG. As a Consultant, he has had over 10 years of experience working with enterprise architecture related engagements. Further, he worked extensively with the public sector and prides himself on his knowledge of governance and how governance can generate value for an organization.
Ian Gilmour, Associate Partner, EA advisory services, KPMG
Ian Gilmour is the global lead for KPMG’s enterprise architecture method and Chief Architect for the KPMG Enterprise Reference Architecture for Health and Human Services. He has over 20 years of business design experience using enterprise architecture techniques. The key service areas that Ian focuses on are business architecture, IT-enabled business transformation, application portfolio rationalization, and the development of an enterprise architecture capability within client organizations.
Djamel Djemaoun Hamidson, Senior Enterprise Architect, CBC/Radio-Canada
Djamel Djemaoun is the Senior Enterprise Architect for CBC/Radio-Canada. He has over 15 years of Enterprise Architecture experience. Djamel’s areas of special include service-oriented architecture, enterprise architecture integration, business process management, business analytics, data modeling and analysis, and security and risk management.
Sterling Bjorndahl, Director of Operations, eHealth Saskatchewan
Sterling Bjorndahl is now the Action CIO for the Sun Country Regional Health Authority, and also assisting eHealth Saskatchewan grow its customer relationship management program. Sterling’s areas of expertise include IT strategy, enterprise architecture, ITIL, and business process management. He serves as the Chair on the Board of Directors for Gardiner Park Child Care.
Huw Morgan, IT Research Executive, Enterprise Architect
Huw Morgan has 10+ years experience as a Vice President or Chief Technology Officer in Canadian internet companies. As well, he possesses 20+ years experience in general IT management. Huw’s areas of expertise include enterprise architecture, integration, e-commerce, and business intelligence.
Serge Parisien, Manager, Enterprise Architecture at Canada Mortgage Housing Corporation
Serge Parisien is a seasoned IT leader with over 25 years of experience in the field of information technology governance and systems development in both the private and public sectors. His areas of expertise include enterprise architecture, strategy, and project management.
Alex Coleman, Chief Information Officer at Saskatchewan Workers’ Compensation Board
Alex Coleman is a strategic, innovative, and results-driven business leader with a proven track record of 20+ years’ experience planning, developing, and implementing global business and technology solutions across multiple industries in the private, public, and not-for-profit sectors. Alex’s expertise includes program management, integration, and project management.
L.C. (Skip) Lumley , Student of Enterprise and Business Architecture
Skip Lumley was formerly a Senior Principle at KPMG Canada. He is now post-career and spends his time helping move enterprise business architecture practices forward. His areas of expertise include enterprise architecture program implementation and public sector enterprise architecture business development.
Gert Taeymans BV wants to inform you about our cookie notice on the Gert Taeymans BV websites via this document. Please also see the privacy policy which you can find here.
This website is owned by Gert Taeymans BV
Contact details:
Gert Taeymans BV
Koning Albertstraat 136
2070 Burcht
Belgium
Company number: 0685974694
Phone: +32 3 289 41 09
email: gtbvba@gerttaeymans.com
The websites in scope of this notice are:
We differentiate 4 types of cookies
| Name | Contents | Expiration | Reason for the cookie |
| Session cookie (displayed as a long series of numbers and letters) | The active session ID | When you close your broser, clear your cookie's cache in your browser or after 60 minutes of inactivity on the site. The cookie may remain in your machine but is no longer valid after the mentioned tile of inactivity |
The browser cookie is simply a random string of characters to identify the visitor. There are no personally identifable details in the cookie and no real data of use at all. The cookie is marked as a 'session' type of cookie, which means it will expire (be deleted automatically) when the browser is closed or cleaned by the browser after a set period of non-use; for instance, you haven't visited a page on the site that has used the cookie for 1 week. This latter case is useful for people that leave their computer running and never close their browser. The use of a cookie is what gives your website a short-term memory. By providing it with each request, Joomla can look up the history of the current viewing session in the database record below. |
| cookieconsent_status | allow | 1 year | This cookie stores that you have consented to the use of cookies on our site. It is there to avoid that you have to give your consent again at every page load. |
| Site | Name | Contents | Expiration | Reason for the cookie |
| gerttaeymans.consulting | None at this stage | N/A | N/A | N/A |
| tymansgroup.com | None at this stage | N/A | N/A | N/A |
| Site | Name | Contents | Expiration | Reason for the cookie |
| All Scope | _ga | Google Analytics type and account identifier | 2 years | This cookie identifies our domain (gerttaeymans.consulting) and sends visit information to Google. information may include, but not limited to: browser identifiable information, page visited, visit duration, etc. This information does not contain user identifiable information |
| All Scope | _gat_gtag_UA_140807308_3 | Google Analytics type and account identifier | 2 years | This cookie also identifies our domain (gerttaeymans.consulting) and sends visit information to Google. information may include, but not limited to: browser identifiable information, page visited, visit duration, etc. This information does not contain user identifiable information |
| All Scope | _gid | Google Analytics type and account identifier | 1 day | This cookie also identifies our domain (gerttaeymans.consulting) and sends visit information to Google. information may include, but not limited to: browser identifiable information, page visited, visit duration, etc. This information does not contain user identifiable information |
| Name | Contents | Expiration | Reason for the cookie |
| None at this stage | N/A | N/A | N/A |
You are not required to accept any cookies . Our cookies toolbar allows you to fine tune which cookies you accespt or want to revoke consent for. The resulting experience may however be affected by your decision not to accept cookies.
Eg. not accepting or revoking consent for the “Necessary” category cookies will result in your inability to log into the site, even if you have previously accepted the cookies and paid for service.
Not accepting or revoking consent for “Preference” category cookies may impede on your ability to watch instructional videos on our site, even if you have previously accepted the cookies and paid for service.
Not accepting or revoking consent for ‘Statistical” category cookies will result in us not seeing where visitors stay longer or shorter on our site. While the immediate experience will not degrade for you, it may impede us in better understanding where we need to improve our service, thereby denying you a potentially improved experience in the future.
Not accepting or revoking consent for “Marketing” category cookies may result in you seeing irrelevant ads, if we make the decision to allow carefully selected partners to offer their services through our site.
You can delete all cookies that are already on your device by clearing the browsing history of your browser. This will remove all cookies from all websites you have visited.
Be aware though that you may also lose some saved information (e.g. saved login details, site preferences).
For more detailed control over site-specific cookies, check the privacy and cookie settings in your preferred browser
You can set most modern browsers to prevent any cookies being placed on your device, but you may then have to manually adjust some preferences every time you visit a site/page. And some services and functionalities may not work properly at all (e.g. profile logging-in).
Define your target cloud operations state first, then plan how to get there. If you begin by trying to reconstruct on-prem operations in the cloud, you will build an operations model that is the worst of both worlds.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This storyboard will help you assess your cloud maturity, understand relevant ways of working, and create a meaningful design of your cloud operations that helps align team members and stakeholders.
Use these templates and tools to assess your current state, design the cloud operations organizing framework, and create a roadmap.
Use these templates and tools to plan how you will communicate changes to key stakeholders and communicate the new cloud operations organizing framework in an executive presentation.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Establish Context
Alignment on target state
1.1 Assess current cloud maturity and areas in need of improvement
1.2 Identify the drivers for organizational redesign
1.3 Review cloud objectives and obstacles
1.4 Develop organization design principles
Cloud maturity assessment
Project drivers
Cloud challenges and objectives
Organization design principles
Establish Context
Understanding of cloud workstreams
2.1 Evaluate new ways of working
2.2 Develop a workstream target statement
2.3 Identify cloud work
Workstream target statement
Cloud operations workflow diagrams
Design the Organization
Visualization of the cloud operations future state
3.1 Design a future-state cloud operations diagram
3.2 Create a current-state cloud operations diagram
3.3 Define success indicators
Future-state cloud operations diagram
Current-state cloud operations diagram
Success indicators
Communicate the Changes
Alignment and buy-in from stakeholders
4.1 Create a roadmap
4.2 Create a communication plan
Roadmap
Communication plan
EXECUTIVE BRIEF
 | Andrew Sharp Research Director Infrastructure & Operations Practice | It’s “day two” in the cloud. Now what? Just because you’re in the cloud doesn’t mean everyone is on the same page about how cloud operations work – or should work. You have an opportunity to implement new ways of working. But if people can’t see the bigger picture – the organizing framework of your cloud operations – it will be harder to get buy-in to realize value from your cloud services. Use Info-Tech’s methodology to build out and visualize a cloud operations organizing framework that defines cloud work and aligns it to the right areas. |
 | Nabeel Sherif Principal Research Director Infrastructure & Operations Practice | |
 | Emily Sugerman Research Analyst Infrastructure & Operations Practice | |
 | Scott Young Principal Research Director Infrastructure & Operations Practice |
Your Challenge | Common Obstacles | Info-Tech’s Approach |
|---|---|---|
Widespread cloud adoption has created new opportunities and challenges:
|
| Clearly communicate the need for operations changes:
|
Define your target cloud operations state first, then plan how to get there. If you begin by trying to reconstruct on-prem operations in the cloud, you will build an operations model that is the worst of both worlds.
Traditional IT capabilities, activities, organizational structures, and culture need to adjust to leverage the value of cloud, optimize spend, and manage risk.
Obstacles, by the numbers:
85% of respondents reported security in the cloud was a serious concern.
73% reported balancing responsibilities between a central cloud team and business units was a top concern.
The average organization spent 13% more than they’d budgeted on cloud – even when budgets were expected to increase by 29% in the next year.
32% of all cloud spend was estimated to be wasted spend.
56% of operations professionals said their primary focus is cloud services.
81% of security professionals thought it was difficult to get developers to prioritize bug fixes.
42% of security professionals felt bugs were being caught too late in the development process.
1. Ensure alignment with the risks and drivers of the business and understand your organization’s strengths and gaps for a cloud operations world.
2. Understand the balance of different types of deliveries you’re responsible for in the cloud.
3. Reduce risk by reinforcing the key operational pillars of cloud operations to your workstreams.
4. Identify “work areas,” decide which area is responsible for what tasks and how work areas should interact in order to best facilitate desired business outcomes.
Start by designing operations around the main workflow you have for cloud services; i.e. If you mostly build or host in cloud, build the diagram to maximize value for that workflow.
Proper design of roles and responsibilities for each cloud workflow category will help reduce risk by reinforcing the key operational pillars of cloud operations.
We base this on a composite of the well-architected frameworks established by the top global cloud providers today.
Workflow Categories
Key Pillars
Risks to Mitigate
Assess Maturity and Ways of Working | Define Cloud Work | Design Cloud Operations | Communicate and Secure Buy-in |
|---|---|---|---|
Assess your key workflows’ maturity for “life in the cloud,” related to Key Operational Pillars. Evaluate your readiness and need for new ways of working. | Identify the work that must be done to deliver value in cloud services. | Define key cloud work areas, the work they do, and how they should share information and interact. | Outline the change you recommend to a range of stakeholders. Gain buy-in for the plan. |
Assess the intensity and cloud maturity of your IT operations for each of the key cloud workstreams: Consume, Host, and Build |  | Identify stakeholders, what’s in it for them, what the impact will be, and how you will communicate over the course of the change. |  |
Cloud Operations Design Sketchbook Capture the diagram as you build it. |  | Build a roadmap to put the design into action. |  |
Cloud Operations Organizing Framework
The Cloud Operations Organizing Framework is a communication tool that introduces the cloud operations diagram and establishes its context and justification.
Phase 1: Establish Context 1.1: Identify challenges, opportunities, and cloud maturity 1.2: Evaluate new ways of working 1.3: Define cloud work | Phase 2: Design the organization and communicate changes 2.1: Design a draft cloud operations diagram 2.2: Communicate changes |
Outputs | |
Cloud Services Objectives and Obstacles Cloud Operations Workflow Diagrams Cloud Maturity Assessment | Draft Cloud Operations Diagram Communication Plan Roadmap Tool Cloud Operations Organizing Framework |
Benefits for IT | Benefits for the business |
|---|---|
|
|
Example Goal | How this blueprint can help | How you might measure success/value |
|---|---|---|
Streamline Responsibilities The operations team is spending too much time fighting applications fires, which is distracting it from needed platform improvements. |
|
|
Improve Cost Visibility The teams responsible for cost management today don’t have the authority, visibility, or time to effectively find wasted spend. The teams responsible for cost management today don’t have the authority, visibility, or time to effectively find wasted spend. |
|
|
Cloud Vision |  | Cloud Strategy |
|---|---|---|
It is difficult to get or maintain buy-in for changes to operations without everyone on the same page about the basic value proposition cloud offers your organization. Do the workload and risk analysis to create a defensible cloud vision statement that boils down into a single statement: “This is how we want to use the cloud.” | Once you have your basic cloud vision, take the next step by documenting a cloud strategy. Establish your steering committee with stakeholders from IT, business, and leadership to work through the essential decisions around vision and alignment, people, governance, and technology. Your cloud operations design should align to a cloud strategy document that provides guidelines on establishing a cloud council, preparing staff for changing skills, mitigating risks through proper governance, and setting a direction for migration, provisioning, and monitoring decisions. |
Focus on the future, not the present | ||
Define your target cloud operations state first, then plan how to get there. If you begin by trying to reconstruct on-prem operations in the cloud, you will build an operations model that is the worst of both worlds. | ||
Responsibilities change in the cloud | Understand what you mean by cloud work | Focus where it matters |
Cloud is a different way of consuming IT resources and applications and it requires a different operational approach than traditional IT. In most cases, cloud operations involves less direct execution and more service validation and monitoring | Work that is invisible to the customer can still be essential to delivering customer value. A lot of operations work is invisible to your organization’s customers but is required to deliver stability, security, efficiency, and more. Cloud work is not just applications that have been approved by IT. Consider how unsanctioned software purchased by the business will be integrated and managed. | Start by designing operations around the main workflow you have for cloud services. If you mostly build or host in the cloud, build the diagram to maximize value for that workflow. Design principles will often change over time as the organization’s strategy evolves. Identify skills requirements and gaps as early as possible to avoid skills gaps later. Whether you plan to acquire skills via training or cross-training, hiring, contracting, or outsourcing, effectively building skills takes time. |
DIY Toolkit | Guided Implementation | Workshop | Consulting |
|---|---|---|---|
| “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” | “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” | “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” | “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” |
Phase 1 | Phase 2 |
|---|---|
Call #1: Scope requirements, objectives, and your specific challenges Calls #2&3: Assess cloud maturity and drivers for org. redesign Call #4: Review cloud objectives and obstacles Call #5: Evaluate new ways of working and identify cloud work | Calls #6&7: Create your Cloud Operations diagram Call #8: Create your communication plan and build roadmap |
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | |
|---|---|---|---|---|---|
Establish Context | Design the Organization and Communicate Changes | Next Steps and | |||
Activities | 1.1 Assess current cloud maturity and areas in need of improvement 1.2 Identify the drivers for organizational redesign 1.3 Review cloud objectives and obstacles 1.4 Develop organization design principles | 2.1 Evaluate new ways of working 2.2 Develop a workstream target statement 2.3 Identify cloud work | 3.1 Design a future-state cloud operations diagram 3.2 Create a current state cloud operations diagram 3.3 Define success indicators | 4.1 Create a roadmap 4.2 Create a communication plan | 5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. |
Deliverables |
|
|
|
| Cloud Operations Organizing Framework. |
Phase 1 | Phase 2 |
|---|---|
1.1 Establish operating model design principals by identifying goals & challenges, workstreams, and cloud maturity 1.2 Evaluate new ways of working 1.3 Identify cloud work | 2.1 Draft an operating model 2.2 Communicate proposed changes |
Define current maturity and which workstreams are important to your organization.
Understand new operating approaches and which apply to your workstream balance.
Identify a new target state for IT operations.
1. Identify an operations design working group | 2. Review cloud vision and strategy | 3. Create a working folder |
|---|---|---|
This should be a group with insight into current cloud challenges, and with the authority to drive change. This group is the main audience for the activities in this blueprint. | Review your established planning work and documentation. | Create a repository to house your notes and any work in progress. |
15 minutes
Create a central repository to support transparency and collaboration. It’s an obvious step, but one that’s often forgotten.
“Start small: Begin with a couple services. Then, based on the feedback you receive from Operations and the business, modify your approach and keep increasing your footprint.” – Nenad Begovic
As you adopt cloud services, the operations core mission remains . . .
. . . but operational activities are evolving.
“As operating models shift to the cloud, you still need the same people and processes. However, the shift is focused on a higher level of operations. If your people no longer focus on server uptime, then their success metrics will change. When security is no longer protected by the four walls of a datacenter, your threat profile changes.”
(Microsoft, “Understand Cloud Operating Models,” 2022)
When using a vendor-operated public cloud, IT exists in a shared responsibility model with the cloud service provider, one that is further differentiated by the type of cloud service model in use: broadly, software-as a service (SaaS), platform-as-a-service (PaaS), or infrastructure-as-a-service (IaaS).
Your IT operations organization may still reflect a structure where IT retains control over the entire infrastructure stack from facilities to application and defines their operational roles and processes accordingly.
If the organization chooses a co-location facility, they outsource facility responsibility to a third-party provider, but much of the rest of the traditional IT operating model remains the same. The operations model that worked for an entirely premises-based environment is very different from one that is made up of, for instance, a portfolio of SaaS applications, where your control is limited to the top of the infrastructure stack at the application layer.
Once an organization migrates workloads to the cloud, IT gives up an increasing amount of control to the vendor, and its traditional operational roles & responsibilities necessarily change.
Work that is invisible to the customer can still be essential to delivering customer value. A lot of operations work is invisible to your organization’s customers but required to deliver stability, security, efficiency, and more.
Evolving to cloud-optimal operations also means re-assessing and adapting your team’s approach to achieving cloud maturity, especially with respect to how automation and standardization can be leveraged to best achieve optimization in cloud.
| Traditional IT | Design | Execute | Validate | Support | Monitor |
| Cloud | Design | Execute | Validate | Support | Monitor |
Cloud is a different way of consuming IT resources and applications and requires a different operational approach than traditional IT.
In most cases, cloud operations involves less direct execution and more service validation and monitoring.
Service Model | Example | Function |
|---|---|---|
Software-as-a-Service (SaaS) | Salesforce.com Office 365 Workday | Consume |
Platform-as-a-Service (PaaS) | Azure Stack AWS SageMaker WordPress | Build |
Infrastructure-as-a-Service (IaaS) | Microsoft Azure Amazon EC2 Google Cloud Platform | Host |
Function | Business Need | Service Model | Example Tasks |
|---|---|---|---|
Consume | “I need a commodity, off-the-shelf service that we can configure to our organization’s needs. | Software-as-a-Service (SaaS) | Onboard and add users to a new SaaS offering. Vendor management of SaaS providers. Configure/integrate the SaaS offering to meet business needs. |
Build | “I need to create significantly customized or net-new products and services.” | Platform-as-a-Service (PaaS) & Infrastructure as-a-Service (IaaS) | Create custom applications. Build and maintain a container platform. Manage CI/CD pipelines and tools. Share infrastructure and applications patterns. |
Host | “I need compute, storage, and networking components that reflect key cloud characteristics (on-demand self-service, metered usage, etc.).” | Infrastructure-as-a-Service (IaaS) | Stand up compute, networking, and storage resources to host a COTS application. Plan to increase storage capacity to support future demand. |
“In order to accelerate public cloud adoption, you need to focus on infrastructure-as-code and script everything you can. Unlike traditional operations, CloudOps focuses on creating scripts: a script for task A, a script for task B, etc.”
– Nenad Begovic
Pillars
General Best Practice Capability Areas
2 hours
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
Download theCloud Maturity Assessment Tool
Whiteboard Activity
An absolute must-have in any successful redesign is a shared understanding and commitment to changing the status quo.
Without a clear and urgent call to action, the design changes will be seen as change for the sake of change and therefore entirely safe to ignore.
Take up the following questions as a group:
Record your answers so you can reference and use them in the communication materials you’ll create in Phase 2.
| Input | Output |
|
|
| Materials | Participants |
|
|
“We know, for example, that 70 percent of change programs fail to achieve their goals, largely due to employee resistance and lack of management support. We also know that when people are truly invested in change it is 30 percent more likely to stick.”
– Ewenstein, Smith, Sologar
McKinsey (2015)
Consider what you intend to achieve and the obstacles to overcome to help identify the changes required to achieve your desired future state.
Advantage Perspective | Ideas for Change | Obstacle Perspective |
What advantages do cloud services offer us as an organization? For example:
| What obstacles prevent us from realizing value in cloud services? For example:
|
Whiteboard Activity
1 hour
| Input | Output |
|
|
| Materials | Participants |
|
|
Cloud Advantages/Objectives
| Obstacles Need to speed up provisioning of PaaS/IaaS/data resources to development and project teams. No time to develop and improve platform services and standards due to other responsibilities. We constantly run up unexpected cloud costs. Not enough time for continuous learning and development. The business will buy SaaS apps and only let us know after they’ve been purchased, leading to overlapping functionality; gaps in compliance, security, or data protection requirements; integration challenges; cost inefficiencies; and more. Role descriptions haven’t kept up with tech changes. Obvious opportunities to rationalize costs aren’t surfaced (e.g. failing to make use of existing volume licensing agreements). Skills needed to properly operate cloud solutions aren’t identified until breakdowns happen. |
Design principles are concise, direct statements that describe how you will design your organization to achieve key objectives and address key challenges.
This is a critically important step for several reasons:
Examples of design principles:
Design principles will often change as the organization’s strategy evolves.
Developing design principles starts with your key objectives. What do we absolutely have to get right to deliver value through cloud services?
Once you have your direction set, work through the points in the star model to establish how you will meet your objectives and deliver value. Each point in the star is an important element in your design – taken together, it paints a holistic picture of your future-state organization.
The changes you choose to implement that affect capabilities, structure, processes, rewards, and people should be self-reinforcing. Each point in the star is connected to, and should support, the other points.
“There is no one-size-fits-all organization design that all companies – regardless of their particular strategy needs – should subscribe to.”
– Jay Galbraith, “The Star Model”
Track your findings in the table on the next slide.
| Input | Output |
|
|
| Materials | Participants |
|
|
What is our key objective? |
|
What capabilities or technologies do we need to adopt or leverage differently? |
|
How must our structure change? How will power shift in the new structure? |
|
Will our new structure require changes to processes or information sharing? |
|
How must we change how we motivate or reward employees? |
|
What new skills or knowledge is required, and how will we acquire it? |
|
Participants
Cloud Operations Design Working Group
Outcomes
Shared understanding of the horizon of work possibilities:
Consider the different approaches on the following slides, how they change operational work, and decide which approaches are the right fit for you.
| “DevOps is a set of practices, tools, and a cultural philosophy that automates and integrates the processes between software development and IT teams. It emphasizes team empowerment, cross-team communication and collaboration, and technology automation.” – Atlassian, “DevOps” “ITIL 4 brings ITIL up to date by…embracing new ways of working, such as Lean, Agile, and DevOps.” – ITIL Foundation: ITIL 4 Edition “Over time, left to their own devices, the SRE team should end up with very little operational load and almost entirely engage in development tasks, because the service basically runs and repairs itself.” – Ben Treynor Sloss, “Site Reliability Engineering” |
The more things change, the more they stay the same:
|
Ways to work
Ways to govern and learn
Ways to work | Ways to govern and learn |
1. DevOps 2. Site Reliability Engineering 3. Platform Engineering | 4. Cloud Centre of Excellence 5. Cloud Community of Practice |
What it is NOT | What it IS | Why Use It |
|---|---|---|
| An operational philosophy that seeks to:
|
|
What it is NOT | What it IS | Why Use It |
|---|---|---|
|
|
|
What it is NOT | What it IS | Why Use It |
|---|---|---|
|
|
|
What it is NOT | What it IS | Why Use It |
|---|---|---|
|
|
|
What it is NOT | What it IS | Why Use It |
|---|---|---|
|
|
|
Patterns are . . . | Ways of Working
|
Patterns are also . . . | Ways to Govern and Learn
|
Ways of Working | |
|---|---|
DevOps | Development teams take on operational work to support the services they create after they are launched to production. Some DevOps teams may be aligned around a particular function or product rather than a technology – there are individuals with skills on a number of technologies that are part of the same team. |
Site Reliability Engineering (SRE) | In the beginning, you can start to adopt SRE practices within existing teams. As demand grows for SRE skills and services, you may decide to create focused SRE roles or teams. SRE teams may work across applications or be aligned to just infrastructure services or a particular application, or they may focus on tools that help developers manage reliability. SREs may also be embedded long-term with other teams or take on an internal consulting roles with multiple teams.1 |
Platform Engineering | Platform engineering will often, though not always, be the responsibility of a dedicated team. This team must work very closely with, and tuned into the needs of, its internal customers. There is a constant need to find ways to add value that aren’t already part and parcel of the platform – or its external roadmap. This team will take on responsibility for the platform, in terms of feature development, automation, availability and reliability, security, and more. They may also be internal consultants or advisors on the platform to developers. |
Ways to Govern and Learn | |
|---|---|
Cloud Center of Excellence |
|
Cloud Community of Practice |
|
| Least Adoption | Greatest Adoption |
Initial Adoption | Early Centralization | Scaling Up | Full Steam Ahead |
|
|
|
|
1 hour
Consider if, and how, the approaches to management and governance you’ve just reviewed can offer value to your organization.
Why it’s for us (drivers) | Risks or challenges to adoption | Next steps to build/adopt it | |
|---|---|---|---|
CCoE | |||
DevOps | |||
| Input | Output |
|
|
| Materials | Participants |
|
|
“At first, for many people, the cloud seems vast. But what you actually do is carve out space.”
Before you can identify roles and responsibilities, you have to confirm what work you do as an organization and how that work enables you to meet your goals.
Defining work can be a lot of … work! We recommend you start by identifying work for the workstream you do most – Build, Consume, or Host – to focus your efforts. You can repeat the exercise as needed.
The five Well-Architected Framework pillars. These are principles/directions/guideposts that should inform all cloud work.
The work being done to achieve the workstream target. These are roughly aligned with the three streams on the right.
Workstream Target: A concise statement of the value you aim to achieve through this workstream. All work should help deliver value (directly or indirectly).
Whiteboard Activity
20 minutes
Over the next few exercises, you’ll do a deep dive into the work you do in one specific workstream. In this exercise, we’ll decide on a workstream to focus on first.
| Input | Output |
|
|
| Materials | Participants |
|
|
Whiteboard Activity
30 minutes
In this activity, come up with a short sentence to describe what all this work you do is building toward. The target statement helps align participants on why work is being done and helps focus the activity on work that is most important to achieving the target statement.
Start with this common workstream target statement:
“Deliver valuable, secure, available, reliable, and efficient cloud services.”
Now, review and adjust the target statement by working through the questions below:
| Input | Output |
|
|
| Materials | Participants |
|
|
1-2 hours
Activity instructions continue on the next slide.
Some notes to the facilitator:
| Input | Output |
|
|
| Materials | Participants |
|
|
4. Work together to identify work, documenting one work item per box. This should focus on future state, so record work whether it’s actually done today or not. Your space is limited on the sheet, so focus on work that is indispensable to delivering the value statement. Use the lists on the right as a reminder of key IT practice areas.
5. As much as possible, align the work items to the appropriate row (Govern & Align, Design & Execute, or Validate, Support & Monitor). You can overlap boxes between rows if needed.
ITIL practices, such as:
Security-aligned practices, such as:
Financial practices, such as:
| Data-aligned practices, such as:
Technology-specific tasks, such as:
Other key practices:
|
Cloud work is not just applications that have been approved by IT. Consider how unsanctioned software purchased by the business will be integrated and managed.
6. If you have decided to adopt any of the new ways of working outlined in Step 1.2 (e.g. DevOps, SRE, etc.) review the next slide for examples of the type of work that frequently needs to be done in each of those work models. Add any additional work items as needed.
7. Consolidate boxes and clean up the diagram (e.g. remove duplicate work items, align boxes, clarify language).
8. Do a final review. Is all the work in the diagram truly aligned with the value statement? Is the work identified aligned with the design principles from Step 1.1?
If you used a whiteboard for this exercise, transcribe the output to a copy of the Cloud Operations Design Sketchbook, and repeat the exercise for other key workstreams. You will use this diagram in Phase 2.
Examples of work in the "Consume" workstream:
Phase 1 | Phase 2 |
|---|---|
1.1 Establish operating model design principals by identifying goals & challenges, workstreams, and cloud maturity 1.2 Evaluate new ways of working 1.3 Identify cloud work | 2.1 Draft an operating model 2.2 Communicate proposed changes |
Draft your cloud operations diagram, identify key messages and impacts to communicate to your stakeholders, and build out the Cloud Operations Organizing Framework communication deck.
“No-one ever solved a problem by restructuring.”
Create a visual to help you abstract, analyze, and clarify your vision for the future state of your organization in order to align and instruct stakeholders.
Create a visual, high-level view of your organization to help you answer questions such as:
Specialization & Focus: A group or work unit developing a focused concentration of skills, expertise, and activities aligned with an area of focus (such as the ones at right).
Decentralization: Operational teams that report to a decentralized IT or business function, either directly or via a “dotted line” relationship.
Decentralization and Specialization can:
Examples: Areas of Focus | Business unit |
| |
Region | |
| |
Service | |
| |
Technology | |
| |
Operational process focus | |
|
“The concept of organization design is simple in theory but highly complex in practice. Like any strategic decision, it involves making multiple trade-offs before choosing what is best suited to a business context.”
– Nitin Razdan & Arvind Pandit
Why don’t we just use teams, groups, squads, or departments, or some other more common term for groups of people working together?
That’s not the goal of this exercise. If the conversation gets stuck on what you do today, it can get in the way of thinking about what you need to do in the future.
1-3 hours
Activity instructions continue on the next slide.
| Input | Output |
|
|
| Materials | Participants |
|
|
1-3 hours
4. As a group, move the work boxes from the workstream diagram into the appropriate work area.
5. Use the space between work areas to describe how work areas must interact to achieve organizational goals. For example:
1 -2 hours
This exercise can be done by one person, then reviewed with the working group at a later time.
This current state diagram helps clarify the changes that may need to happen to get to your future state.
| Input | Output |
|
|
| Materials | Participants |
|
|
Biases | What’s the risk? | Mitigation strategies |
|---|---|---|
Is the team making mistakes due to self-interest, love of a single idea, or groupthink? | Important information may be ignored or left unspoken. | Rigorously check for the other biases, below. Tactfully seek dissenting opinions. |
Do recommendations use unreasonable analogies to other successes or failures? | Opportunities or challenges in the current situation may not be sufficiently understood. | Ask for other examples, and check whether the analogies are still valid. |
Is the team blinkered by the weight of past decisions? | Doubling-down on bad decisions (sunk costs) or ignoring new opportunities. | Ask yourself what you'd do if you were new to the position or organization. |
Does the data support the recommendations? | Data used to make the case isn't a good fit for the challenge, is based on faulty assumptions, or is incomplete. | If you had a year to make the decision, what data would you want? How much can you get? |
Are there realistic alternative recommendations? | Alternatives don't exist or are "strawman" options. | Ask for additional options. |
Is the recommendation too risk averse or cautious? | Recommendations that may be too risky are ignored, leading to missed opportunities. | Review options to accept, transfer, distribute, or mitigate the risk of the decision. |
Framework above adapted from Kahneman, Lovallo, and Sibony (2011)
Thinking of ways you could measure success can help uncover what success actually means to you.
Work collectively to generate success indicators for each key cloud initiative. Success indicators are metrics, with targets, aligned to goals, and if you are able to measure them accurately, they should help you report your progress toward your objectives.
For example, if your driver is “faster access to resources” you might consider indicators like developer satisfaction, project completion time, average time to provision, etc.
There are several reasons you may not publicize these metrics. They may be difficult to calculate or misconstrued as targets, warping behavior in unexpected ways. But managed properly, they have value in measuring operational success!
Examples: Operations redesign project metrics | |
Key stakeholder satisfaction scores | |
IT staff engagement scores | |
Support Delivery of New Functionality | Double number of accepted releases per cycle |
80% of key cloud initiatives completed on time, on budget, and in scope | |
Improve Operational Effectiveness | <1% of servers have more than two major versions out of date |
No more than one capacity-related incident per Q | |
Whiteboard Activity
45 minutes
| Input | Output |
|
|
| Materials | Participants |
|
|
45 minutes
| Input | Output |
|
|
| Materials | Participants |
|
|
Download the Roadmap Tool
“Words, words, words.”
Decision makers: Who do you ultimately need to convince to proceed with any changes you’ve outlined?
Peers: How will managers of other areas be affected by the changes you’re proposing? If you are you suggesting changes to the way that they, or their teams, do their work, you will have to present a compelling case that there’s value in it for them.
Staff: Are you dictating changes or looking for feedback on the path forward?
Be relevant
| Be clear
| Be consistent
| Be concise
|
“We tend to use a lot of jargon in our discussions, and that is a sure fire way to turn people away. We realized the message wasn’t getting out because the audience wasn’t speaking the same language. You have to take it down to the next level and help them understand where the needs are.”
– Jeremy Clement, Director of Finance, College of Charleston
1 hour
Fill out the table below.
Stakeholder group: Identify key stakeholders who may be impacted by changes to the operations team. This might include IT leadership, management, and staff.
Benefits: What’s in it for them?
Impact: What are we asking in return?
How: What mechanisms or channels will you use to communicate?
When: When (and how often) will you get the message out?
Benefits | Impact | How | When | |
|---|---|---|---|---|
IT Mgrs. |
|
|
|
|
Ops Staff |
|
|
|
|
| Input | Output |
|
|
| Materials | Participants |
|
|
Download the Communication Plan Template
Identify skills requirements and gaps as early as possible to avoid skills gaps later. Whether you plan to acquire skills via training or cross-training, hiring, contracting, or outsourcing, effectively building skills takes time. Use Info-Tech’s methodology to address skills gaps in a prioritized and rational way.
Role changes will result in job description changes. |
|
|---|---|
You anticipate changes to the reporting structure. |
|
You anticipate redundancies. |
|
You anticipate new positions. |
|
Training and development budget is required. |
|
Define your cloud vision before it defines you. |
Drive consensus by outlining how your organization will use the cloud. |
Map Technical Skills for a Changing Infrastructure & Operations Organization Be practical and proactive – identify needed technical skills for your future-state environment and the most efficient way to acquire them. |
“2021 GitLab DevSecOps Survey.” Gitlab, 2021.
“2022 State of the Cloud Report.” Flexera, 2022.
“DevOps.” Atlassian, ND. Web. 21 July 2022.
Atwood, Jeff. “The 2030 Self-Driving Car Bet.” Coding Horror, 4 Mar 2022. Web. 5 Aug 2022.
Campbell, Andrew. “What is an operating model?” Operational Excellence Society, 12 May 2016. Web. 13 July 2022.
“DevOps.” Atlassian, ND. Web. 21 July 2022.
Ewenstein, Boris, Wesley Smith, Ashvin Sologar. “Changing change management” McKinsey, 1 July 2015. Web. 8 April 2022.
Franco, Gustavo and Matt Brown. “How SRE teams are organized, and how to get started.” Google Cloud Blog, 26 June 2019. Web. July 13 2022.
“Get started: Build a cloud operations team.” Microsoft, 10 May 2021.
ITIL Foundation: ITIL 4 Edition. Axelos, 2019.
Humble, Jez, Joanne Molesky, and Barry O’Reilly. Lean Enterprise: How High Performance Organizations Innovate at Scale. O’Reilly Media, 2015.
Franco, Gustavo and Matt Brown. “How SRE teams are organized and how to get started.” 26 June 2019. Web. 21 July 2022.
Galbraith, Jay. “The Star Model”. ND. Web. 21 July 2022.
Kahnemanm Daniel, Dan Lovallo, and Olivier Sibony. “Before you make that big decision.” Harv Bus Rev. 2011 Jun; 89(6): 50-60, 137. PMID: 21714386.
Kesler, Greg. “Star Model of Organizational Design.” YouTube, 1 Oct 2018. Web Video. 21 Jul 2022.
Lakhani, Usman. “Site Reliability Engineering: What Is It? Why Is It Important for Online Businesses?” Info-Tech. Web. 25 May 2020.
Mansour, Sherif. “Product Management: The role and best practices for beginners.” Atlassian Agile Coach, n.d.
Murphy, Annie, Jamie Kirwin, Khalid Abdul Razak. “Operating Models: Delivering on strategy and optimizing processes.” EY, 2016.
Shults, Carlos. “What is Platform Engineering? The Concept Behind the Term.” liatrio, 3 Aug 2021. Web. 5 Aug 2022.
Sloss, Benjamin Treynor. Site Reliability Engineering – Part I: Introduction. O’Reilly Media, 2017.
“SRE vs. Platform Engineering.” Ambassador Labs, 8 Feb 2021.
“The Qualities of Leadership: Leading Change.” Cornelius & Associates, n.d. Web.
“Understand cloud operating models.” Microsoft, 02 Sept. 2022.
Velichko, Ivan. “DevOps, SRE, and Platform Engineering.” 15 Mar 2022.
Nenad Begovic Executive Director, Head of IT Operations MUFG Investor Services |
Desmond Durham Manager, ICT Planning & Infrastructure Trinidad & Tobago Unit Trust Corporation |
Virginia Roberts Director, Enterprise IT Denver Water |
Denis Sharp IT/LEAN Consultant |
Three anonymous contributors |
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Identify different responsibilities/functions in your organization and determine which ones can be outsourced. Complete a cost analysis.
Identify a list of features for your third-party provider and analyze.
Understand how to align third-party providers to your organization.
Keep in mind that backups are for recovery while archives are for discovery. Backups and archives are often confused but understanding the differences can result in significant savings of time and money. Backing up and archiving may be considered IT tasks, but recovery and discovery are capabilities the business wants and is willing to pay for.
Archives and backups are not the same, and there is a use case for each. Sometimes minor adjustments may be required to make the use case work. Understanding the basics of backups and archives can lead to significant savings at a monetary and effort level.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
What is the difference between a backup and a data archive? When should I use one over the other? They are not the same and confusing the two concepts could be expensive.
Backups and archives are two very different operations that are quite often confused or misplaced. IT and business leaders are tasked with protecting corporate data from a variety of threats. They also must conform to industry, geographical, and legal compliance regulations. Backup solutions keep the data safe from destruction. If you have a backup, why do you also need an archive? Archive solutions hold data for a long period of time and can be searched. If you have an archive, why do you also need a backup solution? Backups and archives used to be the same. Remember when you would keep the DAT tape in the same room as the argon gas fire suppression system for seven years? Now that's just not feasible. Some situations require a creative approach or a combination of backups and archives.
Understand the difference between archives and backups and you will understand why the two solutions are necessary and beneficial to the business.
P.J. Ryan
Research Director, Infrastructure & Operations
Info-Tech Research Group
Your Challenge
|
Common Obstacles
|
Info-Tech’s Approach
|
Keep in mind that backups are for recovery while archives are for discovery. Backups and archives are often confused but understanding the differences can result in significant savings of time and money. Backing up and archiving may be considered IT tasks but recovery and discovery are capabilities the business wants and is willing to pay for.
| What it IS
A data archive is an alternate location for your older, infrequently accessed production data. It is indexed and searchable based on keywords. Archives are deleted after a specified period based on your retention policy or compliance directives. |
What it IS NOT
Archives are not an emergency copy of your production data. They are not any type of copy of your production data. Archives will not help you if you lose your data or accidentally delete a file. Archives are not multiple copies of production data from various recovery points. |
Why use it
Archives move older data to an alternate location. This frees up storage space for your current data. Archives are indexed and can be searched for historical purposes, compliance reasons, or in the event of a legal matter where specific data must be provided to a legal team. |
| What it IS
A backup is a copy of your data from a specific day and time. It is primarily used for recovery or restoration if something happens to the production copy of data. The restore will return the file or folder to the state it was in at the time of the backup. Backups occur frequently to ensure the most recent version of data is copied to a safe location. A typical backup plan makes a copy of the data every day, once a week, and once a month. The data is stored on tapes, disk, or using cloud storage. |
What it IS NOT
Backups are not designed for searching or discovery. If you backup your email and must go to that backup in search of all email pertaining to a specific topic, you must restore the full backup and then search for that specific topic or sender. If you kept all the monthly backups for seven years, that will mean repeating that process 84 times to have a conclusive search, assuming you have adequate storage space to restore the email database 84 times. Backups do not free up space. |
Why use it
Backups protect your data in the event of disaster, deletion, or accidental damage. A good backup strategy will include multiple backups on different media and offsite storage of at least one copy. |
A leading manufacturing company found themselves in a position where they had to decide between archiving or doing nothing.
The company had completed several acquisitions and ended up with multiple legacy applications that had been merged or migrated into replacement solutions. These legacy applications were very important to the original companies and although the data they held had been migrated to a replacement solution, executives felt they should hold onto these applications for a period of time, just in case.
Some of the larger applications were archived using a modern archiving solution, but when it came to the smaller applications, the cost to add them to the archiving solution greatly exceeded the cost to just keep them running and maintain the associated infrastructure.
A research advisor from Info-Tech Research Group joined a call with the manufacturing company and discussed their situation. The difference between archives and backups was explained and through the course of the conversation it was discovered that the solution was a modified backup. The application data had already been preserved through the migration, so data could be accessed in the production environment. The requirement to keep the legacy application up and running was not necessary but in compliance with the request to keep the information, the data could be exported from the legacy application into a non-sequential database, compressed, and stored in cloud-based cold storage for less than five dollars per terabyte per month. The manufacturing company’s staff realized that they could apply this same approach to several of their legacy applications and save tens of thousands of dollars in the process.
Backups |
Backups are for recovery. A backup is a snapshot copy of production data at a specific point in time. If the production data is lost, destroyed, or somehow compromised, the data can be restored from the backup. |
Archives |
Archives are for discovery. It is production data that is moved to an alternate location to free up storage space, allow the data to be searchable, and still hold onto the data for historical or compliance purposes. |
Archives and backups are not the same, and there is a use case for each. Sometimes minor adjustments may be required to make the use case work. Understanding the basics of backups and archives can lead to significant savings at a monetary and effort level.
| Production data should be backed up.
The specific backup solution is up to the business. |
Production data that is not frequently accessed should be archived.
The specific solution to perform and manage the archiving of the data is up to the business
|
If the app has been replaced and all data transferred, you want a backup not an archive if you want to keep the data.
|
A court case in the United States District Court for the District of Nevada involving Guardiola and Renown Health in 2015 is a good example of why using a backup solution to solve an archiving challenge is a bad idea.
Renown Health used a retention policy that declared any email older than six months of age as inactive and moved that email to a backup tape. Renown Health was ordered by the court to produce emails from a period of time in the past. Renown estimated that it would cost at least $248,000 to produce those emails, based on the effort involved to restore data from each tape and search for the email in question. Renown Health argued that this long and expensive process would result in undue costs.
The court reviewed the situation and ruled against Renown Health and ordered them to comply with the request (Zasio.com).
A proper archiving solution would have provided a quick and low-cost method to retrieve the emails in question.
Backups copy your data. Archives move your data. Backups facilitate recovery. Archives facilitate discovery.
| Archive | Backup | |
| Definition | Move rarely accessed (but still production) data to separate media. | Store a copy of frequently used data on a separate media to ensure timely operational recovery. |
| Use Case | Legal discovery, primary storage reduction, compliance requirements, and audits. | Accidental deletion and/or corruption of data, hardware/software failures. |
| Method | Disk, cloud storage, appliance. | Disk, backup appliance, snapshots, cloud. |
| Data | Older, rarely accessed production data. | Current production data. |
Is it a backup or archive?
1Backup or archive? |
2What are you protecting? |
3Why are you protecting data? |
4Solution |
Backup Backup and/or archive.
Archive |
Device Data Application Operational Environment |
Operational recovery Disaster recovery Just in case Production storage space reduction Retention and preservation Governance, risk & compliance |
Backup Archive |
 |
Establish an Effective Data Protection Plan
Give data the attention it deserves by building a strategy that goes beyond backup. |
 |
Modernize Enterprise Storage
Current and emerging storage technologies are disrupting the status quo – prepare your infrastructure for the exponential rise in data and its storage requirements. |
 |
|
 |
Data Archiving Policy |
“Backup vs. archiving: Know the difference.” Open-E. Accessed 05 Mar 2022.Web.
G, Denis. “How to build retention policy.” MSP360, Jan 3, 2020. Accessed 10 Mar 2022.
Ipsen, Adam. “Archive vs Backup: What’s the Difference? A Definition Guide.” BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.
Kang, Soo. “Mitigating the expense of E-discovery; Recognizing the difference between back-ups and archived data.” Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.
Mayer, Alex. “The 3-2-1 Backup Rule – An Efficient Data Protection Strategy.” Naviko. Accessed 12 Mar 2022.
“What is Data-Archiving?” Proofpoint. Accessed 07 Mar 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Learn best practices for creating, maintaining, publishing, and managing effective SOP documentation.
Identify required documentation and prioritize them according to urgency and impact.
Review the wide variety of samples to see what works best for your needs.
"Most organizations struggle to document and maintain SOPs as required, leading to process inconsistencies and inefficiencies. These breakdowns directly impact the performance of IT operations. Effective SOPs streamline training and knowledge transfer, improve transparency and compliance, enable automation, and ultimately decrease costs as processes improve and expensive breakdowns are avoided. Documenting SOPs is not just good practice; it directly impacts IT efficiency and your bottom line."
Frank Trovato, Senior Manager, Infrastructure Research Info-Tech Research Group
This Research Is Designed For:
This Research Will Help You:
This Research Will Also Assist:
This Research Will Help Them:
Situation
Complication
Resolution
Info-Tech Insight
'It isn’t unusual for us to see infrastructure or operations documentation that is wildly out of date. We’re talking months, even years. Often it was produced as one big effort and then not reliably maintained.'
– Gary Patterson, Consultant, Quorum Resources
Organizations are most likely to update documents on an ad hoc basis or via periodic formal reviews. Less than 25% keep SOPs updated as needed.
Source: Info-Tech Research Group; N=104
| Benefits of documented SOPs | Impact of undocumented/undefined SOPs |
|---|---|
| Improved training and knowledge transfer: Routine tasks can be delegated to junior staff (freeing senior staff to work on higher priority tasks). | Without documented SOPs: Tasks will be difficult to delegate, key staff become a bottleneck, knowledge transfer is inconsistent, and there is a longer onboarding process for new staff. |
| IT automation, process optimization, and consistent operations: Defining, documenting, and then optimizing processes enables IT automation to be built on sound processes, so consistent positive results can be achieved. | Without documented SOPs: IT automation built on poorly defined, unoptimized processes leads to inconsistent results. |
| Compliance: Compliance audits are more manageable because the documentation is already in place. | Without documented SOPs: Documenting SOPs to prepare for an audit becomes a major time-intensive project. |
| Transparency: Visually documented processes answer the common business question of “why does that take so long?” | Without documented SOPs: Other areas of the organization may not understand how IT operates, which can lead to confusion and unrealistic expectations. |
| Cost savings: Work can be assigned to the lowest level of support cost, IT operations achieve greater efficiency, and expensive breakdowns are avoided. | Without documented SOPs: Work may be distributed uneconomically, money may be wasted through inefficient processes, and the organization is vulnerable to costly disruptions. |
"Being ITIL and ISO compliant hasn’t solved our documentation problem. We’re still struggling."
– Vendor Relationship Manager, Financial Services Industry
Situation
Incident
Impact
| Hard dollar recovery costs | |
|---|---|
| Backup specialist (vendor) to assist with restoring data from tape | $12,000 |
| Temps to re-enter 1 month of data | $5,000 |
| Weekend OT for 4 people (approximately 24 hours per person) | $5,538 |
| Productivity cost for affected employees for 1 day of downtime | $76,923 |
| Total | $99,462 |
Intangible costs
High “goodwill” impact for internal staff and customers.
"The data loss pointed out a glaring hole in our processes – the lack of an escalation procedure. If I knew backups weren’t being completed, I would have done something about that immediately."
– Senior Division Manager, Information Technology Division
Lean and SOPs
Atrion’s approach
Outcomes
When we initiated a formal process efficiency program a little over a year ago and began striving towards a culture of continuous improvement, documenting our SOPs became key. We capture how we do things today and how to make that process more efficient. We call it current state and future state mapping of any process.
– Michelle Pope, COO, Atrion Networking Corp.
| Common documentation challenges | Info-Tech’s methodology |
|---|---|
| Where to start. For organizations with very few (if any) documented SOPs, the challenge is where to start. | Apply a client focus to prioritize SOPs. Start with mission-critical operations, service management, and disaster recovery. |
| Lack of time. Writing SOPs is viewed as an onerous task, and IT staff typically do not like to write documentation or lack the time. | Use flowcharts, checklists, and diagrams over traditional dense manuals. Flowcharts, checklists, and diagrams take less time to create and maintain, and the output is far more usable than traditional manuals. |
| Inconsistent document management. Documents are unorganized, e.g. hard to find documents, or you don’t know if you have the correct, latest version. | Keep it simple. You don’t need a full-time SOP librarian if you stick to a simple, but consistent approach to documentation management. Simple is easier to follow (therefore, be consistent). |
| Documentation is not maintained. More urgent tasks displace documentation efforts. There is little real motivation for staff to keep documents current. | Ensure accountability at the individual and project level. Incorporate documentation requirements into performance evaluations, project planning, and change control procedures. |
Understand business requirements, clarify capabilities, and close gaps.
Improve reporting and management of incidents and build service request workflows.
Define appropriate objectives for DR, build a roadmap to close gaps, and document your incident response plan.
Position IT as an innovator.
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| 1. Prioritize, optimize, and document critical SOPs | 2. Establish a sustainable documentation process | 3. Identify a content management solution | |
| Best-Practice Toolkit |
1.1 Identify and prioritize undocumented/outdated critical processes 1.2 Reduce effort and improve usability with visual documentation 1.3 Optimize and document critical processes |
2.1 Establish guidelines for identifying and organizing SOPs 2.2 Write an SOP for creating and maintaining SOPs 2.3 Plan SOP working sessions to put a dent into your documentation backlog |
3.1 Understand the options when it comes to content management solutions 3.2 Use Info-Tech’s evaluation tool to determine the right approach for you |
| Guided Implementations |
|
|
|
| Onsite Workshop | Module 1:
Identify undocumented critical processes and review the SOP mapping process. |
Module 2:
Review and improve your documentation process and address your documentation backlog. |
Module 3:
Evaluate strategies for publishing and managing SOP documentation. |
Phase 1 Outcome:
|
Phase 2 Outcome:
|
Phase 3 Outcome:
|
| Workshop Prep | Workshop Day 1 | Workshop Day 2 | Workshop Day 3 | Workshop Day 4 | |
|---|---|---|---|---|---|
| Activities | Scope the SOP pilot and secure resources
|
Prioritize SOPs and review methodology
1.1 Prioritize undocumented SOPs. 1.2 Review the visual approach to SOP planning. 1.3 Conduct a tabletop planning exercise. |
Review SOPs and identify process gaps
2.1 Continue the tabletop planning exercise with other critical processes. 2.2 Conduct a gap analysis to identify solutions to issues discovered during SOP mapping. |
Identify projects to meet process gaps
3.1 Develop a prioritized project roadmap to address gaps. 3.2 Define a process for documenting and maintaining SOPs. 3.3 Identify and assign actions to improve SOP management and maintenance. |
Set next steps and put a dent in your backlog
4.1 Run an SOP working session with experts and process owners to put a dent in the documentation backlog. 4.2 Identify an appropriate content management solution. |
| Deliverables |
|
|
|
|
|
| GI | Measured Value |
|---|---|
| Phase 1: Prioritize, optimize, and document critical SOPs |
|
| Phase 2: Establish a sustainable documentation process |
|
| Phase 3: Identify a content management solution |
|
| Total Savings | $14,720 |
Note: Documenting SOPs provides additional benefits that are more difficult to quantify: reducing the time spent by staff to find or execute processes, improving transparency and accountability, presenting opportunities for automation, etc.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Start with an analyst kick off call:
Then complete these activities…
With this template:
Standard Operating Procedures Workbook
Review findings with analyst:
Then complete these activities…
With these templates:
Finalize phase deliverable:
Then complete these activities…
With this tool:
SOP Project Roadmap Tool
Identify opportunities to deploy visual documentation, and follow Info-Tech’s process to capture steps, gaps, and opportunities to improve IT processes.
| Topic | Description |
|---|---|
| Mission-critical operations |
|
| Service management |
|
| Disaster recovery procedures |
|
| Criteria | Description |
|---|---|
| Is there a hard-dollar impact from downtime? |
|
| Impact on goodwill/customer trust? |
|
| Is regulatory compliance a factor? |
|
| Is there a health or safety risk? |
|
"Email and other Windows-based applications are important for our day-to-day operations, but they aren’t critical. We can still manufacture and ship clothing without them. However, our manufacturing systems, those are absolutely critical"
– Bob James, Technical Architect, Carhartt, Inc.
1.1a
15 minutes
Define criteria for high, medium, and low risks and benefits, as shown in the example below. These criteria will be used in the upcoming exercises to rank SOPs.
Note: The goal in this section is to provide high-level indicators of which SOPs should be documented first, so a high-level set of criteria is used. To conduct a detailed business impact analysis, see Info-Tech’s Create a Right-Sized Disaster Recovery Plan.
Materials
Participants
| Risk to the business | Score |
|---|---|
| Low: Affects ad hoc activities or non-critical data. | 1 |
| Moderate: Impacts productivity and internal goodwill. | 2 |
| High: Impacts revenue, safety, and external goodwill. | 3 |
| Benefit (e.g. productivity improvement) | Score |
|---|---|
| Low: Minimal impact. | 1 |
| Moderate: Items with short-term or occasional applicability, so limited benefit. | 2 |
| High: Save time for common or ongoing processes, and extensive improvement to training/knowledge transfer. | 3 |
1.1b
15 minutes
OUTPUT
Materials
Participants
| Application | SOPs | Status | Risk | Benefit |
|---|---|---|---|---|
| Enterprise Resource Planning (ERP) |
|
Red | 1 | 2 |
|
Red | 2 | 2 | |
|
Green | n/a | n/a | |
| Network services |
|
Yellow | 3 | 2 |
|
Red | 2 | 1 | |
|
Yellow | 3 | 1 |
1.1c
15 minutes
OUTPUT
Materials
Participants
| Service Type | SOPs | Status | Risk | Benefit |
|---|---|---|---|---|
| Service Request |
|
Red | 3 | 1 |
|
Yellow | 3 | 1 | |
|
Green | n/a | n/a | |
| Incident Management |
|
Yellow | 3 | 2 |
|
Red | 2 | 1 | |
|
Yellow | 3 | 1 |
1.1d
20 minutes
OUTPUT
Materials
Participants
| DR Phase | SOPs | Status | Risk | Benefit |
|---|---|---|---|---|
| Discovery and Declaration |
|
Red | 3 | 1 |
|
Yellow | 3 | 1 | |
|
Green | n/a | n/a | |
| Recover Gold Systems |
|
Red | 2 | 2 |
|
Yellow | 3 | 2 | |
| Recover Silver Systems |
|
Red | 2 | 1 |
1.1e
20 minutes
INPUT
OUTPUT
Materials
Participants
| Category | Area | SOPs | Status | Risk | Benefit |
|---|---|---|---|---|---|
| Disaster Recovery Procedures | Discovery and Declaration |
| Red | 3 | 1 |
| Yellow | 3 | 1 | ||
| Mission-Critical Operations | Network Services |
| Yellow | 3 | 2 |
| Service Management Procedures | Incident Management |
| Yellow | 3 | 2 |
"The end result for most SOPs is a 100-page document that makes anyone but the author want to stab themselves rather than read it. Even worse is when you finally decide to waste an hour of your life reading it only to be told afterwards that it might not be quite right because Bob or Stan needed to make some changes last year but never got around to it."
– Peter Church, Solutions Architect
"Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow."
– Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management
SOPs, including those that support your disaster recovery plan (DRP), are often created to meet certification requirements. However, this often leads to lengthy overly detailed documentation that is geared to auditors and business leaders, not IT staff trying to execute a procedure in a high-pressure, time-sensitive scenario.
Staff don’t have time to flip through a 300-page manual, let alone read lengthy instructions, so organizations are transforming monster manuals into shorter, visual-based documentation. Benefits include:
Example: DRPs that include visual SOPs are easier to use — that leads to shorter recovery times and fewer mistakes.
See Info-Tech’s Incident and Service Management Procedures – Service Desk Example.
"Flowcharts are more effective when you have to explain status and next steps to upper management."
– Assistant Director-IT Operations, Healthcare Industry
Example: SOP in flowchart format
Many organizations look for an option that easily integrates with the MS Office suite. The default option is often Microsoft Visio.
Pros:
Cons:
Consider the options below if you’re looking for an alternative to Microsoft Visio:
Desktop Solutions
Note: No preference or recommendation is implied from the ordering of the options above.
This list is not intended to be comprehensive.
| Criteria | Description |
|---|---|
| Platform | What platform(s) can run the software? |
| Description | What use cases are identified by the vendor – and do these cover your needs for documenting your SOPs? Is the software open source? |
| Features | What are the noteworthy features and characteristics? |
| Usability | How easy is the program to use? What’s the learning curve like? How intuitive is the design? |
| Templates and Stencils | Availability of templates and stencils. |
| Portability | Can the solution integrate with other pieces of software? Consider whether other tools can view, open, and/or edit documents; what file formats can be published, etc. |
| Cost | Cost of the software to purchase or license. |
For two different examples of a checklist template, see:
"Our network engineers came to me and said our standard SOP template didn't work for them. They're now using a lot of diagrams and flowcharts, and that has worked out better for them."
"When contractors come onboard, they usually don't have a lot of time to learn about the organization, and we have a lot of unique requirements. Creating SOP documents with screenshots has made the process quicker and more accurate."
– Susan Bellamore, Business Analyst, Public Guardian and Trustee of British Columbia
Review Info-Tech’s Incident Response and Recovery Process Flows – DRP Example.
Example: DRP flowchart with links to supporting documents
Start, End, and Connector. Traditional flowcharting standards reserve this shape for connectors to other flowcharts or other points in the existing flowchart. Unified Modeling Language (UML) also uses the circle for start and end points.
Start, End. Traditional flowcharting standards use this for start and end. However, Info-Tech recommends using the circle shape to reduce the number of shapes and avoid confusion with other similar shapes.
Process Step. Individual process steps or activities (e.g. create ticket or escalate ticket). If it’s a series of steps, then use the sub-process symbol and flowchart the sub-process separately.
Sub-Process. A series of steps. For example, a critical incident SOP might reference a recovery process as one of the possible actions. Marking it as a sub-process, rather than listing each step within the critical incident SOP, streamlines the flowchart and avoids overlap with other flowcharts (e.g. the recovery process).
Decision. Represents decision points, typically with Yes/No branches, but you could have other branches depending on the question (e.g. a “Priority?” question could branch into separate streams for Priority 1, 2, 3, 4, and 5 issues).
Document/Report Output. For example, the output from a backup process might include an error log.
1.3a
20 minutes
OUTPUT
Materials
Participants
Info-Tech Insight
Don’t get weighed down by tools. Relying on software or other technological tools can detract from the exercise. Use simple tools such as cue cards to record steps so that you can easily rearrange steps or insert steps based on input from the group.
1.3b
20 minutes
Review the tabletop exercise. What gaps exist in current processes?
How can the process be made better? What are the outputs and checkpoints?
OUTPUT
Materials
Participants
A note on colors: Use white cards to record steps. Record gaps on yellow cards (e.g. a process step not documented) and risks on red cards (e.g. only one person knows how to execute a step) to highlight your gaps/to-dos and risks to be mitigated or accepted.
If it’s necessary to clarify complex process flows during the exercise, also use green cards for decision diamonds, purple for document/report outputs, and blue for sub-processes.
1.3
| Industry | Government (700+ FTEs) |
| Source | Info-Tech Workshop |
1.3c
20 minutes
OUTPUT
Materials
Participants
As a reminder, the steps are:
Info-Tech Insight
If you plan to document more than two or three SOPs at once, consider making it an SOP “party” to add momentum and levity to an otherwise dry process. Review section 2.3 to find out how.
Get started by prioritizing SOPs
Ensure the SOP project remains business focused, and kick off the project by analyzing critical business services. Identify key IT services that support the relevant business services. Conduct a benefit/risk analysis to prioritize which SOPs should become the focus of the workshop.
Document the SOPs from the tabletop exercise
Leverage a tabletop planning exercise to walk the team through the SOP. During the exercise, focus on identifying timelines, current gaps, and potential risks. Document the steps via que cards first and transpose the hard copies to an electronic version.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion (in weeks): 4 weeks
Start with an analyst call:
Then complete these activities…
With these tools & templates:
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Finalize phase deliverable:
Then complete these activities…
With these tools & templates:
Improve the process for documenting and maintaining your SOPs, while putting a dent in your documentation backlog and gaining buy-in with staff.
What is the current state of your content management practices?
Are you using a content management system? If not, where are documents kept?
Are your organizational or departmental SOPs easy to find?
Is version control a problem? What about file naming standards?
Get everyone on the same page on the current state of your SOP document management system, using the questions above as the starting point.
Whether you store SOPs in a sophisticated content management system (CMS) or on a shared network drive, keep it simple and focus on these primary goals:
Include a document information block on the first page of every document to identify key attributes. This strategy is as much about minimizing resistance as it is ensuring key attributes are captured.
Note: The Info-Tech templates in this blueprint include a copy of the document information block shown in this example. Add more fields if necessary for your organization’s needs.
For an example of a completed document information block, see Network Backup for Atlanta Data Center – Backups Example
Info-Tech Insight
For organizations with more advanced document management requirements, consider more sophisticated strategies (e.g. using metadata) as described in Info-Tech’s Use SharePoint for Enterprise Content Management and Reintroduce the Information Lifecycle to the Content Management Strategy. However, the basic concepts above still apply: establish standard attributes you need to capture and do so in a consistent manner.
2.1a
15 minutes
OUTPUT
Materials
Participants
Use the following filename format to create consistent, searchable, and descriptive filenames:
Topic – Document Title – Document Type – Version Date
| Filename Component | Purpose |
|---|---|
| Topic |
|
| Document Title |
|
| Document Type | Further distinguishes similar files (e.g. Maintenance SOP vs. a Maintenance Checklist). |
| Version Date (for local files or if not using a CMS) |
|
For example:
2.1b
15 minutes
INPUT
OUTPUT
Materials
Participants
Always keep one master version of a document:
Ideally, staff would never keep local copies of files. However, there are times when it is practical or preferable to work from a local copy: for example, when creating or updating an SOP, or when working remotely if the CMS is not easily accessible.
Implement the following policies to govern these circumstances:
Reduce the need for version updates by isolating volatile information in a separate, linked document. For example:
2.1c
15 minutes
OUTPUT
Materials
Participants
See Info-Tech’s Document Management Checklist.
The following best practices were measured in this chart, and will be discussed further in this section:
Info-Tech Insight
Audits for compliance requirements have little impact on getting SOPs done in a timely manner or the actual usefulness of those SOPs, because the focus is on passing the audit instead of creating SOPs that improve operations. The frantic annual push to complete SOPs in time for an audit is also typically a much greater effort than maintaining documents as part of ongoing change management.
When are documentation requirements captured, including required changes to SOPs?
Make documentation requirements a clearly defined deliverable. As with any other task, this should include:
Info-Tech Insight
Realistically, documentation will typically be a far less urgent task than the actual application or system changes. However, if you want the necessary documentation to be ultimately completed, even if it’s done after more urgent tasks, it must be tracked.
How do you currently review and validate SOP documents?
Require a manager or supervisor to review and approve SOPs.
Check documentation status as part of change management.
"Our directors and our CIO have tied SOP work to performance evaluations and SOP status is reviewed during management meetings. People have now found time to get this work done."
– Assistant Director-IT Operations, Healthcare Industry
Industry
Public service organization
Source
Info-Tech client engagement
The bottom line: ensure that there’s one approver per process to drive process efficiency and accountability and avoid problems down the road.
Are SOP updates treated as optional or “when I have time” work?
Hold staff directly accountable for SOP work.
Holding staff accountable is really about emphasizing the importance of ensuring SOPs stay current. If management doesn’t treat SOPs as a priority, then neither will your staff. Strategies include:
Info-Tech Insight
Holding staff accountable does not by itself make a significant impact on SOP quality (and therefore the typical benefits of SOPs), but it minimizes procrastination, so the work is ultimately done in a more timely manner. This ensures SOPs are current and usable, so they can drive benefits such as consistent operations, improved training, and so on.
2.2
| Challenge | Action Items | Action Item Owner |
|---|---|---|
| Documentation requirements are identified at the end of a project. |
|
Bob Ryan |
| SOPs are not reviewed. |
|
Susan Jones |
2.3
| SOP or Task | Action Items | Action Item Owner |
|---|---|---|
| Ticket escalation SOP |
|
Jeff Sutter |
| SOP party |
|
Bob Smith |
Identify current content management practices
As a group, identify current pain points and opportunities for improvement in your current content management practices.
Assign action items to address documentation process challenges
Develop a list of action items to address gaps in the SOP documentation and maintenance process.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion (in weeks): 1 week
Start with an analyst kick off call:
Then complete these activities…
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Choose an approach to content management that will best support your organization’s SOP documentation and maintenance process.
This section reviews the following approaches, their pros and cons, and how they meet publishing and document management requirements:
Source: Info-Tech Research Group; N=118
Note: Percentages total more than 100% due to respondents using more than one portability strategy.
Segment
Mid-market company
Source
Info-Tech Interview
| Role | How myPolicies helps you | |
|---|---|---|
| Policy Sponsors |
|
Reduced Corporate Risk Avoid being issued a regulatory fine or sanction that could jeopardize operations or hurt brand image. |
| Policy Reviewers |
|
A Culture of Compliance Adherence with regulatory requirements as well as documented audit trail of all critical policy activities. |
| Policy Owners |
|
Less Administrative Burden Automation and simplification of policy creation, distribution, and tracking. |
| Policy Users |
|
Policy Clarity Well-written policies are stored in one reliable, easy to navigate location. |
myPolicies is a web-based solution to create, distribute, and manage corporate policies, procedures, and forms, built around best practices identified by our research.
Contact your Account Manager today to find out if myPolicies is right for you.
SOP tools such as Princeton Center’s SOP ExpressTM and SOP Tracks or MasterControl’s SOP Management and eSOP allow organizations to create, manage, and access SOPs. These programs typically offer a range of SOP templates and formats, electronic signatures, version control, and review options and training features such as quizzes and monitoring.
Similarly, DR planning solutions (e.g. eBRP, Recovery Planner, LDRPS, etc.) provide templates, tools, and document management to create DR documentation including SOPs.
For more information on SharePoint as a content management solution, see Info-Tech’s Use SharePoint for Enterprise Content Management.
Most SOP documents start as MS Office documents, even if there is an SOP tool available (some SOP tools actually run within MS Office on the desktop). For organizations that decide to bypass a formal SOP tool, the biggest gap they have to overcome is document management.
Many organizations are turning to SharePoint to meet this need. For those that already have SharePoint in place, it makes sense to further leverage SharePoint for SOP documentation.
For SharePoint to be a practical solution, the documentation must still be accessible if the primary data center is down, e.g. by having redundant SharePoint instance at multiple in-house locations or using a cloud-based SharePoint solution.
As an alternative to SharePoint, SaaS tools such as Power DMS, NetDocuments, Xythos on Demand, Knowledge Tree, Spring CM, and Zoho Docs offer cloud-based document management, authoring, and distribution services that can work well for SOPs. Some of these, such as Power DMS and Spring CM, are geared specifically toward workflows.
Wiki sites are websites where users collaborate to create and edit the content. Wikipedia is an example.
While wiki sites are typically used for collaboration and dynamic content development, the traditional collaborative authoring model can be restricted to provide structure and an approval process.
Several tools are available to create and manage wiki sites (and other collaboration solutions), as outlined in the following research:
An approach that I’ve seen work well is to consult the wiki for any task, activity, job, etc. Is it documented? If not, then document it there and then. Sure, this led to 6-8 weeks of huge effort, but the documentation grew in terms of volume and quality at an alarming but pleasantly surprising rate. Providing an environment to create the documentation is important and a wiki is ideal. Fast, lightweight, in-browser editing leads to little resistance in creating documents.
- Lee Blackwell, Global IT Operation Services Manager, Avid Technology
With this strategy, SOP documents are stored and managed locally on a shared network drive. Only process owners and administrators have read-write permissions on documents on the shared drive.
The administrator grants access and manages security permissions.
Info-Tech Insight
For small organizations, the shared network drive approach can work, but this is ultimately a short-term solution. Move to an online library by creating a wiki site. Start slow by beginning with a particular department or project, then evaluate how well your staff adapt to this technology as well as its potential effectiveness in your organization. Refer to the Info-Tech collaboration strategy research cited on the previous slide for additional guidance.
Traditionally, SOPs were printed and kept somewhere in a large binder (or several large binders). This isn’t adequate to the needs of most organizations and typically results in documents that aren’t up to date or effective.
All organizations have existing document management methodologies, even if it’s simply storing documents on a network drive.
Use Info-Tech’s solution evaluation tool to decide whether your existing solution meets the portability/external access, maintainability/usability, and cost/effort criteria, or whether you need to explore a different option.
Note: This tool was originally built to evaluate DRP publishing options, so the tool name and terminology refers to DR. However, the same tool can be used to evaluate general SOP publishing and document management solutions.
Info-Tech Insight
There is no absolute ranking for possible solutions. The right choice will depend on factors such as current in-house tools, maturity around document management, the size of your IT department, and so on. For example, a small shop may do very well with the USB drive strategy, whereas a multi-national company will need a more formal strategy to ensure consistent application of corporate guidelines.
Decide on a publishing and document management strategy
Review the pros and cons of different strategies for publishing and document management. Identify needs, priorities, and limitations of your environment. Create a shortlist of options that can meet your organization’s needs and priorities.
Complete the solution evaluation tool
Evaluate solutions on the shortlist to identify the strongest option for your organization, based on the criteria of maintainability, affordability, effort to implement, and accessibility/portability.
SOPs may not be exciting, but they’re very important to organizational consistency, efficiency, and improvement.
This blueprint outlined how to:
As part of completing this project, the following deliverables were completed:
Client Project: Create and maintain visual SOP documentation.
Info-Tech Insight
This project has the ability to fit the following formats:
Anderson, Chris. “What is a Standard Operating Procedure (SOP)?” Bizmanualz, Inc. No date. Web. 25 Jan. 2016. https://www.bizmanualz.com/save-time-writing-procedures/what-are-policies-and-procedures-sop.html
Grusenmeyer, David. “Developing Effective Standard Operating Procedures.” Dairy Business Management. 1 Feb. 2003. Web. 25 Jan. 2016. https://ecommons.cornell.edu/handle/1813/36910
Mosaic. “The Value of Standard Operating Procedures.” 22 Oct. 2012. Web. 25 Jan. 2016. ttp://www.mosaicprojects.com.au/WhitePapers/WP1086_Standard_Operating_Procedures.pdf
Sinn, John W. “Lean, Six Sigma, Quality Transformation Toolkit (LSSQTT) Tool #17 Courseware Content – Standard Operating Procedures (SOP) For Lean and Six Sigma: Infrastructure for Understanding Process.” Summer 2006. Web. 25 Jan. 2016. https://www.bgsu.edu/content/dam/BGSU/college-of-technology/documents/LSSQTT/LSSQTT%20Toolkit/toolkit3/LSSQTT-Tool-17.pdf
United States Environmental Protection Agency. “Guidance for Preparing Standard Operating Procedures (SOPs).” April 2007. Web. 25 Jan. 2016. http://www.epa.gov/sites/production/files/2015-06/documents/g6-final.pdf
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Determine your organization’s rationale for cloud adoption and what that means for your security obligations.
Use the Cloud Security CAGI Tool to perform four unique assessments that will be used to identify secure cloud vendors.
Learn how to assess and communicate with cloud vendors with security in mind.
Turn your security requirements into specific tasks and develop your implementation roadmap.
Build the organizational structure of your cloud security governance program.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand the benefits of data valuation.
Learn about the data value chain framework and preview the step-by-step guide to start collecting data sources.
Mature your data valuation by putting in the valuation dimensions and metrics. Establish documented results that can be leveraged to demonstrate value in your data assets.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Explain data valuation approach and value proposition.
A clear understanding and case for data valuation.
1.1 Review common business data sources and how the organization will benefit from data valuation assessment.
1.2 Understand Info-Tech’s data valuation framework.
Organization data valuation priorities
Capture data sources and data collection methods.
A clear understanding of the data value chain.
2.1 Assess data sources and data collection methods.
2.2 Understand key insights and value proposition.
2.3 Capture data value chain.
Data Valuation Tool
Leverage the data valuation framework.
Capture key data valuation dimensions and align with data value chain.
3.1 Introduce data valuation framework.
3.2 Discuss key data valuation dimensions.
3.3 Align data value dimension to data value chain.
Data Valuation Tool
Improve organization’s data value.
Continue to improve data value.
4.1 Capture data valuation metrics.
4.2 Define data valuation for continuous monitoring.
4.3 Create a communication plan.
4.4 Define a plan for continuous improvements.
Data valuation metrics
Data Valuation Communication Plan
CIOs are facing these challenges in 2023:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand the five priorities that will help navigate the opportunities and risks of the year ahead.
In our Tech Trends 2023 report, we called on CIOs to think of themselves as chess grandmasters. To view strategy as playing both sides of the board, simultaneously attacking the opponent's king while defending your own. In our CIO Priorities 2023 report, we'll continue with that metaphor as we reflect on IT's capability to respond to trends.
If the trends report is a study of the board state that CIOs are playing with, the priorities report is about what move they should make next. We must consider all the pieces we have at our disposal and determine which ones we can afford to use to seize on opportunity. Other pieces are best used by staying put to defend their position.
In examining the different capabilities that CIOs will require to succeed in the year ahead, it's apparent that a siloed view of IT isn't going to work. Just like a chess player in a competitive match would never limit themselves to only using their knights or their rooks, a CIO's responsibility is to deploy each of their pieces to win the day. While functional leaders may only see their next move, as head of the organization with a complete view of all the pieces, the CIO has full awareness of the board state.
It's up to them to assess their gaps, consider the present scenario, and then make their next move.
Brian Jackson
Principal Research Director, Research – CIO
Info-Tech Research Group
Info-Tech's Tech Trends 2023 report and State of Hybrid Work in IT: A Trend Report inform the externalities faced by organizations in the year ahead. They imply opportunities and risks that organizations face. Leadership must determine if they will respond and how to do so. CIOs then determine how to support those responses by creating or improving their IT capabilities. The priorities are the initiatives that will deliver the most value across the capabilities that are most in demand. The CIO Priorities 2023 report draws on data from several different Info-Tech surveys and diagnostic benchmarks.
2023 Tech Trends and Priorities Survey; N=813 (partial), n=521 (completed)
Info-Tech's Trends and Priorities 2023 Survey was conducted between August 9 and September 9, 2022. We received 813 total responses with 521 completed surveys. More than 90% of respondents work in IT departments. More than 84% of respondents are at a manager level of seniority or higher.
2023 The State of Hybrid Work in IT Survey; N=518
The State of Hybrid Work in IT Survey was conducted between July 11 and July 29 and received 518 responses. Nine in ten respondents were at a manager level of seniority or higher.
Every organization will have its own custom list of priorities based on its internal context. Organizational goals, IT maturity level, and effectiveness of capabilities are some of the important factors to consider. To provide CIOs with a starting point for their list of priorities for 2023, we used aggregate data collected in our diagnostic benchmark tools between August 1, 2021, and October 31, 2022.
Info-Tech's CEO-CIO Alignment Program is intended to be completed by CIOs and their supervisors (CEO or other executive position [CxO]) and will provide the average maturity level and budget expectations (N=107). The IT Management and Governance Diagnostic will provide the average capability effectiveness and importance ranking to CIOs (N=271). The CIO Business Vision Diagnostic will provide stakeholder satisfaction feedback (N=259).
The 2023 CIO priorities are based on that data, internal collaboration sessions at Info-Tech, and external interviews with CIOs and subject matter experts.
Slightly more than half of CIOs using Info-Tech's CEO-CIO Alignment Program rated themselves at a Support level of maturity in 2022. That aligns with IT professionals' view of their organizations from our Tech Trends and Priorities Survey, where organizations are rated at the Support level on average. At this level, IT departments can provide reliable infrastructure and support a responsive IT service desk that reasonably satisfies stakeholders.
In the future, CIOs aspire to attain the Transform level of maturity. Nearly half of CIOs select this future state in our diagnostic, indicating a desire to deliver reliable innovation and lead the organization to become a technology-driven firm. However, we see that fewer CxOs aspire for that level of maturity from IT. CxOs are more likely than CIOs to say that IT should aim for the Optimize level of maturity. At this level, IT will help other departments become more efficient and lower costs across the organization.
Whether a CIO is aiming for the top of the maturity scale in the future or not, IT maturity is achieved one step at a time. Aiming for outcomes at the Optimize level will be a realistic goal for most CIOs in 2023 and will satisfy many stakeholders.
Trends imply new opportunities and risks that an organization must decide on. Organizational leadership determines if action will be taken to respond to the new external context based on its importance compared to current internal context. To support their organizations, IT must use its capabilities to deliver on initiatives. But if a capability's effectiveness is poor, it could hamper the effort.
To determine what capabilities IT departments may need to improve or create to support their organizations in 2023, we conducted an analysis of our trends data. Using the opportunities and risks implied by the Tech Trends 2023 report and the State of Hybrid Work in IT: A Trend Report, we've determined the top capabilities IT will need to respond. Capabilities are defined by Info-Tech's IT Management and Governance Framework.
|
Enterprise Application Selection & Implementation Manage the selection and implementation of enterprise applications, off-the-shelf software, and software as a service to ensure that IT provides the business with the most appropriate applications at an acceptable cost. |
 |
|
Leadership, Culture, and Values Ensure that the IT department reflects the values of your organization. Improve the leadership skills of your team to generate top performance. |
 |
|
Data Architecture Manage the business' databases, including the technology, the governance processes, and the people that manage them. Establish the principles, policies, and guidelines relevant to the effective use of data within the organization. |
 |
|
Organizational Change Management Implement or optimize the organization's capabilities for managing the impact of new business processes, new IT systems, and changes in organizational structure or culture. |
 |
|
External Compliance Ensure that IT processes and IT-supported business processes are compliant with laws, regulations, and contractual requirements. |
 |
Info-Tech's Management and Diagnostic Benchmark
Ten more capabilities surfaced as important compared to others but not as important as the capabilities in tier 1.
|
Asset Management Track IT assets through their lifecycle to make sure that they deliver value at optimal cost, remain operational, and are accounted for and physically protected. Ensure that the assets are reliable and available as needed. |
 |
|
Business Intelligence and Reporting Develop a set of capabilities, including people, processes, and technology, to enable the transformation of raw data into meaningful and useful information for the purpose of business analysis. |
 |
|
Business Value Secure optimal value from IT-enabled initiatives, services, and assets by delivering cost-efficient solutions and services and by providing a reliable and accurate picture of costs and benefits. |
 |
|
Cost and Budget Management Manage the IT-related financial activities and prioritize spending through the use of formal budgeting practices. Provide transparency and accountability for the cost and business value of IT solutions and services. |
 |
|
Data Quality Put policies, processes, and capabilities in place to ensure that appropriate targets for data quality are set and achieved to match the needs of the business. |
 |
|
Enterprise Architecture Establish a management practice to create and maintain a coherent set of principles, methods, and models that are used in the design and implementation of the enterprise's business processes, information systems, and infrastructure. |
 |
|
IT Organizational Design Set up the structure of IT's people, processes, and technology as well as roles and responsibilities to ensure that it's best meeting the needs of the business. |
 |
|
Performance Measurement Manage IT and process goals and metrics. Monitor and communicate that processes are performing against expectations and provide transparency for performance and conformance. |
 |
|
Stakeholder Relations Manage the relationship between the business and IT to ensure that the stakeholders are satisfied with the services they need from IT and have visibility into IT processes. |
 |
|
Vendor Management Manage IT-related services provided by all suppliers, including selecting suppliers, managing relationships and contracts, and reviewing and monitoring supplier performance. |
 |
Understand the CIO priorities by analyzing both how CIOs respond to trends in general and how a specific CIO responded in the context of their organization.
Recognize the relative impact of higher inflation on IT's spending power and adjust accordingly.
Two-thirds of IT professionals are expecting their budgets to increase in 2023, according to our survey. But not every increase is keeping up with the pace of inflation. The International Monetary Fund forecasts that global inflation rose to 8.8% in 2022. It projects it will decline to 6.5% in 2023 and 4.1% by 2024 (IMF, 2022).
CIOs must account for the impact of inflation on their IT budgets and realize that what looks like an increase on paper is effectively a flat budget or worse. Applied to our survey takers, an IT budget increase of more than 6.5% would be required to keep pace with inflation in 2023. Only 40% of survey takers are expecting that level of increase. For the 27% expecting an increase between 1-5%, they are facing an effective decrease in budget after the impact of inflation. Those expecting no change in budget or a decrease will be even worse off.
| 2022 | 8.8% |
| 2023 | 6.5% |
| 2024 | 4.1% |
International Monetary Fund, 2022
Data from Info-Tech's CEO-CIO Alignment Diagnostic benchmark also shows that CIOs and their supervisors are planning for increases to the budget. This diagnostic is designed for a CIO to use with their direct supervisor, whether it's the CEO or otherwise (CxO). Results show that on average, CIOs are more optimistic than their supervisors that they will receive budget increases and headcount increases in the years ahead.
While 14% of CxOs estimated the IT budget would see no change or a decrease in the next three to five years, only 3% of CIOs said the same. A larger discrepancy is seen in headcount, where nearly one-quarter of CXOs estimated no change or decrease in the years ahead, versus only 10% of CIOs estimating the same.
When we account for the impact of inflation in 2023, this misalignment between CIOs and their supervisors increases. When adjusting for inflation, we need to view the responses projecting an increase of between 1-5% as an effective decrease. With the inflation adjustment, 26% of CXOs are predicting IT budgets to stay flat or see a decrease compared to only 10% of CIOs.
CIOs should consider how inflation has affected their projected spending power over the past year and take into account projected inflation rates over the next couple of years. Given that the past decade has seen inflation rates between 2-3%, the higher rates projected will have more of an impact on organizational budgets than usual.
Expect headcount to stay flat or decline over 3-5 years
IT budget expectations to stay flat or decrease before inflation
IT budget expectations to stay flat or decrease adjusted for inflation
Info-Tech's CEO-CIO Alignment Program
Organizations that migrated from on-premises data centers to infrastructure as a service shifted their capital expenditures on server racks to operational expenditures on paying the monthly service bill. Managing that monthly bill so that it is in line with desired performance levels now becomes crucial. The expected benefit of the cloud is that an organization can turn the dial up to meet higher demand and turn it down when demand slows. In practice this is sometimes more difficult to execute than anticipated. Some IT departments realize their cloud-based data flows aren't always connected to the revenue-generating activity seen in the business. As a result, a "cloud economist" is needed to closely monitor cloud usage and adjust it to financial expectations. Especially during any recessionary period, IT departments will want to avoid a "bill shock" incident.
Keep your friends close and your vendors closer. Look for opportunities to create leverage with your strategic vendors to unlock new opportunities. Identify if a vendor you work with is not entrenched in your industry and offer them the credibility of working with you in exchange for a favorable contract. Offering up your logo for a website listing clients or giving your own time to speak in a customer session at a conference can go a long way to building up some goodwill with your vendors. That's goodwill you'll need when you ask for a new multi-year contract on your software license without annual increases built into the structure.
An IT department that operates at the Optimize level of Info-Tech's maturity scale can deliver outcomes that lower costs for other departments. IT can defend its own budget if it's able to demonstrate that its initiatives will automate or augment business activities in a way that improves margins. The argument becomes even more compelling if IT can demonstrate it is supporting a revenue-generating initiative or customer-facing experience. CIOs will need to find business champions to vouch for the important contributions IT is making to their area.
In some jurisdictions, the largest companies will be required to start collecting information on carbon emissions emitted as a result of business activities by the end of next year. Smaller sized organizations will be next on the list to determine how to meet new requirements issued by various regulators. Risks of failure include facing fines or being shunned by investors. CIOs will need to support their financial reporting teams in collecting the new required data accurately. This will incur new costs as well.
Acquiring IT equipment is becoming more expensive due to overall inflation and specific pressures around semiconductor supply chains. As a result, more CIOs are extending their device refresh policies to last another year or two. Still, demands for new devices to support new hybrid work models could put pressure on budgets as IT teams are asked to modernize conferencing rooms. For organizations adopting mixed reality headsets, cutting-edge capabilities will come at a premium. Operating costs of devices may also increase as inflation increases costs of the electricity and bandwidth they depend on.
Denise Cornish, Associate VP of IT and Deputy COO,
Western University of Health Sciences
Since taking on the lead IT role at Western University in 2020, Denise Cornish has approached vendor management like an auditable activity. She evaluates the value she gets from each vendor relationship and creates a list of critical vendors that she relies upon to deliver core business services. "The trick is to send a message to the vendor that they also need us as a customer that's willing to act as a reference," she says. Cornish has managed to renegotiate a contract with her ERP vendor, locking in a multi-year contract with a very small escalator in exchange for presenting as a customer at conferences. She's also working with them on developing a new integration to another piece of software popular in the education space.
Western University even negotiated a partnership approach with Apple for a program run with its College of Osteopathic Medicine of the Pacific (COMP) called the Digital Doctor Bag. The partnership saw Apple agree to pre-package a customer application developed by Western that delivered the curriculum to students and facilitated communications across students and faculty. Apple recognized Western as an Apple Distinguished School, a program that recognizes innovative schools that use Apple products.
"I like when negotiations are difficult.
I don't necessarily expect a zero-sum game. We each need to get something out of this and having the conversation and really digging into what's in it for you and what's in it for me, I enjoy that. So usually when I negotiate a vendor contract, it's rare that it doesn't work out."
As an online publisher and a digital marketing platform for technology products and services companies, IT World Canada (ITWC) has observed that there are differences in how small and large companies adopt the cloud as their computing infrastructure. For smaller companies, even though adoption is accelerating, there may still be some reluctance to fully embrace cloud platforms and services. While larger companies often have a multi-cloud approach, this might not be practical for smaller IT shops that may struggle to master the skills necessary to effectively manage one cloud platform. While Love acknowledges that the cloud is the future of corporate computing, he also notes that not all applications or workloads may be well suited to run in the cloud. As well, moving data into the cloud is cheap but moving it back out can be more expensive. That is why it is critical to understand your applications and the data you're working with to control costs and have a successful cloud implementation.
"Standardization is the friend of IT. So, if you can standardize on one platform, you're going to do better in terms of costs."
Go deeper on pursuing your priorities by improving the associated capabilities.
Take control of your cloud costs by providing central financial oversight on the infrastructure-as-a-service provider your organization uses. Create visibility into your operational costs and define policies to control them. Right-size the use of cloud services to stay within organizational budget expectations.
Take Control of Cloud Costs on AWS
Take Control of Cloud Costs on Microsoft Azure
Reduce the funds allocated to ongoing support and impose tougher discipline around change requests to lighten your maintenance burden and make room for investment in net-new initiatives to support the business.
Free up funds for new initiatives
Lay the foundation for a vendor management process with long-term benefits. Position yourself as a valuable client with your strategic vendors and leverage your position to improve your contract terms.
Keep pace as the market adopts AI capabilities, and be ready to create competitive advantage.
During 2022, some compelling examples of generative-AI-based products took the world by storm. Images from AI-generating bots Midjourney and Stable Diffusion went viral, flooding social media and artistic communities with images generated from text prompts. Exchanges with OpenAI's ChatGPT bot also caught attention, as the bot was able to do everything from write poetry, to provide directions on a cooking recipe and then create a shopping list for it, to generate working code in a variety of languages. The foundation models are trained with AI techniques that include generative adversarial networks, transformers, and variational autoencoders. The end result is an algorithm that can produce content that's meaningful to people based on some simple direction. The industry is only beginning to come to grips with how this sort of capability will disrupt the enterprise.
Slightly more than one-third of IT professionals say their organization has already invested in AI or machine learning. It's the sixth-most popular technology to have already invested in after cloud computing (82%), application programming interfaces (64%), workforce management solutions (44%), data lakes (36%), and next-gen cybersecurity (36%). It's ahead of 12 other technologies that IT is already invested in.
When we asked what technologies organizations planned to invest in for next year, AI rocketed up the list to second place, as it's selected by 44% of IT professionals. It falls behind only cloud computing. This jump up the list makes AI the fastest growing technology for new investment from organizations.
Many AI capabilities seem cutting edge now, but organizations are prioritizing it as a technology investment. In a couple of years, access to foundational models that produce images, text, or code will become easy to access with a commercial license and an API integration. AI will become embedded in off-the-shelf software and drive many new features that will quickly become commonplace.
To stay even with the competition and meet customer expectations, organizations will have to work to at least adopt these AI-enhanced products and services. For those that want to create a competitive advantage, they will have to build a data pipeline that is capable of training their own custom AI models based on their unique data sets.
Tech Trends 2023 Survey
Data collection and analysis are on the minds of both CIOs and their supervisors. When asked what technologies the business should adopt in the next three to five years, big data (analytics) ranked as most critical to adopt among CIOs and their supervisors. Big data (collection) ranked fourth out of 11 options.
Organizations that want to drive a competitive advantage from generative AI will need to train these large, versatile models on their own data sets. But at the same time, IT organizations are struggling to provide clean data. The second-most critical gap for IT organizations on average is data quality, behind only organizational change management. Organizations know that data quality is important to support analytics goals, as algorithms can suffer in their integrity if they don't have reliable data to work with. As they say, garbage in, garbage out.
Another challenge to overcome is the gap seen in IT governance, the sixth largest gap on average. Using data toward training custom generative models will hold new compliance and ethical implications for IT departments to contend with. How user data can be leveraged is already the subject of privacy legislation in many different jurisdictions, and new AI legislation is being developed in various places around the world that could create further demands. In some cases, users are reacting negatively to AI-generated content.
IT Management and Governance Diagnostic
CEO-CIO Alignment Program
Many organizations still cobble together knowledgebases in SharePoint or some other shared corporate drive, full of resources that no one quite knows how to find. A generative AI chatbot holds potential to be trained on an organization's content and produce content based on an employee's queries. Trained properly, it could point employees to the right resource they need to answer their question or just provide the answer directly.
After Hurricane Ian shut down a Walmart distribution hub, the retailer used AI to simulate the effects on its supply chain. It rerouted deliveries from other hubs based on the predictions and planned for how to respond to demand for goods and services after the storm. Such forecasts would typically take a team of analysts days to compose, but thanks to AI, Walmart had it done in a matter of hours (The Economist, 2022).
New generative AI models of sufficient scale offer advantages over previous AI models in their versatility. Just as ChatGPT can write poetry or dialogue for a play or perhaps a section of a research report (not this one, this human author promises), large models can be deployed for multiple use cases in the enterprise. One AI researcher says this could reduce the costs of an AI project by 20-30% (The Economist, 2022).
Multiple jurisdictions around the world are pursuing new legislation that imposes requirements on organizations that use AI, including the US, Europe, and Canada. Some uses of AI will be banned outright, such as the real-time use of facial recognition in public spaces, while in other situations people can opt out of using AI and work with a human instead. Regulations will take the risk of the possible outcomes created by AI into consideration, and organizations will often be required to disclose when and how AI is used to reach decisions (Science | Business, 2022). Questions around whether creators can prevent their content from being used for training AI are being raised, with some efforts already underway to collect a list of those who want to opt out. Organizations that adopt a generative AI model today may find it needs to be amended for copyright reasons in the future.
Organizations using a large AI model trained by a third party to complete their tasks or as a foundation to further customize it with their own data will have to contend with the inherent bias of the algorithm. This can lead to unintended negative experiences for users, as it did for MIT Technology Review journalist Melissa Heikkilä when she uploaded her images to AI avatar app Lensa, only to have it render a collection of sexualized portraits. Heikkilä contends that her Asian heritage overly influenced the algorithm to associate her with video-game characters, anime, and adult content (MIT Technology Review, 2022).
Many of the generative AI bots released so far often create very good responses to user queries but sometimes create nonsense that at first glance might seem to be accurate. One example is Meta's Galactica bot – intended to streamline scientific research discovery and aid in text generation – which was taken down only three days after being made available. Scientists found that it generated fake research that sounded convincing or failed to do math correctly (Spiceworks, 2022).
At the Toronto Raptors practice facility, the OVO Athletic Centre, a new 120-foot custom LG video screen towers over the court. The video board is used to playback game clips so coaches can use them to teach players, but it also displays analytics from algorithmic models that are custom-made for each player. Data on shot-making or defensive deflections are just a couple examples of what might inform the players.
Vice President of Digital Technology Christian Magsisi leads a functional Digital Labs technical group at MLSE. The in-house team builds the specific data models that support the Raptors in their ongoing efforts to improve. The analytics are fed by Noah Analytics, which uses cognitive vision to provide real-time feedback on shot accuracy. SportsVU is a motion capture system that represents how players are positioned on the court, with detail down to which way they are facing and whether their arms are up or down. The third-party vendors provide the solutions to generate the analytics, but it's up to MLSE's internal team to shape them to be actionable for players during a practice.
"All the way from making sure that a specific player is achieving the results that they're looking for and showing that through data, or finding opportunities for the coaching staff. This is the manifestation of it in real life. Our ultimate goal with the coaches was to be able to take what was on emails or in a report and sometimes even in text message and actually implement it into practice."
MLSE's Digital Labs team architects its data insights pipeline on top of cloud services. Amazon Web Services Rekognition provides cognitive vision analysis from video and Amazon Kinesis provides the video processing capabilities. Beyond the court, MLSE uses data to enhance the fan experience, explains CTO Humza Teherany. It begins with having meaningful business goals about where technology can provide the most value. He starts by engaging the leadership of the organization and considering the "art of the possible" when it comes to using technology to unlock their goals.
Humza Teherany (left) and Christian Magsisi lead MLSE's digital efforts for the pro sports teams owned by the group, including the Toronto Raptors, Toronto Maple Leafs, and Toronto Argonauts. (Photo by Brian Jackson).
Read the full story on Spiceworks Insights.
"Our first goal in the entire buildup of the Digital Labs organization has been to support MLSE and all of our teams. We like to do things first. We leverage our own technology to make things better for our fans and for our teams to complete and find incremental advantages where possible."
Humza Teherany,
Chief Technology Officer, MLSE
The performance of AI-assisted tools depends on mature IT operations processes and reliable data sets. Standardize service management processes and build a knowledgebase of structured content to prepare for AI-assisted IT operations.
Prepare for Cognitive Service Management
Explore the enterprise chatbots that are available to not only assist with customer interactions but also help your employees find the resources they need to do their jobs and retrieve data in real time.
Explore the best chatbots software
Understand if you are ready to embark on the AI journey and what business use cases are appropriate for AI. Plan around the organization's maturity in people, tools, and operations for delivering the correct data, model development, and model deployment and managing the models in the operational areas.
Adopt zero-trust architecture as the new security paradigm across your IT stack and from an organizational risk management perspective.
The push toward a zero-trust security framework is becoming necessary for organizations for several different reasons over the past couple of years. As the pandemic forced workers away from offices and into their homes, perimeter-based approaches to security were challenged by much wider network footprints and the need to identify users external to the firewall. Supply-chain security became more of a concern with notable attacks affecting many thousands of firms, some with severe consequences. Finally, the regulatory pressure to implement zero trust is rising following President Joe Biden's 2021 Executive Order on Improving the Nation's Cybersecurity. It directs federal agencies to implement zero trust. That will impact any company doing business with the federal government, and it's likely that zero trust will propagate through other government agencies in the years ahead. Zero-trust architecture can also help maintain compliance around privacy-focused regulations concerned about personal data (CSO Online, 2022).
IT professionals are modestly confident that they can meet new government legislation regarding cybersecurity requirements. When asked to rank their confidence on a scale of one to five, the most common answer was 3 out of 5 (38.5%). The next most common answer was 4 out of 5 (33.3%).
Out of a list of challenges, IT professionals are most concerned with talent shortages leading to capacity constraints in cybersecurity. Fifty-four per cent say they are concerned or very concerned with this issue. Implementing a new zero-trust framework for security will be difficult if capacity only allows for security teams to respond to incidents.
The next most pressing concern is that cyber risks are not on the radar of executive leaders or the board of directors, with 46% of IT pros saying they are concerned or very concerned. Since zero-trust requires that organizations take an enterprise risk management approach to cybersecurity and involve top decision makers, this reveals another area where organizations may fall short of achieving a zero-trust environment.
| How confident are you that your organization is prepared to meet current and future government legislation regarding cybersecurity requirements? |  |
 |
|
| 54% |
of IT professionals are concerned with talent shortages leading to capacity constraints in cybersecurity. |
|---|---|
| 46% |
of IT professionals are concerned that cyber risks are not on the radar of executive leaders or the board of directors. |
A zero-trust approach to security requires organizations to view cybersecurity risk as part of its overall risk framework. Both CIOs and their supervisors agree that IT-related risks are a pain point. When asked to rate the severity of pain points, 58% of CIOs rated IT-related business risk incidents as a minor pain or major pain. Their supervisors were more concerned, with 61% rating it similarly. Enterprises can mitigate this pain point by involving top levels of leadership in cybersecurity planning.
Organizations can be wary about implementing new security measures out of concern it will put barriers between employees and what they need to work. Through a zero-trust approach that focuses on identity verification, friction can be avoided. Overall, IT organizations did well to provide security without friction for stakeholders over the past 18 months. Results from Info-Tech's CIO Business Vision Diagnostic shows that stakeholders almost all agree friction due to security practices are acceptable. The one area that stands to be improved is remote/mobile device access, where 78.3% of stakeholders view the friction as acceptable.
A zero-trust approach treats user identity the same regardless of device and whether it is inside or outside of the corporate network. This can remove friction when workers are looking to connect remotely from a mobile device.
| CXO | 61% |
|---|---|
| CIO | 58% |
CIO Business Vision Diagnostic, N=259
Today's approach to access control on the network is to allow every device to exchange data with every other device. User endpoints and servers talk to each other directly without any central governance. In a zero-trust environment, a centralized zero-trust network access broker provides one-to-one connectivity. This allows servers to rest offline until needed by a user with the right access permissions. Users verify their identity more often as they move throughout the network. The user can access the resources and data they need with minimal friction while protecting servers from unauthorized access. Log files are generated for analysis to raise alerts about when an authorized identity has been compromised.
Many organizations put process in place to make sure data at rest is encrypted, but often when users copy that data to their own devices, it becomes unencrypted, allowing attackers opportunities to exfiltrate sensitive data from user endpoints. Moving to a zero-trust environment where each data access is brokered by a central broker allows for encryption to be preserved. Parties accessing a document must exchange keys to gain access, locking out unauthorized users that don't have both sets of keys to decrypt the data (MIT Lincoln Laboratory, 2022).
IT teams may not be seeing a budget infusion to invest in a new approach to security. By making use of the many free and open-source tools available, they can bootstrap their strategy into reality. Here's a list to get started:
PingCastle Wrangle your Active Directory and find all the domains that you've long since forgotten about and manage the situation appropriately. Also builds a spoke-and-hub map of your Active Directory.
OpenZiti Create an overlay network to enable programmable networking that supports zero trust.
Snyk Developers can automatically find and fix vulnerabilities before they commit their code. This vendor offers a free tier but users that scale up will need to pay.
sigstore Open-source users and maintainers can use this solution to verify the code they are running is the code the developer intended. Works by stitching together free services to facilitate software signing, verify against a transparent ledger, and provide auditable logs.
Microsoft's SBOM generation tool A software bill of materials is a requirement in President Biden's Executive Order, intended to provide organizations with more transparency into their software components by providing a comprehensive list. Microsoft's tool will work with Windows, Linux, and Mac and auto-detect a longlist of software components, and it generates a list organized into four sections that will help organizations comprehend their software footprint.
Zero trust requires that top decision makers get involved in cybersecurity by treating it as an equal consideration of overall enterprise risk. Not all boards will have the cybersecurity expertise required, and some executives may not prioritize cybersecurity despite the warnings. Organizations that don't appoint a chief information security officer (CISO) role to drive the cybersecurity agenda from the top will be at risk of cybersecurity remaining an afterthought.
No matter what industry you're in or what type of organization you run, you need cybersecurity. The demand for talent is very high and organizations are finding it difficult to hire in this area. Without the talent needed to mature cybersecurity approaches to a zero-trust model, the focus will remain on foundational principles of patch management to eliminate vulnerabilities and intrusion prevention. Smaller organizations may want to consider a "virtual CISO" that helps shape the organizational strategy on a part-time basis.
Many enterprise security postures remain vulnerable to an attack that commandeers an employee's identity to infiltrate the network. Hosted single sign-on models provide low friction and continuity of identity across applications but also offer a single point of failure that hackers can exploit. Phishing scams that are designed to trick an employee into providing their credentials to a fake website or to just click on a link that delivers a malware payload are the most common inroads that criminals take into the corporate network. Being aware of how user behavior influences security is crucial.
Brosnan provides private security services to high-profile clients and is staffed by security experts with professional backgrounds in intelligence services and major law enforcement agencies. Safe to say that security is taken seriously in this culture and CIO Serge Suponitskiy makes sure that extends to all back-office staff that support the firm's activities. He's aware that people are often the weakest link in a cybersecurity posture and are prone to being fooled by a phishing email or even a fraudulent phone call. So cybersecurity training is an ongoing activity that takes many forms. He sends out a weekly cybersecurity bulletin that features a threat report and a story about the "scam of the week." He also uses KnowBe4, a tool that simulates phishing attacks and trains employees in security awareness. Suponitskiy advises reaching out to Marketing or HR for help with engaging employees and finding the right learning opportunities.
"What is financially the best solution to protect yourself? It's to train your employees. … You can buy all of the tools and it's expensive. Some of the prices are going up for no reason. Some by 20%, some by 50%, it's ridiculous. So, the best way is to keep training, to keep educating, and to reimagine the training. It's not just sending this video that no one clicks on or posting a poster no one looks at. … Given the fact we're moving into this recession world, and everyone is questioning why we need to spend more, it's time to reimagine the training approach."
David Senf, National Cybersecurity Strategist, Bell
As a cybersecurity analyst and advisor that works with Bell's clients, David Senf sees zero-trust security as an opportunity for organizations to put a strong set of mitigating controls in place to defend against the thorny challenge of reducing vulnerabilities in their software supply chain. With major breaches being linked to widely used software in the past couple of years, security teams might find it effective to focus on a different layer of security to prevent certain breaches. With security policy being enforced at a narrow point/perimeter, attacks are in essence blocked from exploiting application vulnerabilities (e.g. you can't exploit what you can see). Organizations must still ensure there is a solid vulnerability management program in place, but surrounding applications with other controls is critical. One aspect of zero trust, micro-segmentation, which is an approach to network management, can limit the damage caused by a breach. The solutions help to map out and protect the different connections between applications that could otherwise be abused for discovery or lateral movement. Senf advises that knowing your inventory of software and the interdependencies between applications is the first step on a zero-trust journey, before putting protection and detection in place.
"Next year will be a year of a lot more ZTNA, zero-trust network access, being deployed. So, I think that will give organizations more of an understanding of what zero trust is as well, from a really basic perspective. If I can just limit what applications you can see and no one can even see that application, it's undiscoverable because I've got that ZTNA solution in place. … I would see that as a leading area of deployment and coming to understand what zero trust is in 2023."
Enable reduced friction in the remote user experience by underpinning it with a hardware asset management program. Creating an inventory of devices and effectively tracking them will aid in maintaining compliance, result in stronger policy enforcement, and reduce the harm of a lost or stolen device.
Implement Hardware Asset Management
Communicate the transition from a perimeter-based security approach to an "Always Verify" approach with a clear roadmap toward implementation. Map key protect surfaces to business goals to demonstrate the importance of zero-trust security in helping the organization succeed. Help the organization's top leadership build awareness of cybersecurity risk.
Manage the challenge of meeting new government requirements to implement zero-trust security and other data protection and cybersecurity regulations with a compliance program. Create a control environment that aligns multiple compliance regimes, and be prepared for IT audits.
Lead a strong culture through digital means to succeed in engaging the hybrid workforce.
The pandemic's disruption for non-essential workers looks to have a long-lasting, if not permanent, effect on the relationship between employer and employee. The new bargain for almost all organizations is a hybrid work reality, with employees splitting time between the office and working remotely, if not working remotely full-time. IT is in a unique position in the organization as it must not only contend with the shift to this new deal with its own employees but facilitate it for the entire organization.
With 90% of organizations embracing some form of hybrid work, IT leaders have an opportunity to shift from coping with the new work reality to finding opportunities to improve productivity. Organizations that embrace a hybrid model for their IT departments see a more effective IT department. Organizations that offered no remote work for IT rated their IT effectiveness on average 6.2 out of 10, while organizations with at least 10% of IT roles in a hybrid model saw significantly higher effectiveness. At minimum, organizations with between 50%-70% of IT roles in a hybrid model rated their effectiveness at 6.9 out of 10.
IT achieved this increase in effectiveness during a disruptive time that often saw IT take on a heavier burden. Remote work required IT to support more users and be involved in facilitating more work processes. Thriving through this challenging time is a win that's worth sharing with the rest of the organization.
| 90% | of organizations are embracing some form of hybrid work. |
Despite IT's success with hybrid work, CIOs are more concerned about their staff sufficiency, skill, and engagement than their supervisors. Among clients using our CEO-CIO Alignment Diagnostic, 49% of CIOs considered this issue a major pain point compared to only 32% of CXOs. While IT staff are more effective than ever, even while carrying more of a burden in the digital age, CIOs are still looking to improve staff engagement.
Info-Tech's State of Hybrid Work Survey illuminates further details about where IT leaders are concerned for their employee engagement. About four in ten IT leaders say they are concerned for employee wellbeing, and almost the same amount say they are concerned they are not able to see signs that employees are demotivated (N=518).
Boosting IT employees' engagement levels to match their effectiveness will require IT leaders to harness all the tools at their disposal. Communicating culture and effectively managing organizational change in the digital age is a real test of leadership.
| CXO | 32% |
|---|---|
| CIO | 49% |
CEO-CIO Alignment Diagnostic
IT leaders concerned about the erosion of culture and connectedness due to hybrid work can mitigate those effects with increased and improved communication. Among highly effective IT departments, 55% of IT leaders made themselves highly available through instant messaging chat. Another 54% of highly effective leaders increased team meetings (State of Hybrid Work Survey, n=213). The ability to adapt to the team's needs and use a number of tactics to respond is the most important factor. The greater the number of tactics used to overcome communication barriers, the more effective the IT department (State of Hybrid Work Survey, N=518).
A hybrid work approach emphasizes the importance of not only the technology in the office conference room but the process around how meetings are conducted. Creating an equal footing for all participants regardless of how they join is the goal. In pursuit of that, 63% of organizations say they have made changes or upgrades to their conference room technology (n=496). The conferencing experience can influence employee engagement and work culture and enhance collaboration. IT should determine if the business case exists for upgrades and work to decrease the pain of using legacy solutions where possible (State of Hybrid Work in IT: A Trend Report).
Map out the value chain from the customer perspective and then determine the organizational capabilities involved in delivering on that experience. It is a useful tool for helping IT staff understand how they're connected to the customer experience and organizational mission. It's crucial to identify opportunities to resolve pain points and create more efficiency throughout the organization.
Many employees that experienced hybrid work over the past couple of years are finding it's a positive development for work/life balance and aren't interested in a full-time return to the office. Organizations that insist on returning all employees to the office all the time may find that employees choose to leave the organization. Similarly, it could be hard to hire IT talent in a competitive market if the position is required to be onsite every day. Most organizations are providing flexible options to employees and finding ways to manage work in the new digital age.
Organizations may choose to keep their physical office only to later realize that no one is going to work there. While providing an office space can help foster positive culture through valuable face time, it has to be used intentionally. Managers should plan for specific days that their teams will meet in the office and make sure that work activities take advantage of everyone being in the same place at the same time. Asking everyone to come in so that they can be on a videoconference meeting in their cubicle isn't the point.
Studies on a remote work environment show it has an impact on how many connections each employee maintains within the company. Employees still interact well within their own teams but have fewer interactions across departments. Overall, workers are likely to collaborate just as often as they did when working in the office but with fewer other individuals at the company. Keep the isolating effect of remote work in mind and foster collaboration and networking opportunities across different departments (BBC News, 2022).
Working in the legislature of the Ontario provincial government, CIO Roberto Eberhardt's staff went from a fully onsite model to a fully remote model at the outset of the pandemic. Today he's navigating his path to a hybrid model that's somewhere in the middle. His approach is to allow his business colleagues to determine the work model that's needed but to support a technology environment that allows employees to work from home or in the office equally. Every new process that's introduced must meet that paradigm, ensuring it will work in a hybrid environment. For his IT staff, he sees a culture of accountability and commitment to metrics to drive performance measurement as key to the success of this new reality.
"While it's good in a way, the challenge for us is it became a little more complex because you have to account for all those things in the office environment and in the remote work approach. Everything you do now, you have to say OK well how is this going to work in this world and how will it work in the other world?"
At the Virginia Community College System (VCCS), CIO Mike Russell's IT team supports an organization that governs and delivers services to all community colleges in the state. Russell sees his IT team's purpose as being driven by the organization's mission to ensure success throughout the entire student journey, from enrolment to becoming employed after graduation. That customer-focused mindset starts from the top-level leadership, the chancellor, and the state governor. The VCCS maintains a six-year business plan that informs IT's strategic plan and aligns IT with the mission, and both plans are living documents that get refreshed every two years. Updating the plans provides opportunities for the chancellor to engage the organization and remind everyone of the purpose of their work.
"The outcome isn't the degree. The outcome we're trying to measure is the job. Did you get the job that you wanted? Whether it's being re-employed or first-time employment, did you get what you were after?"
Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.
Prepare People Leaders for the Hybrid Work Environment
Assign accountability for managing the changes that the organization is experiencing in the digital age. Make a people-centric approach that takes human behavior into account and plans to address different needs in different ways. Be proactive about change.
Master Organizational Change Management Practices
Develop a foundation for aligning IT's activities with business value by creating a right-sized enterprise architecture approach that isn't heavy on bureaucracy. Drive IT's purpose by illustrating how their work contributes to the overall mission and the customer experience.
Create a Right-Sized Enterprise Architecture Governance Framework
Tightly align the IT organization with the organization's value chain from a customer perspective.
The pandemic motivated organizations to accelerate their digital transformation efforts, digitalizing more of their tasks and organizing the company's value chain around satisfying the customer experience. Now we see organizations taking their foot off the gas pedal of digitalization and shifting their focus to extracting the value from their investments. They want to execute on the digital transformation in their operations and realize the vision they set out to achieve.
In our Trends Report we compared the emphasis organizations are putting on digitalization to last year. Overall, we see that most organizations shifted fewer of their processes to digital in the past year.
We also asked organizations what motivated their push toward automation. The most common drivers are to improve efficiency, with almost seven out of ten organizations looking to increase staff on high-level tasks by automating repetitive tasks, 67% also wanting to increase productivity without increasing headcount, and 59% wanting to reduce errors being made by people. In addition, more than half of organizations pursued automation to improve customer satisfaction.
Tech Trends 2023 Survey
With the shift in focus from implementing new applications to support digital transformation to operating in the new environment, IT must shift its own focus to help realize the value from these systems. At the same time, IT must reorganize itself around the new value chain that's defined by a customer perspective.
Many current IT departments are structured around legacy processes that hinder their ability to deliver business value. CIOs are trying to grapple with the misalignment between the modern business structure and keep up with the demands for innovation and agility.
Almost nine in ten CIOs say that business frustration with IT's failure to deliver value is a pain point. Their supervisors have a slightly more favorable opinion, with 76% agreeing that it is a pain point.
Similarly, nine in ten CIOs say that IT limits affecting business innovation and agility is a pain point, while 81% of their supervisors say the same.
Supervisors say that IT should "ensure benefits delivery" as the most important process (CEO-CIO Alignment Program). This underlines the need to achieve alignment, optimize service delivery, and facilitate innovation. The pain points identified here will need to be resolved to make this possible.
IT departments will need to contend with a tight labor market and economic volatility in the year ahead. If this drives down resource capacity, it will be even more critical to tightly align with the organization.
| CXO | 76% |
|---|---|
| CIO | 88% |
| CXO | 81% |
|---|---|
| CIO |
90% |
CEO-CIO Alignment Program
Communicate the performance of IT to stakeholders by attributing positive changes in enterprise value to IT initiatives. For example, if a digital channel helped increase sales in one area, then IT can claim some portion of that revenue. If optimization of another process resulted in cost savings, then IT can claim that as a contribution toward the bottom line. CIOs should develop their handle on how KPIs influence revenues and costs. Keeping tabs on normalized year-over-year revenue comparisons can help demonstrate that IT contributions are making an impact on driving profitability.
Most back-office functions common to operating a company can be provided by cloud-based applications accessed through a web browser. There's no value in having IT spend time maintaining on-premises applications that require hosting and ongoing maintenance. Organizations that are still accruing technical debt and are unable to modernize will increasingly find it is negatively impacting employee experience, as users expect their working experience to be similar to their experience with consumer applications. In addition, IT will continue to have capacity challenges as resources will be consumed by maintenance. As they seek to outsource some applications, IT will need to consider the geopolitical risk of certain jurisdictions in selecting a provider.
The concept of "clocking in" for a shift and spending eight hours a day on the job doesn't help guide IT toward its objectives or create any higher sense of purpose. Leaders must work to create a true sense of accountability by reaching consensus on what key performance indicators are important and tasking staff to improve them. Metrics should clearly link back to business outcomes and IT should understand the role they play in delivering a good customer experience.
CIOs are finding it difficult to hire the talent needed to create the capacity they need as digital demands of their organizations increase. This could slow the pace of change as new positions created in IT go unfilled. CIOs may need to consider reskilling and rebalancing workloads of existing staff in the short term and tap outsourcing providers to help make up shortfalls.
New processes may have been given the official rubber stamp, but that doesn't mean staff are adhering to them. Organizations that reorganize themselves must take steps to audit their processes to ensure they're executed the way they intend. Some employees may feel they are being made obsolete or pushed out of their jobs and become disengaged.
Restructuring the organization can come with the need for new tools and more training. It may be necessary to operate with redundant staff for the transitional period. Some additional expenses might be incurred for a brief period as the new structure is being put in place.
As the new CIO to McDonald's Germany, Salman Ali came on board with an early mandate to reorganize the IT department. The challenge is to merge two organizations together: one that delivers core technology services of infrastructure, security, service desk, and compliance and one that delivers customer-facing technology such as in-store touchscreen kiosks and the mobile app for food delivery. He is looking to organize this new-look department around the technology in the hands of both McDonald's staff and its customers. In conversations with his stakeholders, Ali emphasizes the value that IT is driving rather than discussing the costs that go into it. For example, there was a huge cost in integrating third-party meal delivery apps into the point-of-sales system, but the seamless experience it delivers to customers looking to place an order helps to drive a large volume of sales. He plans to reorganize his department around this value-driven approach. The organization model will be executed with clear accountability in place and key performance indicators to measure success.
"Technology is no longer just an enabler. It's now a strategic business function. When they talk about digital, they are really talking about what's in the customers' hands and what do they use to interact with the business directly? Digital transformation has given technology a new front seat that's really driving the business."
LAWPRO is a provider of professional liability insurance and title insurance in Canada. The firm is moving its back-office applications from a build approach to a buy approach and focusing its build efforts on customer-facing systems tied to revenue generation. CIO Ernest Solomon says his team has been developing on a legacy platform for two decades, but it's time to modernize. The firm is replacing its legacy platform and moving to a cloud-based system to address technical debt and improve the experience for staff and customers. The claims and policy management platform, the "heartbeat" of the organization, is moving to a software-as-a-service model. At the same time, the firm's customer-facing Title Plus application is being moved to a cloud-native, serverless architecture. Solomon doesn't see the need for IT to spend time building services for the back office, as that doesn't align with the mission of the organization. Instead, he focuses his build efforts on creating a competitive advantage.
"We're redefining the customer experience, which is how do we move the needle in a positive direction for all the lawyers that interact with us? How do we generate that value-based proposition and improve their interactions with our organization?"
Go deeper on pursuing your priorities by improving the associated capabilities.
Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.
Embrace Business-Managed Applications
Drive the most important IT process in the eyes of supervisors by defining business value and linking IT spend to it. Make benefits realization part of your IT governance.
Maximize Business Value From IT Through Benefits Realization
Showcase IT's value to the business by aligning IT spending and staffing to business functions. Provide transparency into business consumption of IT and compare your spending to your peers'.
Denise Cornish, Associate VP of IT and Deputy COO, Western University of Health Sciences
Jim Love, CIO, IT World Canada
Christian Magsisi, Vice President of Venue and Digital Technology, MLSE
Humza Teherany, Chief Technology Officer, MLSE
Serge Suponitskiy, CIO, Brosnan Risk Consultants
David Senf, National Cybersecurity Strategist, Bell
Roberto Eberhardt, CIO, Ontario Legislative Assembly
Mike Russell, Virginia Community College System
Salman Ali, CIO, McDonald's Germany
Ernest Solomon, Former CIO, LAWPRO
Anderson, Brad, and Seth Patton. "In a Hybrid World, Your Tech Defines Employee Experience." Harvard Business Review, 18 Feb. 2022. Accessed 12 Dec. 2022.
"Artificial Intelligence Is Permeating Business at Last." The Economist, 6 Dec. 2022. Accessed 12 Dec. 2022.
Badlani, Danesh Kumar, and Adrian Diglio. "Microsoft Open Sources Its Software Bill
of Materials (SBOM) Generation Tool." Engineering@Microsoft, 12 July 2022. Accessed
12 Dec. 2022.
Birch, Martin. "Council Post: Equipping Employees To Succeed In Digital Transformation." Forbes, 9 Aug. 2022. Accessed 7 Dec. 2022.
Bishop, Katie. "Is Remote Work Worse for Wellbeing than People Think?" BBC News,
17 June 2022. Accessed 7 Dec. 2022.
Carlson, Brian. "Top 5 Priorities, Challenges For CIOs To Recession-Proof Their Business." The Customer Data Platform Resource, 19 July 2022. Accessed 7 Dec. 2022.
"CIO Priorities: 2020 vs 2023." IT PRO, 23 Sept. 2022. Accessed 2 Nov. 2022.
cyberinsiders. "Frictionless Zero Trust Security - How Minimizing Friction Can Lower Risks and Boost ROI." Cybersecurity Insiders, 9 Sept. 2021. Accessed 7 Dec. 2022.
Garg, Sampak P. "Top 5 Regulatory Reasons for Implementing Zero Trust."
CSO Online, 27 Oct. 2022. Accessed 7 Dec. 2022.
Heikkilä, Melissa. "The Viral AI Avatar App Lensa Undressed Me—without My Consent." MIT Technology Review, 12 Dec. 2022. Accessed 12 Dec. 2022.
Jackson, Brian. "How the Toronto Raptors Operate as the NBA's Most Data-Driven Team." Spiceworks, 1 Dec. 2022. Accessed 12 Dec. 2022.
Kiss, Michelle. "How the Digital Age Has Transformed Employee Engagement." Spiceworks,16 Dec. 2021. Accessed 7 Dec. 2022.
Matthews, David. "EU Hopes to Build Aligned Guidelines on Artificial Intelligence with US." Science|Business, 22 Nov. 2022. Accessed 12 Dec. 2022.
Maxim, Merritt. "New Security & Risk Planning Guide Helps CISOs Set 2023 Priorities." Forrester, 23 Aug. 2022. Accessed 7 Dec. 2022.
Miller, Michael J. "Gartner Surveys Show Changing CEO and Board Concerns Are Driving a Different CIO Agenda for 2023." PCMag, 20 Oct. 2022. Accessed 2 Nov. 2022.
MIT Lincoln Laboratory. "Overview of Zero Trust Architectures." YouTube,
2 March 2022. Accessed 7 Dec. 2022.
MIT Technology Review Insights. "CIO Vision 2025: Bridging the Gap between BI and AI." MIT Technology Review, 20 Sept. 2022. Accessed 1 Nov. 2022.
Paramita, Ghosh. "Data Architecture Trends in 2022." DATAVERSITY, 22 Feb. 2022. Accessed 7 Dec. 2022.
Rosenbush, Steven. "Cybersecurity Tops the CIO Agenda as Threats Continue to Escalate - WSJ." The Wall Street Journal, 17 Oct. 2022. Accessed 2 Nov. 2022.
Sacolick, Isaac. "What's in the Budget? 7 Investments for CIOs to Prioritize." StarCIO,
22 Aug. 2022. Accessed 2 Nov. 2022.
Singh, Yuvika. "Digital Culture-A Hurdle or A Catalyst in Employee Engagement." International Journal of Management Studies, vol. 6, Jan. 2019, pp. 54–60. ResearchGate, https://doi.org/10.18843/ijms/v6i1(8)/08.
"Talent War Set to Become Top Priority for CIOs in 2023, Study Reveals." CEO.digital,
8 Sept. 2022. Accessed 7 Dec. 2022.
Tanaka, Rodney. "WesternU COMP and COMP-Northwest Named Apple Distinguished School." WesternU News. 10 Feb. 2022. Accessed 12 Dec. 2022.
Wadhwani, Sumeet. "Meta's New Large Language Model Galactica Pulled Down Three Days After Launch." Spiceworks, 22 Nov. 2022. Accessed 12 Dec. 2022.
"World Economic Outlook." International Monetary Fund (IMF), 11 Oct. 2022. Accessed
14 Dec. 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Ensure the purchase is the lowest cost with fewest future headaches.
Select the most appropriate offering for business needs at a competitive price point.
Get the lowest priced feature set for the selected product.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Complete a cultural assessment and select focus values to form core culture efforts.
Enable executives to gather feedback on behavioral perceptions and support behavioral change.
Review all areas of the department to understand where the links to culture exist and create a communication plan.
Customize a process to infuse behaviors aligned with focus values in work practices and complete the first wave of meetings.
Our pricing options will be available soon for simple download,
In the meantime, please book a free discovery call. No cost, no sales pitch.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Gain insight on the various factors that influence software satisfaction.
Reduce the size of your RFPs or skip them entirely to limit time spent watching vendor dog and pony shows.
Narrow the field to four contenders prior to in-depth comparison and engage in accelerated enterprise architecture oversight.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Analyze your project history to identify and fill gaps in your estimation practices.
Allocate time across project phases to validate and refine estimates and estimate assumptions.
Implement a lessons learned process to provide transparency to your sponsors and confidence to your teams.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Track key performance indicators on past projects to inform goals for future projects.
Developed Project History List.
Refined starting estimates that can be adjusted accurately from project to project.
1.1 Build project history.
1.2 Analyze estimation capabilities.
1.3 Identify estimation goals.
Project History List
T-Shirt Sizing Health Check
Estimate Tracking Plan
Outline the common attributes required to complete projects.
Identify the commonly forgotten attributes to ensure comprehensive scoping early on.
Refined initial estimate based on high-level insights into work required and resources available.
2.1 Develop a list of in-scope project attributes.
2.2 Identify leadership priorities for deliverables and attributes.
2.3 Track team and skill responsibilities for attributes.
Identified list or store of past project attributes and costs
Attribute List and Estimated Cost
Required Skills List
Set clear processes for tracking the health of your estimate to ensure it is always as accurate as possible.
Define check-in points to evaluate risks and challenges to the project and identify trigger conditions.
An estimation process rooted in organizational memory and lessons learned.
Project estimates that are consistently reevaluated to predict and correct challenges before they can drastically affect your projects.
3.1 Determine Milestone Check-In Points.
3.2 Develop Lessons Learned Meeting Agendas.
3.3 Identify common risks and past lessons learned.
3.4 Develop contingency tracking capabilities.
Project Lessons Learned Template
Historic Risks and Lessons Learned Master Template
Contingency Reserve and Risk Registers
Bridge the gap between death march projects and bloated and uncertain estimates by communicating expectations and assumptions clearly to your sponsors.
Clear estimation criteria and assumptions aligned with business priorities.
Post-mortem discussion items crucial to improving project history knowledge for next time.
4.1 Identify leadership risk priorities.
4.2 Develop IT business alignment.
4.3 Develop hand-off procedures and milestone approval methods.
4.4 Create a list of post-mortem priorities.
Estimation Quotation
Risk Priority Rankings
Hand-Off Procedures
Post-mortem agenda planning
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Level-set the expectations for your business-managed applications.
Identify and define your application managers and owners and build a fit-for-purpose governance model.
Build a roadmap that illustrates the key initiatives to implement your BMA and governance models.
[infographic]
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Define business-managed applications in your context.
Identify your business-managed application objectives.
State the value opportunities with business-managed applications.
A consensus definition and list of business-managed applications goals
Understanding of the business value business-managed applications can deliver
1.1 Define business-managed applications.
1.2 List your objectives and metrics.
1.3 State the value opportunities.
Grounded definition of a business-managed application
Goals and objectives of your business-managed applications
Business value opportunity with business-managed applications
Develop your application management framework.
Tailor your application delivery and ownership structure to fit business-managed applications.
Discuss the value of an applications committee.
Discuss technologies to enable business-managed applications.
Fit-for-purpose and repeatable application management selection framework
Enhanced application governance model
Applications committee design that meets your organization’s needs
Shortlist of solutions to enable business-managed applications
2.1 Develop your management framework.
2.2 Tune your delivery and ownership accountabilities.
2.3 Design your applications committee.
2.4 Uncover your solution needs.
Tailored application management selection framework
Roles definitions of application owners and managers
Applications committee design
List of business-managed application solution features and services
Build your roadmap to implement busines-managed applications and build the foundations of your optimized governance model.
Implementation initiatives
Adoption roadmap
3.1 Build your roadmap.
Business-managed application adoption roadmap
Well, your clients demand it. And it makes business sense; it is much cheaper to retain a client than to acquire new ones. By all means, always expand your client base; just don't make it a zero-sum game by losing clients because you cannot provide decent service.
Although the term has existed since the 17th century, it has only received legal attention since 2020. Now, several years later, the EU and the US require companies to prove their resilience.
To understand what resilience is, please read our article on resilience.
IT resilience is a mindset, a collection of techniques, and people management focused on providing consistent service to clients, all rolled into one discipline. While we discuss IT resilience, it takes more than IT staff or IT processes to become a truly resilient business.
Here are 10 themes relevant to the (IT) resilient organization:
A transparent company culture empowers its people to act confidently, respond swiftly to challenges, and continuously learn and improve. This builds a strong foundation for resilience, enabling the organization to navigate disruption or adversity much more easily.
At its core, transparency is about open communication, sharing information, and fostering a culture of honesty and trust. These traits directly influence the various aspects of resilience.
A client service focus isn't just about customer satisfaction; it's an integral part of a company's resilience strategy. Service stability and continuous value delivery are the elements that retain existing clients and attract new ones through reputation. System outages, slowdowns, and errors lead to client frustration and erode confidence. In other words, client service focuses on making sure you are available. Once you have that, then you can look at enhancing and expanding services and products.
Resilient systems and processes often also include tools and capabilities for proactive communication with clients. This can include automated notifications during system maintenance or updates, providing transparency and minimizing inconvenience. A proactive approach to communication creates a sense of partnership, and it demonstrates that you value your clients' time and business.
Adaptable systems and processes give you the flexibility for rapid incident response and easy workarounds, bringing your service back to the level it is supposed to be at.
In the bigger picture, when you design your systems for flexibility and modification, you can rapidly adjust to new market conditions, evolving customer demands, and technological advancements. This agility allows you to pivot swiftly, seizing opportunities while mitigating risks.
In the same vein, adaptable processes, fostered by a culture of continuous improvement and open communication, empower teams to innovate and refine workflows in response to challenges. This constant evolution ensures the company remains competitive and aligned with its ever-changing environment.
When you establish standardized procedures for planning, testing, and implementing changes, IT change management ensures that every modification, no matter how seemingly small, is carefully considered and assessed for its impact on the broader IT ecosystem. This structured approach significantly reduces the risk of unexpected side effects, unforeseen conflicts, and costly downtime, protecting the company's operations and its reputation.
It does not have to be a burdensome bureaucratic process. Modern processes and tools take the sting out of these controls. Many actions within change management can be automated without losing oversight by both the IT custodians and the business process owners.
By having duplicates of essential components or systems in place, you ensure that even if one part fails, another is ready to take over. This helps you minimize the impact of unexpected events like hardware issues, software glitches, or other unforeseen problems. This might mean replicating critical policy data across multiple servers or data centers in different locations.
Fault tolerance is all about your systems and processes being able to keep working even when facing challenges. By designing your software and systems architecture with fault tolerance in mind, you are sure it can gracefully handle errors and failures, preventing those small problems from causing bigger issues, outages, and unhappy clients.
Clients entrust you with valuable information. Demonstrating a commitment to data security through resilient systems builds trust and provides reassurance that their data is safeguarded against breaches and unauthorized access.
Trusting that all working is good. making sure is better. When you observe your systems and receive timely notifications when something seems off, you'll be able to address issues before they snowball into real problems.
In any industry, monitoring helps you keep an eye on crucial performance metrics, resource usage, and system health. You'll get insights into how your systems behave, allowing you to identify bottlenecks or potential points of failure before they cause serious problems. And with a well-tuned alerting system, you'll get those critical notifications when something requires immediate attention. This gives you the chance to respond quickly, minimize downtime, and keep things running smoothly for your customers.
Monitoring is also all about business metrics. Keep your service chains running smoothly and understand the ebb and flow of when clients access your services. Then update and enhance in line with what you see happening.
Well-thought-out plans and processes are key. Work with your incident managers, developers, suppliers, business staff and product owners and build an embedded method for reacting to incidents.
The key is to limit the time of the service interruption. Not everything needs to be handled immediately, so your plan must be clear on how to react to important vs lower-priority incidents. Making the plan and process well-known in the company helps everybody and keeps the calm.
Business continuity planning anticipates and prepares for various scenarios, allowing your company to adapt and maintain essential functions even in the face of unexpected disruptions.
When you proactively address these non-IT aspects of recovery, you build resilience that goes beyond simply restoring technology. It enables you to maintain customer relationships, meet contractual obligations, and safeguard your reputation, even in the face of significant challenges.
Business continuity is not about prevention; it is about knowing what to do when bad things happen that may threaten your company in a more existential way or when you face issues like a power outage in your building, a pandemic, major road works rendering your business unreachable and such events.
Disaster recovery is your lifeline when the worst happens. Whether it's a major cyberattack, a natural disaster, or a catastrophic hardware failure, a solid disaster recovery plan ensures your business doesn't sink. It's your strategy to get those critical systems back online and your data restored as quickly as possible.
Think of it this way: disaster recovery, just like business continuity, isn't about preventing bad things from happening; it's about being prepared to bounce back when they do. It's like having a spare tire in your car, you hope you never need it, but if you get a flat, you're not stranded. With a well-tested disaster recovery plan, you can minimize downtime, reduce data loss, and keep your operations running even in the face of the unexpected. That translates to happier customers, protected revenue, and a reputation for reliability even amidst chaos.
Resilience is the result of a well-conducted orchestra. Many disciplines come together to help you service your clients in a consistent way.
The operational lifeline of your company and the reason it exists in the first place is to provide your clients with what they need, when they need it, and be able to command a good price for it. And that will keep your shareholders happy as well.
IT and OT are both very different complex systems. However, significant benefits have driven OT to be converged to IT. This results in IT security leaders, OT leaders and their teams' facing challenges in:
Info-Tech’s approach in preparing for IT/OT convergence in the planning phase is coordination and collaboration of IT and OT to
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Info-Tech provides a three-phase framework of secure IT/OT convergence, namely Plan, Enhance, and Monitor & Optimize. The essential steps in Plan are to:
This tool serves as a repository for information about the organization, compliance, and other factors that will influence your IT/OT convergence.
A critical step in secure IT/OT convergence is populating a RACI (Responsible, Accountable, Consulted, and Informed) chart. The chart assists you in organizing roles for carrying out convergence steps and ensures that there are definite roles that different individuals in the organization must have. Complete this tool to assign tasks to suitable roles.
IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.
In the past, OT systems were engineered to be air gapped, relying on physical protection and with little or no security in design, (e.g. OT protocols without confidentiality properties). However, now, OT has become dependent on the IT capabilities of the organization, thus OT inherits IT’s security issues, that is, OT is becoming more vulnerable to attack from outside the system. IT/OT convergence is complex because the culture, policies, and rules of IT are quite foreign to OT processes such as change management, and the culture, policies, and rules of OT are likewise foreign to IT processes.
A secure IT/OT convergence can be conceived of as a negotiation of a strong treaty between two systems: IT and OT. The essential initial step is to begin with communication between IT and OT, followed by necessary components such as governing and managing OT security priorities and accountabilities, converging security controls between IT and OT environments, assuring compliance with regulations and standards, and establishing metrics for OT security.
|
Ida Siahaan
Research Director, Security and Privacy Practice Info-Tech Research Group |
| Your Challenge
IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges with:
|
Common Obstacles
|
Info-Tech’s Approach
Info-Tech’s approach in preparing for IT/OT convergence (i.e. the Plan phase) is coordination and collaboration of IT and OT to:
|
Returning to isolated OT is not beneficial for the organization, so IT and OT need to learn to collaborate, starting with communication to build trust and to overcome their differences. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.
| OT systems were built with no or little security design
90% of organizations that use OT experienced a security incident. (Fortinet, 2021. Ponemon, 2019.) |
 (Source: Fortinet, 2021.) |
Lack of visibility
86% of OT security-related service engagements lack complete visibility of OT network in 2021 (90% in 2020, 81% in 2019). (Source: “Cybersecurity Year In Review” Dragos, 2022.) |
| 2000 Target: Australian sewage plant. Method: Insider attack. Impact: 265,000 gallons of untreated sewage released. |
2012 Target: Middle East energy companies. Method: Shamoon. Impact: Overwritten Windows-based systems files. |
2014 Target: German Steel Mill. Method: Spear-phishing. Impact: Blast furnace failed to shut down. |
2017 Target: Middle East safety instrumented system (SIS). Method: TRISIS/TRITON. Impact: Modified SIS ladder logic. |
2022 Target: Viasat’s KA-SAT network. Method: AcidRain. Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat’s services. |
|
||||
| 1903 Target: Marconi wireless telegraph presentation. Method: Morse code. Impact: Fake message sent “Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily.” |
2010 Target: Iranian uranium enrichment plant. Method: Stuxnet. Impact: Compromised programmable logic controllers (PLCs). |
2013 Target: ICS supply chain. Method: Havex. Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers |
2016 Target: Ukrainian power grid. Method: BlackEnergy. Impact: For 1-6 hours, power outages for 230,000 consumers. |
2021 Target: Colonial Pipeline. Method: DarkSide ransomware. Impact: Compromised billing infrastructure halted the pipeline operation. |
(Source: US Department of Energy, 2018.
”Significant Cyber Incidents,” CSIS, 2022
MIT Technology Review, 2022.)
Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
Case StudyHorizon Power |
|
INDUSTRY
|
SOURCE
|
|
Horizon Power is the regional power provider in Western Australia and stands out as a leader not only in the innovative delivery of sustainable power, but also in digital transformation. Horizon Power is quite mature in distributed energy resource management; moving away from centralized generation to decentralized, community-led generation, which reflects in its maturity in converging IT and OT. Horizon Power’s IT/OT convergence journey started over six years ago when advanced metering infrastructure (AMI) was installed across its entire service area – an area covering more than one quarter of the Australian continent. In these early days of the journey, the focus was on leveraging matured IT approaches such as adoption of cloud services to the OT environment, rather than converging the two. Many years later, Horizon Power has enabled OT data to be more accessible to derive business benefits such as customer usage data using data analytics with the objective of improving the collection and management of the OT data to improve business performance and decision making. The IT/OT convergence meets legislation such as the Australian Energy Sector Cyber Security Framework (AESCSF), which has impacts on the architectural layer of cybersecurity that support delivery of the site services. |
Results
The lessons learned in converging IT and OT from Horizon Power were:
|
Convergence Elements
|
Target Groups
|
Security Components
|
Plan |
|
Governance Compliance |
Enhance |
|
Security strategy Risk management Security policies and procedures IR, DR, and BCP |
Monitor &
|
|
Awareness and cross-training Architecture and controls |
|
Plan Outcomes
|
Plan Benefits
|
||||
To initiate communication between the IT and OT teams, it is important to understand how the two groups are different and to build trust to find a holistic approach which overcomes those differences.
| Info-Tech InsightOT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support. Identifying organization goals is the first step in aligning your secure IT/OT convergence with your organization’s vision.
|
Input: Corporate, IT, and OT strategies
Output: Your goals for the security strategy
Materials: Secure IT/OT Convergence Requirements Gathering Tool
Participants: Executive leadership, OT leader, IT leader, Security leader, Compliance, Legal, Risk management
Download the Secure IT/OT Convergence Requirements Gathering Tool
Refer to the Secure IT/OT Convergence Framework when filling in the following elements.
It is important to know at the outset of the strategy: What are we trying to secure in IT/OT convergence ?
This includes physical areas we are responsible for, types of data we care about, and departments or IT/OT systems we are responsible for.
Physical Scope and Boundaries
|
IT Systems Scope and Boundaries
|
Organizational Scope and Boundaries
|
OT Systems Scope and Boundaries
|
|
Refer to the Secure IT/OT Convergence Framework when filling in the following elements:
|
Input: List of relevant stakeholders
Output: Roles and responsibilities for the secure IT/OT convergence program
Materials: Secure IT/OT Convergence RACI Chart Tool
Participants: Executive leadership, OT leader, IT leader, Security leader
There are many factors that impact an organization’s level of effectiveness as it relates to IT/OT convergence. How the two groups interact, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, it is imperative in the planning phase to identify stakeholders who are:
Download the Secure IT/OT Convergence RACI Chart Tool
Define responsible, accountable, consulted, and informed (RACI) stakeholders.
|
Info-Tech Insight
The roles and responsibilities should be clearly defined. For example, IT network should be responsible for the communication and configuration of all access points and devices from the remote client to the control system DMZ, and controls engineering should be responsible from the control system DMZ to the control system. |
To establish governance and build an IT/OT cross-functional team, it is important to understand the operation of OT systems and their interactions with IT within the organization, e.g. ad hoc, centralized, decentralized.
To determine IT/OT convergence maturity level, Info-Tech provides the IT/OT Convergence Self-Evaluation Tool.
To switch the focus from confidentiality and integrity to safety and availability for OT system, it is important to have a common language such as the Purdue model for technical communication.
|
Level 5: Enterprise Network Level 4: Site Business Level 3.5: DMZ Level 3: Site Operations Level 2: Area Supervisory Control Level 1: Basic Control Level 0: Process |
|
Source:
|
|
 (Source: Cooksley, 2021) |
|
Refer to the “Goals Cascade” tab of the Secure IT/OT Convergence Requirements Gathering Tool.
|
|
Readiness checklist for secure IT/OT convergence
People
|
Process
|
Technology
|
(Source: “Grid Modernization: Optimize Opportunities And Minimize Risks,” Info-Tech)
To update security strategy, it is important to actively encourage visible sponsorship across management and to provide regular updates.
 (Source: NIST SP 800-82 Rev.3, “Guide to Operational Technology (OT) Security,” NIST, 2022.) |
|
The need for asset and threat taxonomy
|
 (Source: ENISA, 2018.) |
|
The White House released an Executive Order on Improving the Nation’s Cybersecurity (EO 14028) in 2021 that establishes new requirements on the scope of protection and security policy such that it must include both IT and OT. |
This example of a policy hierarchy features templates from Info-Tech’s Develop and Deploy Security Policies and Identify the Best Framework for Your Security Policies research.
A proactive approach to security is important, so actions such as updating and testing the incident response plan for OT are a must. (“Cybersecurity Year In Review” Dragos, 2022.)
|
“Cybersecurity staff are feeling burnout and stressed to the extent that many are considering leaving their jobs.” (Danny Palmer, ZDNET News, 2022) |
|
“One area regularly observed by Dragos is a weakness in overall cyber readiness and training tailored specific to the OT environment.” (“Assessing Operational Technology,” Dragos, 2022.) |
Specific cybersecurity certification of ICS/SCADA
Other relevant certification schemes
Safety Certifications
|
 (Source: ENISA, 2015.)
|
|
 (Source: “Purdue Enterprise Reference Architecture (PERA) model,” ISA-99.)
|
|
|
Role of security metrics in a cybersecurity program (EPRI, 2017.)
|
OT interfaces with the physical world. Thus, metrics based on risks related with life, health, and safety are crucial. These metrics motivate personnel by making clear why they should care about security. (EPRI, 2017.)
|
The impact of security on the business can be measured in various metrics such as operational metrics, service level agreements (SLAs), and financial metrics. (BMC, 2022.)
|
Early detection will lead to faster remediation and less damage. Therefore, metrics such as maximum tolerable downtime (MTD) and mean time to recovery (MTR) indicate system reliability. (Dark Reading, 2022)
|
The metrics for the overall quality of security culture with indicators such as compliance and audit, vulnerability management, and training and awareness.
|
Build an Information Security StrategyInfo-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap. |
Preparing for Technology Convergence in ManufacturingInformation technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication. Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration. |
Implement a Security Governance and Management ProgramYour security governance and management program needs to be aligned with business goals to be effective. This approach also helps provide a starting point to develop a realistic governance and management program. This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum. |
|
Assante, Michael J. and Robert M. Lee. “The Industrial Control System Cyber Kill Chain.” SANS Institute, 2015. “Certification of Cyber Security Skills of ICS/SCADA Professionals.” European Union Agency for Cybersecurity (ENISA), 2015. Web. Cooksley, Mark. “The IEC 62443 Series of Standards: A Product Manufacturer‘s Perspective.” YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022. “Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017. “Cybersecurity and Physical Security Convergence.” Cybersecurity and Infrastructure Security Agency (CISA). Accessed 19 May 2022. “Cybersecurity in Operational Technology: 7 Insights You Need to Know,” Ponemon, 2019. Web. “Developing an Operational Technology and Information Technology Incident Response Plan.” Public Safety Canada, 2020. Accessed 6 Sep. 2022. |
Gilsinn, Jim. “Assessing Operational Technology (OT) Cybersecurity Maturity.” Dragos, 2021. Accessed 02 Sep. 2022. “Good Practices for Security of Internet of Things.” European Union Agency for Cybersecurity (ENISA), 2018. Web. Greenfield, David. “Is the Purdue Model Still Relevant?” AutomationWorld. Accessed 1 Sep. 2022 Hemsley, Kevin E., and Dr. Robert E. Fisher. “History of Industrial Control System Cyber Incidents.” US Department of Energy (DOE), 2018. Accessed 29 Aug. 2022. “ICS Security Related Working Groups, Standards and Initiatives.” European Union Agency for Cybersecurity (ENISA), 2013. Killcrece, Georgia, et al. “Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Software Engineering Institute, CMU, 2003. Liebig, Edward. “Security Culture: An OT Survival Story.” Dark Reading, 30 Aug. 2022. Accessed 29 Aug. 2022. |
|
O'Neill, Patrick. “Russia Hacked an American Satellite Company One Hour Before the Ukraine Invasion.” MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022. Palmer, Danny. “Your Cybersecurity Staff Are Burned Out – And Many Have Thought About Quitting.” Zdnet, 08 Aug. 2022. Accessed 19 Aug. 2022. Pathak, Parag. “What Is Threat Management? Common Challenges and Best Practices.” SecurityIntelligence, 23 Jan. 2020. Web. Raza, Muhammad. “Introduction To IT Metrics & KPIs.” BMC, 5 May 2022. Accessed 12 Sep. 2022. “Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability.” Department of Homeland Security (DHS), Oct. 2009. Web. Sharma, Ax. “Sigma Rules Explained: When and How to Use Them to Log Events.” CSO Online, 16 Jun. 2018. Accessed 15 Aug. 2022. |
“Significant Cyber Incidents.” Center for Strategic and International Studies (CSIS). Accessed 1 Sep. 2022. Tom, Steven, et al. “Recommended Practice for Patch Management of Control Systems.” Department of Homeland Security (DHS), 2008. Web. “2021 ICS/OT Cybersecurity Year In Review.” Dragos, 2022. Accessed 6 Sep. 2022. “2021 State of Operational Technology and Cybersecurity Report,” Fortinet, 2021. Web. Zetter, Kim. “Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed.” Black Hat USA, 08 Aug. 2022. Accessed 19 Aug. 2022. |
|
Jeff Campbell
Manager, Technology Shared Services Horizon Power, AU Jeff Campbell has more than 20 years' experience in information security, having worked in both private and government organizations in education, finance, and utilities sectors. Having focused on developing and implementing information security programs and controls, Jeff is tasked with enabling Horizon Power to capitalize on IoT opportunities while maintaining the core security basics of confidentiality, integrity and availability. As Horizon Power leads the energy transition and moves to become a digital utility, Jeff ensures the security architecture that supports these services provides safer and more reliable automation infrastructures. |
Christopher Harrington
Chief Technology Officer (CTO) Carolinas Telco Federal Credit Union Frank DePaola
Kwasi Boakye-Boateng
|
Agile and Service Management are not necessarily at odds; find the integration points to solve specific problems.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand how service management integrates with Agile software development practices, and how to solve the most common challenges to work efficiently and deliver business value.
Use this tool to identify your stakeholders to engage when working on the service management integration.
Use this tool to identify which of your current practices might already be aligned with Agile mindset and which might need adjustment. Identify integration challenges with the current service management practices.
Many organizations believe that once they have implemented Agile that they no longer need any service management framework, like ITIL. They see service management as "old" and a roadblock to deliver products and services quickly. The culture clash is obvious, and it is the most common challenge people face when trying to integrate Agile and service management. However, it is not the only challenge. Agile methodologies are focused on optimized delivery. However, what happens after delivery is often overlooked. Operations may not receive proper communication or documentation, and processes are cumbersome or non-existent. This is a huge paradox if an organization is trying to become nimbler. You need to find ways to integrate your Agile practices with your existing Service Management processes.
Renata Lopes
Senior Research Analyst
Organizational Transformation Practice
Info-Tech Research Group
Agile and Service Management are not necessarily at odds Find the integration points to solve specific problems.
46% of respondents identified inconsistent processes and practices across teams as a challenge.
Source: Digital.ai, 2021
43% of respondents identified Culture clashes as a challenge.
Source: Digital.ai, 2021
Agile development is an umbrella term for several iterative and incremental development methodologies to develop products.
In order to achieve Agile development, organizations will adopt frameworks and methodologies like Scaled Agile Framework (SAFe), Scrum, Large Scaled Scrum (LeSS), DevOps, Spotify Way of Working (WoW), etc.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Assess the maturity of your existing change management practice and define the scope of change management for your organization.
Build your change management team and standardized process workflows for each change type.
Bookend your change management practice by standardizing change intake, implementation, and post-implementation activities.
Form an implementation plan for the project, including a metrics evaluation, change calendar inputs, communications plan, and roadmap.
[infographic]
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Discuss the existing challenges and maturity of your change management practice.
Build definitions of change categories and the scope of change management.
Understand the starting point and scope of change management.
Understand the context of change request versus other requests such as service requests, projects, and operational tasks.
1.1 Outline strengths and challenges
1.2 Conduct a maturity assessment
1.3 Build a categorization scheme
1.4 Build a risk assessment matrix
Change Management Maturity Assessment Tool
Change Management Risk Assessment Tool
Define roles and responsibilities for the change management team.
Develop a standardized change management practice for approved changes, including process workflows.
Built the team to support your new change management practice.
Develop a formalized and right-sized change management practice for each change category. This will ensure all changes follow the correct process and core activities to confirm changes are completed successfully.
2.1 Define the change manager role
2.2 Outline the membership and protocol for the Change Advisory Board (CAB)
2.3 Build workflows for normal, emergency, and pre-approved changes
Change Manager Job Description
Change Management Standard Operating Procedure (SOP)
Change Management Process Library
Create a new change intake process, including a new request for change (RFC) form.
Develop post-implementation review activities to be completed for every IT change.
Bookend your change management practice by standardizing change intake, implementation, and post-implementation activities.
3.1 Define the RFC template
3.2 Determine post-implementation activities
3.3 Build your change calendar protocol
Request for Change Form Template
Change Management Post-Implementation Checklist
Project Summary Template
Develop a plan and project roadmap for reaching your target for your change management program maturity.
Develop a communications plan to ensure the successful adoption of the new program.
A plan and project roadmap for reaching target change management program maturity.
A communications plan ready for implementation.
4.1 Identify metrics and reports
4.2 Build a communications plan
4.3 Build your implementation roadmap
Change Management Metrics Tool
Change Management Communications Plan
Change Management Roadmap Tool
Right-size IT change management practice to protect the live environment.
Change management (change enablement, change control) is a balance of efficiency and risk. That is, pushing changes out in a timely manner while minimizing the risk of deployment. On the one hand, organizations can attempt to avoid all risk and drown the process in rubber stamps, red tape, and bureaucracy. On the other hand, organizations can ignore process and push out changes as quickly as possible, which will likely lead to change related incidents and debilitating outages.
Right-sizing the process does not mean adopting every recommendation from best-practice frameworks. It means balancing the efficiency of change request fulfillment with minimizing risk to your organization. Furthermore, creating a process that encourages adherence is key to avoid change implementers from skirting your process altogether.
Benedict Chang, Research Analyst, Infrastructure and Operations, Info-Tech Research Group
Infrastructure and application change occurs constantly and is driven by changing business needs, requests for new functionality, operational releases and patches, and resolution of incidents or problems detected by the service desk.
IT managers need to follow a standard change management process to ensure that rogue changes are never deployed while the organization remains responsive to demand.
IT system owners often resist change management because they see it as slow and bureaucratic.
At the same time, an increasingly interlinked technical environment may cause issues to appear in unexpected places. Configuration management systems are often not kept up-to-date and do not catch the potential linkages.
Infrastructure changes are often seen as “different” from application changes and two (or more) processes may exist.
Info-Tech’s approach will help you:
Two goals of change management are to protect the live environment and deploying changes in a timely manner. These two may seem to sometimes be at odds against each other, but assessing risk at multiple points of a change’s lifecycle can help you achieve both.
Having a right-sized process is not enough. You need to build and communicate the process to gather adherence. The process is useless if stakeholders are not aware of it or do not follow it.
Of the eight infrastructure & operations processes measured in Info-Tech’s IT Management and Governance Diagnostic (MGD) program, change management has the second largest gap between importance and effectiveness of these processes.
Source: Info-Tech 2020; n=5,108 IT professionals from 620 organizations
“Why should I fill out an RFC when it only takes five minutes to push through my change?”
“We’ve been doing this for years. Why do we need more bureaucracy?”
“We don’t need change management if we’re Agile.”
“We don’t have the right tools to even start change management.”
“Why do I have to attend a CAB meeting when I don’t care what other departments are doing?”
“The scope of change management is defined by each organization…the purpose of change management is to maximize the number of successful service and product changes by ensuring that the risk have been properly assessed, authorizing changes to process, and managing the change schedule.” – ALEXOS Limited, ITIL 4
Building a unified process that oversees all changes to the technical environment doesn’t have to be burdensome to be effective. However, the process is a necessary starting point to identifying cross dependencies and avoiding change collisions and change-related incidents.
Simply asking, “What is the risk?” will result in subjective responses that will likely minimize the perceived risk. The level of due diligence should align to the criticality of the systems or departments potentially impacted by the proposed changes.
Change management in isolation will provide some stability, but maturing the process through service integrations will enable data-driven decisions, decrease bureaucracy, and enable faster and more stable throughput.
Change and DevOps tend to be at odds, but the framework does not have to change. Lower risk changes in DevOps are prime candidates for the pre-approved category. Much of the responsibility traditionally assigned to the CAB can be diffused throughout the software development lifecycle.
Look for these DevOps callouts throughout this storyboard to guide you along the implementation.
Business Benefits
IT satisfaction with change management will drive business satisfaction with IT. Once the process is working efficiently, staff will be more motivated to adhere to the process, reducing the number of unauthorized changes. As fewer changes bypass proper evaluation and testing, service disruptions will decrease and business satisfaction will increase.
Change management brings daily control over the IT environment, allowing you to review every relatively new change, eliminate changes that would have likely failed, and review all changes to improve the IT environment.
Change management planning brings increased communication and collaboration across groups by coordinating changes with business activities. The CAB brings a more formalized and centralized communication method for IT.
Request for change templates and a structured process result in implementation, test, and backout plans being more consistent. Implementing processes for pre-approved changes also ensures these frequent changes are executed consistently and efficiently.
Change management processes will give your organization more confidence through more accurate planning, improved execution of changes, less failure, and more control over the IT environment. This also leads to greater protection against audits.
Source: Info-Tech 2020; n=5,108 IT Professionals from 620 organizations
Of the eight infrastructure and operations processes measured in Info-Tech’s IT Management and Governance Diagnostic (MGD) program, change management consistently has the second largest gap between importance and effectiveness of these processes.
Info-Tech’s IT Management and Governance Diagnostic (MGD) program assesses the importance and effectiveness of core IT processes. Since its inception, the MGD has consistently identified change management as an area for immediate improvement.
Source: Info-Tech 2020; n=5,108 IT Professionals from 620 organizations
No importance: 1.0-6.9
Limited importance: 7.0-7.9
Significant importance: 8.0-8.9
Critical importance: 9.0-10.0
Not in place: n/a
Not effective: 0.0-4.9
Somewhat Ineffective: 5.0-5.9
Somewhat effective: 6.0-6.9
Very effective: 7.0-10.0
Which of these have you heard in your organization?
| Reality | |
|---|---|
| “It’s just a small change; this will only take five minutes to do.” | Even a small change can cause a business outage. That small fix could impact a large system connected to the one being fixed. |
| “Ad hoc is faster; too many processes slow things down.” | Ad hoc might be faster in some cases, but it carries far greater risk. Following defined processes keeps systems stable and risk-averse. |
| “Change management is all about speed.” | Change management is about managing risk. It gives the illusion of speed by reducing downtime and unplanned work. |
| “Change management will limit our capacity to change.” | Change management allows for a better alignment of process (release management) with governance (change management). |
Change Prioritization
Change Deployment
| 1. Define Change Management | 2. Establish Roles and Workflows | 3. Define the RFC and Post-Implementation Activities | 4. Measure, Manage, and Maintain | |
|---|---|---|---|---|
| Phase Steps |
1.1 Assess Maturity 1.2 Categorize Changes and Build Your Risk Assessment |
2.1 Determine Roles and Responsibilities 2.2 Build Core Workflows |
3.1 Design the RFC 3.2 Establish Post-Implementation Activities |
4.1 Identify Metrics and Build the Change Calendar 4.2 Implement the Project |
| Change Management Standard Operating Procedure (SOP) Change Management Project Summary Template | ||||
| Phase Deliverables |
|
|
|
|
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Document your normal, pre-approved, and emergency change lifecycles with the core process workflows .
Test Drive your impact and likelihood assessment questionnaires with the Change Management Risk Assessment Tool.
Summarize your efforts in the Optimize IT Change Management Improvement Initiative: Project Summary Template.
Record your action items and roadmap your steps to a mature change management process.
Document and formalize your process starting with the change management standard operating procedure (SOP).
Define Change Management
Establish Roles and Workflows
Define RFC and Post-Implementation Activities
Measure, Manage, and Maintain
A major technology company implemented change management to improve productivity by 40%. This case study illustrates the full scope of the project.
A large technology firm experienced a critical outage due to poor change management practices. This case study illustrates the scope of change management definition and strategy.
Ignorance of change management process led to a technology giant experiencing a critical cloud outage. This case study illustrates the scope of the process phase.
A manufacturing company created a makeshift CMDB in the absence of a CMDB to implement change management. This case study illustrates the scope of change intake.
A financial institution tracked and recorded metrics to aid in the success of their change management program. This case study illustrates the scope of the implementation phase.
| Guided Implementation | Measured Vale |
|---|---|
| Phase 1: Define Change Management |
|
|
Phase 2: Establish Roles and Workflows |
|
| Phase 3: Define the RFC and Post-Implementation Activities |
|
|
Phase 4: Measure, Manage, and Maintain |
|
| Total Savings | $10,800 |
Industry: Technology
Source: Daniel Grove, Intel
Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.
With close to 4,000 changes occurring each week, managing Intel’s environment is a formidable task. Before implementing change management within the organization, over 35% of all unscheduled downtime was due to errors resulting from change and release management. Processes were ad hoc or scattered across the organization and no standards were in place.
After a robust implementation of change management, Intel experienced a number of improvements including automated approvals, the implementation of a formal change calendar, and an automated RFC form. As a result, Intel improved change productivity by 40% within the first year of the program’s implementation.
Define Change Management
↓
Establish Roles and Workflows
↓
Define RFC and Post-Implementation Activities
↓
Measure, Manage, and Maintain
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Diagnostics and consistent frameworks are used throughout all four options.
A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 to 12 calls over the course of 4 to 6 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | |
|---|---|---|---|---|---|
| Activities |
Define Change Management 1.1 Outline Strengths and Challenges 1.2 Conduct a Maturity Assessment 1.3 Build a Change Categorization Scheme 1.4 Build Your Risk Assessment |
Establish Roles and Workflows 2.1 Define the Change Manager Role 2.2 Outline CAB Protocol and membership 2.3 Build Normal Change Process 2.4 Build Emergency Change Process 2.5 Build Pre-Approved Change Process |
Define the RFC and Post-Implementation Activities 3.1 Create an RFC Template 3.2 Determine Post-Implementation Activities 3.3 Build a Change Calendar Protocol |
Measure, Manage, and Maintain 4.1 Identify Metrics and Reports 4.2 Create Communications Plan 4.3 Build an Implementation Roadmap |
Next Steps and Wrap-Up (offsite) 5.1 Complete in-progress deliverables from previous four days 5.2 Set up review time for workshop deliverables and to discuss next steps |
| Deliverables |
|
|
|
|
|
1.1 Assess Maturity
1.2 Categorize Changes and Build Your Risk Assessment
Establish Roles and Workflows
2.1 Determine Roles and Responsibilities
2.2 Build Core Workflows
Define the RFC and Post-Implementation Activities
3.1 Design the RFC
3.2 Establish Post-Implementation Activities
Measure, Manage, and Maintain
4.1 Identify Metrics and Build the Change Calendar
4.2 Implement the Project
This phase will guide you through the following steps:
This phase involves the following participants:
1.1.1 Outline the Organization’s Strengths and Challenges
1.1.2 Complete a Maturity Assessment
Step 1.1: Assess Maturity → Step 1.2: Categorize Changes and Build Your Risk Assessment
Ensure the Release Manager is present as part of your CAB. They can explain any change content or dependencies, communicate business approval, and advise the service desk of any defects.
As seen in the context diagram, change management interacts closely with many other IT processes including release management and configuration management (seen below). Ensure you delineate when these interactions occur (e.g. RFC updates and CMDB queries) and which process owns each task.
“With no controls in place, IT gets the blame for embarrassing outages. Too much control, and IT is seen as a roadblock to innovation.” – Anonymous, VP IT of a federal credit union
Download the Optimize IT Change Management Improvement Initiative: Project Summary Template
| Chaos | Reactive | Controlled |
Proactive | Optimized | |
|---|---|---|---|---|---|
| Change Requests | No defined processes for submitting changes | Low process adherence and no RFC form | RFC form is centralized and a point of contact for changes exists | RFCs are reviewed for scope and completion | RFCs trend analysis and proactive change exists |
| Change Review | Little to no change risk assessment | Risk assessment exists for each RFC | RFC form is centralized and a point of contact for changes exists | Change calendar exists and is maintained | System and component dependencies exist (CMDB) |
| Change Approval | No formal approval process exists | Approval process exists but is not widely followed | Unauthorized changes are minimal or nonexistent | Change advisory board (CAB) is established and formalized | Trend analysis exists increasing pre-approved changes |
| Post-Deployment | No post-deployment change review exists | Process exists but is not widely followed | Reduction of change-related incidents | Stakeholder satisfaction is gathered and reviewed | Lessons learned are propagated and actioned |
| Process Governance | Roles & responsibilities are ad hoc | Roles, policies & procedures are defined & documented | Roles, policies & procedures are defined & documented | KPIs are tracked, reported on, and reviewed | KPIs are proactively managed for improvement |
Reaching an optimized level is not feasible for every organization. You may be able to run a very good change management process at the Proactive or even Controlled stage. Pay special attention to keeping your goals attainable.
Download the Change Management Maturity Assessment Tool
Even Google isn’t immune to change-related outages. Plan ahead and communicate to help avoid change-related incidents
Industry: Technology
Source: The Register
As part of a routine maintenance procedure, Google engineers moved App Engine applications between data centers in the Central US to balance out traffic.
Unfortunately, at the same time that applications were being rerouted, a software update was in progress on the traffic routers, which triggered a restart. This temporarily diminished router capacity, knocking out a sizeable portion of Google Cloud.
The server drain resulted in a huge spike in startup requests, and the routers simply couldn’t handle the traffic.
As a result, 21% of Google App Engine applications hosted in the Central US experienced error rates in excess of 10%, while an additional 16% of applications experienced latency, albeit at a lower rate.
Thankfully, engineers were actively monitoring the implementation of the change and were able to spring into action to halt the problem.
The change was rolled back after 11 minutes, but the configuration error still needed to be fixed. After about two hours, the change failure was resolved and the Google Cloud was fully functional.
One takeaway for the engineering team was to closely monitor how changes are scheduled. Ultimately, this was the result of miscommunication and a lack of transparency between change teams.
1.2.1 Define What Constitutes a Change
1.2.2 Build a Change Categorization Scheme
1.2.3 Build a Classification Scheme to Assess Impact
1.2.4 Build a Classification Scheme to Define Likelihood
1.2.5 Evaluate and Adjust Your Risk Assessment Scheme
Step 1.1: Assess Maturity → Step 1.2: Categorize Changes and Build Your Risk Assessment
Successfully managed changes will optimize risk exposure, severity of impact, and disruption. This will result in the bottom-line business benefits of removal of risk, early realization of benefits, and savings of money and time.
80%
In organizations without formal change management processes, about 80% (The Visible Ops Handbook) of IT service outage problems are caused by updates and changes to systems, applications, and infrastructure. It’s crucial to track and systematically manage change to fully understand and predict the risks and potential impact of the change.
The core business of the enterprise or supporting functions may be affected.
If it’s for a local application, it’s a service request
It should usually impact more than a single user (in most cases).
Any impact on a business process is a change; adding a user or a recipient to a report or mailing list is not a change.
If it’s a new service, then it’s better described as a project.
It needs to be within the scope of IT for the change management process to apply.
As a general rule, if it takes longer than 40 hours of work to complete, it’s likely a project.
| Change | Service Request (User) | Operational Task (Backend) |
|---|---|---|
|
|
|
| Change | Project | Service Request (User) | Operational Task (Backend) | Release |
|---|---|---|---|---|
| Changing Configuration | ERP upgrade | Add new user | Delete temp files | Software release |
Download the Change Management Standard Operating Procedure (SOP).
In addition to assigning a category to each RFC based on risk assessment, each RFC should also be assigned a priority based on the impact of the change on the IT organization, in terms of the resources needed to effect the change.
Normal
Emergency
Pre-Approved
The majority of changes will be pre-approved or normal changes. Definitions of each category are provided on the next slide.
Info-Tech uses the term pre-approved rather than the ITIL terminology of standard to more accurately define the type of change represented by this category.
A potential fourth change category of expedited may be employed if you are having issues with process adherence or if you experience changes driven from outside change management’s control (e.g. from the CIO, director, judiciary, etc.) See Appendix I for more details.
Do not rush to designate changes as pre-approved. You may have a good idea of which changes may be considered pre-approved, but make sure they are in fact low-risk and well-documented before moving them over from the normal category.
| Pre-Approved | Normal | Emergency | |
|---|---|---|---|
| Definition |
|
|
|
| Trigger |
|
|
|
| Workflow |
|
|
|
| Approval |
|
|
|
Pay close attention to defining your pre-approved changes. They are going to be critical for running a smooth change management practice in a DevOps Environment
| Pre-Approved (AKA Standard) | Normal | Emergency |
|---|---|---|
|
Major
Medium
Minor
|
|
The following slides guide you through the steps of formalizing a risk assessment according to impact and likelihood:
Info-Tech Insight
All changes entail an additional level of risk. Risk is a function of impact and likelihood. Risk may be reduced, accepted, or neutralized through following best practices around training, testing, backout planning, redundancy, timing and sequencing of changes, etc.
How is risk rating determined?
Who determines priority?
How is risk rating used?
RFCs need to clearly identify the risk level of the proposed change. This can be done through statement of impact and likelihood (low/medium/high) or through pertinent questions linked with business rules to assess the risk.
Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.
| Impact | ||||
|---|---|---|---|---|
| Weight | Question | High | Medium | Low |
| 15% | # of people affected | 36+ | 11-35 | <10 |
| 20% | # of sites affected | 4+ | 2-3 | 1 |
| 15% | Duration of recovery (minutes of business time) | 180+ | 30-18 | <3 |
| 20% | Systems affected | Mission critical | Important | Informational |
| 30% | External customer impact | Loss of customer | Service interruption | None |
| LIKELIHOOD | ||||
|---|---|---|---|---|
| Weight | Question | High | Medium | Low |
| 25% | Has this change been tested? | No | Yes | |
| 10% | Have all the relevant groups (companies, departments, executives) vetted the change? | No | Partial | Yes |
| 5% | Has this change been documented? | No | Yes | |
| 15% | How long is the change window? When can we implement? | Specified day/time | Partial | Per IT choice |
| 20% | Do we have trained and experienced staff available to implement this change? If only external consultants are available, the rating will be “medium” at best. | No | Yes | |
| 25% | Has an implementation plan been developed? | No | Yes | |
Download the Change Management Rick Assessment Tool.
| # |
Change Example |
Impact |
Likelihood |
Risk |
|
1 |
ERP change |
High |
Medium |
Major |
|
2 |
Ticket system go-live |
Medium |
Low |
Minor |
|
3 |
UPS replacement |
Medium |
Low |
Minor |
|
4 |
Network upgrade |
Medium |
Medium |
Medium |
|
5 |
AD upgrade |
Medium |
Low |
Minor |
|
6 |
High availability implementation |
Low |
Medium |
Minor |
|
7 |
Key-card implementation |
Low |
High |
Medium |
|
8 |
Anti-virus update |
Low |
Low |
Minor |
|
9 |
Website |
Low |
Medium |
Minor |
The company was planning to implement a CMDB; however, full implementation was still one year away and subject to budget constraints.
Without a CMDB, it would be difficult to understand the interdependencies between systems and therefore be able to provide notifications to potentially affected user groups prior to implementing technical changes.
This could have derailed the change management project.
An Excel template was set up as a stopgap measure until the full implementation of the CMDB. The template included all identified dependencies between systems, along with a “dependency tier” for each IT service.
Tier 1: The dependent system would not operate if the upstream system change resulted in an outage.
Tier 2: The dependent system would suffer severe degradation of performance and/or features.
Tier 3: The dependent system would see minor performance degradation or minor feature unavailability.
As a stopgap measure, the solution worked well. When changes ran the risk of degrading downstream dependent systems, the impacted business system owner’s authorization was sought and end users were informed in advance.
The primary takeaway was that a system to manage configuration linkages and system dependencies was key.
While a CMDB is ideal for this use case, IT organizations shouldn’t let the lack of such a system stop progress on change management.
Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.
Intel IT supports over 65,000 servers, 3.2 petabytes of data, over 70,000 PCs, and 2.6 million emails per day.
Intel’s change management program is responsible for over 4,000 changes each week.
Due to the sheer volume of change management activities present at Intel, over 35% of unscheduled outages were the result of changes.
Ineffective change management was identified as the top contributor of incidents with unscheduled downtime.
One of the major issues highlighted was a lack of process ownership. The change management process at Intel was very fragmented, and that needed to change.
Daniel Grove, Senior Release & Change Manager at Intel, identified that clarifying tasks for the Change Manager and the CAB would improve process efficiency by reducing decision lag time. Roles and responsibilities were reworked and clarified.
Intel conducted a maturity assessment of the overall change management process to identify key areas for improvement.
For running change management in DevOps environment, see Appendix II.
Define Change Management
1.1 Assess Maturity
1.2 Categorize Changes and Build Your Risk Assessment
Establish Roles and Workflows
2.1 Determine Roles and Responsibilities
2.2 Build Core Workflows
Define RFC and Post-Implementation Activities
3.1 Design the RFC
3.2 Establish Post-Implementation Activities
Measure, Manage, and Maintain
4.1 Identify Metrics and Build the Change Calendar
4.2 Implement the Project
This phase will guide you through the following steps:
This phase involves the following participants:
2.1.1 Capture Roles and Responsibilities Using a RACI Chart
2.1.2 Determine Your Change Manager’s Responsibilities
2.1.3 Define the Authority and Responsibilities of Your CAB
2.1.4 Determine an E-CAB Protocol for Your Organization
Step 2.1: Determine Roles and Responsibilities → Step 2.2: Build Core Workflows
This step involves the following participants:
| Change Management Tasks | Originator | System Owner | Change Manager | CAB Member | Technical SME | Service Desk | CIO/ VP IT | E-CAB Member |
|---|---|---|---|---|---|---|---|---|
| Review the RFC | C | C | A | C | R | C | R | |
| Validate changes | C | C | A | C | R | C | R | |
| Assess test plan | A | C | R | R | C | I | ||
| Approve the RFC | I | C | A | R | C | I | ||
| Create communications plan | R | I | A | I | I | |||
| Deploy communications plan | I | I | A | I | R | |||
| Review metrics | C | A | R | C | I | |||
| Perform a post implementation review | C | R | A | I | ||||
| Review lessons learned from PIR activities | R | A | C |
Info-Tech Best Practice
Some organizations will not be able to assign a dedicated Change Manager, but they must still task an individual with change review authority and with ownership of the risk assessment and other key parts of the process.
1.Using the previous slide, Info-Tech’s Change Manager Job Description, and the examples below, brainstorm responsibilities for the Change Manager.
2.Record the responsibilities in Section 3.2 of your Change Management SOP.
Change Manager: James Corey
Responsibilities
Download the Change Manager Job Description
See what responsibilities in the CAB’s process are already performed by the DevOps lifecycle (e.g. authorization, deconfliction etc.). Do not duplicate efforts.
Based on the core responsibilities you have defined, the CAB needs to be composed of a diverse set of individuals who provide quality:
| CAB Representation | Value Added | |
|---|---|---|
| Business Members |
|
|
| IT Operations Members |
|
|
| CAB Attendees |
|
|
Info-Tech Best Practice
Form a core CAB (members attend every week) and an optional CAB (members who attend only when a change impacts them or when they can provide value in discussions about a change). This way, members can have their voice heard without spending every week in a meeting where they do not contribute.
1.Using the previous slide and the examples below, list the authorities and responsibilities of your CAB.
2.Record the responsibilities in section 3.3.2 of your Change Management SOP and the Project Summary Template.
| CAP Authority | CAP Responsibilities |
|---|---|
|
|
Change owner conferences with E-CAB (best efforts to reach them) through email or messaging.
E-CAB members and business system owners are provided with change details. No decision is made without feedback from at least one E-CAB member.
If business continuity is being affected, the Change Manager has authority to approve change.
Full documentation of the change (a retroactive RFC) is done after the change and is then reviewed by the CAB.
Info-Tech Best Practice
Members of the E-CAB should be a subset of the CAB who are typically quick to respond to their messages, even at odd hours of the night.
Assemble E-CAB
Assess Change
Test (if Applicable)
Deploy Change
Create Retroactive RFC
Review With CAB
2.2.1 Build a CMDB-lite as a Reference for Requested Changes
2.2.2 Create a Normal Change Process
2.2.3 Create a Pre-Approved Change Process
2.2.4 Create an Emergency Change Process
Step 2.1: Determine Roles and Responsibilities → Step 2.2: Build Core Workflows
This step involves the following participants:
Supplier
Input
Process
Output
Customer
Metrics
Controls
Dependencies
RACI
Identify all components of the change.
Ask how changes will affect:
Frame the change from a business point of view to identify potential disruptions to business activities.
Your assessment should cover:
Each new change can impact the level of service available.
Examine the impact on:
Once risk has been assessed, resources need to be identified to ensure the change can be executed.
These include:
| System | Primary Users | SME | Backup SME(s) | Business System Owner | Tier 1 Dependency (system functionality is down) | Tier 2 (impaired functionality/ workaround available) | Tier 3 Dependency (nice to have) |
|---|---|---|---|---|---|---|---|
| Enterprise | Naomi | Amos | James |
|
|
||
| Conferencing Tool | Enterprise | Alex | Shed | James |
|
|
|
| ITSM (Service Now) | Enterprise (Intl.) | Anderson | TBD | Mike |
|
|
|
| ITSM (Manage Engine) | North America | Bobbie | Joseph | Mike |
|
|
Info-Tech Best Practice
Define a list pre-approved changes and automate them (if possible) using your ITSM solution. This will save valuable time for more important changes in the queue.
Example:
| Change Category | Change Authority |
|---|---|
| Pre-approved change | Department head/manager |
| Emergency change | E-CAB |
| Normal change – low and medium risk | CAB |
| Normal change – high risk | CAB and CIO (for visibility) |
Change initiation allows for assurance that the request is in scope for change management and acts as a filter for out-of-scope changes to be redirected to the proper workflow. Initiation also assesses who may be assigned to the change and the proper category of the change, and results in an RFC to be populated before the change reaches the build and test phase.
The change trigger assessment is critical in the DevOps lifecycle. This can take a more formal role of a technical review board (TRB) or, with enough maturity, may be automated. Responsibilities such as deconfliction, dependency identification, calendar query, and authorization identification can be done early in the lifecycle to decrease or eliminate the burden on CAB.
For the full process, refer to the Change Management Process Library.
For the full process, refer to the Change Management Process Library.
For the full process, refer to the Change Management Process Library.
For the full process, refer to the Change Management Process Library.
Download the Change Management Process Library.
Info-Tech Best Practice
At the beginning of a change management process, there should be few active pre-approved changes. However, prior to launch, you may have IT flag changes for conversion.
For the full process, refer to the Change Management Process Library.
Info-Tech Best Practice
Other reasons for moving a pre-approved change back to the normal category is if the change led to an incident during implementation or if there was an issue during implementation.
Seek new pre-approved change submissions. → Re-evaluate the pre-approved change list every 4-6 months.
For the full process, refer to the Change Management Process Library.
| Sample Change | Quick Check | Emergency? |
|---|---|---|
| Install the latest critical patches from the vendor. | Are the patches required to resolve or prevent an imminent critical incident? | No |
| A virus or worm invades the network and a patch is needed to eliminate the threat. | Is the patch required to resolve or prevent an imminent critical incident? | Yes |
Info-Tech Best Practice
Change requesters should be made aware that senior management will be informed if an emergency RFC is submitted inappropriately. Emergency requests trigger urgent CAB meetings, are riskier to deploy, and delay other changes waiting in the queue.
When building your emergency change process, have your E-CAB protocol from activity 2.1.4 handy.
For the full process, refer to the Change Management Process Library.
Industry: Technology
Source: Daniel Grove, Intel
Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.
Intel IT supports over 65,000 servers, 3.2 petabytes of data, over 70,000 PCs, and 2.6 million emails per day.
Intel’s change management program is responsible for over 4,000 changes each week.
Intel identified 37 different change processes and 25 change management systems of record with little integration.
Software and infrastructure groups were also very siloed, and this no doubt contributed to the high number of changes that caused outages.
The task was simple: standards needed to be put in place and communication had to improve.
Once process ownership was assigned and the role of the Change Manager and CAB clarified, it was a simple task to streamline and simplify processes among groups.
Intel designed a new, unified change management workflow that all groups would adopt.
Automation was also brought into play to improve how RFCs were generated and submitted.
Define Change Management
1.1 Assess Maturity
1.2 Categorize Changes and Build Your Risk Assessment
Establish Roles and Workflows
2.1 Determine Roles and Responsibilities
2.2 Build Core Workflows
Define the RFC and Post-Implementation Activities
3.1 Design the RFC
3.2 Establish Post-Implementation Activities
Measure, Manage, and Maintain
4.1 Identify Metrics and Build the Change Calendar
4.2 Implement the Project
This phase will guide you through the following activities:
This phase involves the following participants:
3.1.1 Evaluate Your Existing RFC Process
3.1.2 Build the RFC Form
Step 3.1: Design the RFC
Step 3.2: Establish Post-Implementation Activities
This step involves the following participants:
Info-Tech Insight
Keep the RFC form simple, especially when first implementing change management, to encourage the adoption of and compliance with the process.
Download the Request for Change Form Template.
Draft:
Technical Build:
CAB:
Complete:
Use the RFC to point to documentation already gathered in the DevOps lifecycle to cut down on unnecessary manual work while maintaining compliance.
Info-Tech Best Practice
Technical and SME contacts should be noted in each RFC so they can be easily consulted during the RFC review.
Industry: Technology
Source: Daniel Grove, Intel
Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.
Intel IT supports over 65,000 servers, 3.2 petabytes of data, over 70,000 PCs, and 2.6 million emails per day.
Intel’s change management program is responsible for over 4,000 changes each week.
One of the crucial factors that was impacting Intel’s change management efficiency was a cumbersome RFC process.
A lack of RFC usage was contributing to increased ad hoc changes being put through the CAB, and rescheduled changes were quite high.
Additionally, ad hoc changes were also contributing heavily to unscheduled downtime within the organization.
Intel designed and implemented an automated RFC form generator to encourage end users to increase RFC usage.
As we’ve seen with RFC form design, the UX/UI of the form needs to be top notch, otherwise end users will simply circumvent the process. This will contribute to the problems you are seeking to correct.
Thanks to increased RFC usage, Intel decreased emergency changes by 50% and reduced change-caused unscheduled downtime by 82%.
3.2.1 Determine When the CAB Would Reject Tested Changes
3.2.2 Create a Post-Implementation Activity Checklist
Step 3.1: Design RFC
Step 3.2: Establish Post-Implementation Activities
This step involves the following participants:
Possible reasons the CAB would reject a change include:
Info-Tech Best Practice
Many reasons for rejection (listed above) can be caught early on in the process during the technical review or change build portion of the change. The earlier you catch these reasons for rejection, the less wasted effort there will be per change.
| Sample RFC | Reason for CAP Rejection |
|---|---|
| There was a request for an update to a system that a legacy application depends on and only a specific area of the business was aware of the dependency. | The CAB rejects it due to the downstream impact. |
| There was a request for an update to a non-supported application, and the vendor was asking for a premium support contract that is very costly. | It’s too expensive to implement, despite the need for it. The CAB will wait for an upgrade to a new application. |
| There was a request to update application functionality to a beta release. | The risk outweighs the business benefits. |
The implementation phase is the final checkpoint before releasing the new change into your live environment. Once the final checks have been made to the change, it’s paramount that teams work together to transition the change effectively rather than doing an abrupt hand-off. This could cause a potential outage.
1.
Implement change →
2.
A backout plan needs to contain a record of the steps that need to be taken to restore the live environment back to its previous state and maintain business continuity. A good backout plan asks the following questions:
Notify the Service Desk
Disable Access
Conduct Checks
Enable User Access
Notify the Service Desk
Info-Tech Best Practice
As part of the backout plan, consider the turnback point in the change window. That is, the point within the change window where you still have time to fully back out of the change.
Update the service catalog with new information as a result of the implemented change.
Update new dependencies present as a result of the new change.
Add notes about any assets newly affected by changes.
Update your map based on the new change.
Update your technical documentation to reflect the changes present because of the new change.
Update your training documentation to reflect any information about how users interact with the change.
Info-Tech Best Practice
Review PIR reports at CAB meetings to highlight the root causes of issues, action items to close identified gaps, and back-up documentation required. Attach the PIR report to the relevant RFC to prevent similar changes from facing the same issues in the future.
| Frequency | Part of weekly review (IT team meeting) |
| Participants |
|
|
Categories under review |
Current deviations and action items from previous PIR:
|
| Output |
|
| Controls |
|
Download the Change Management Post-Implementation Checklist
Industry: Technology
Source: Jason Zander, Microsoft
In November 2014, Microsoft deployed a change intended to improve Azure storage performance by reducing CPU footprint of the Azure Table Front-Ends.
The deployment method was an incremental approach called “flighting,” where software and configuration deployments are deployed incrementally to Azure infrastructure in small batches.
Unfortunately, this software deployment caused a service interruption in multiple regions.
Before the software was deployed, Microsoft engineers followed proper protocol by testing the proposed update. All test results pointed to a successful implementation.
Unfortunately, engineers pushed the change out to the entire infrastructure instead of adhering to the traditional flighting protocol.
Additionally, the configuration switch was incorrectly enabled for the Azure Blob storage Front-Ends.
A combination of the two mistakes exposed a bug that caused the outage.
Thankfully, Microsoft had a backout plan. Within 30 minutes, the change was rolled back on a global scale.
It was determined that policy enforcement was not integrated across the deployment system. An update to the system shifted the process of policy enforcement from human-based decisions and protocol to automation via the deployment platform.
Defined PIR activities enabled Microsoft to take swift action against the outage and mitigate the risk of a serious outage.
Define Change Management
1.1 Assess Maturity
1.2 Categorize Changes and Build Risk Assessment
Establish Roles and Workflows
2.1 Determine Roles and Responsibilities
2.2 Build Core Workflows
Define RFC and Post-Implementation Activities
3.1 Design RFC
3.2 Establish post-implementation activities
Measure, Manage, and Maintain
4.1 Identify Metrics and Build the Change Calendar
4.2 Implement the Project
This phase will guide you through the following activities:
This phase involves the following participants:
4.1.1 Create an Outline for Your Change Calendar
4.1.2 Determine Metrics, Key Performance Indicators (KPIs), and Critical Success Factors (CSFs)
4.1.3 Track and Record Metrics Using the Change Management Metrics Tool
Step 4.1: Identify Metrics and Build the Change Calendar
Step 4.2: Implement the Project
This step involves the following participants:
“The one who has more clout or authority is usually the one who gets changes scheduled in the time frame they desire, but you should really be evaluating the impact to the organization. We looked at the risk to the business of not doing the change, and that’s a good way of determining the criticality and urgency of that change.” – Joseph Sgandurra, Director, Service Delivery, Navantis
Info-Tech Insight
Avoid a culture where powerful stakeholders are able to push change deployment on an ad hoc basis. Give the CAB the full authority to make approval decisions based on urgency, impact, cost, and availability of resources.
“Our mantra is to put it on the calendar. Even if it’s a preapproved change and doesn’t need a vote, having it on the calendar helps with visibility. The calendar is the one-stop shop for scheduling and identifying change dependencies.“ – Wil Clark, Director of Service and Performance Management, University of North Texas Systems
The change calendar is a critical pre-requisite to change management in DevOps. Use the calendar to be proactive with proposed implementation dates and deconfliction before the change is finished.
Info-Tech Insight
Start simple. Metrics can be difficult to tackle if you’re starting from scratch. While implementing your change management practice, use these three metrics as a starting point, since they correlate well with the success of change management overall. The following few slides provide more insight into creating metrics for your change process.
Purposely use SDLC and change lifecycle metrics to find bottlenecks and automation candidates.
Metrics are easily measured datapoints that can be pulled from your change management tool. Examples: Number of changes implemented, number of changes without incident.
Key Performance Indicators are metrics presented in a way that is easily digestible by stakeholders in IT. Examples: Change efficiency, quality of changes.
Critical Success Factors are measures of the business success of change management taken by correlating the CSF with multiple KPIs. Examples: consistent and efficient change management process, a change process mapped to business needs
| Metric/Report (by team) | Benefit |
|---|---|
| Total number of RFCs and percentages by category (pre-approved, normal, emergency, escalated support, expedited) |
|
| Pre-approved change list (and additions/removals from the list) | Workload and process streamlining (i.e. reduce “red tape” wherever possible) |
| Average time between RFC lifecycle stages (by service/application) | Advance planning for proposed changes |
| Number of changes by service/application/hardware class |
|
| Change triggers | Business- vs. IT-initiated change |
| Number of RFCs by lifecycle stage | Workload planning |
| List of incidents related to changes | Visible failures of the CM process |
| Percentage of RFCs with a tested backout/validation plan | Completeness of change planning |
| List of expedited changes | Spotlighting poor planning and reducing the need for this category going forward (“The Hall of Shame”) |
| CAB approval rate | Change coordinator alignment with CAB priorities – low approval rate indicates need to tighten gatekeeping by the change coordinator |
| Calendar of changes | Planning |
| Ref # | Metric |
|---|---|
|
M1 |
Number of changes implemented for a time period |
| M2 | Number of changes successfully implemented for a time period |
| M3 | Number of changes implemented causing incidents |
| M4 | Number of accepted known errors when change is implemented |
| M5 | Total days for a change build (specific to each change) |
| M6 | Number of changes rescheduled |
| M7 | Number of training questions received following a change |
| Ref# | KPI | Product |
|---|---|---|
| K1 | Successful changes for a period of time (approach 100%) | M2 / M1 x 100% |
| K2 | Changes causing incidents (approach 0%) | M3 / M1 x 100% |
| K3 | Average days to implement a change | ΣM5 / M1 |
| K4 | Change efficiency (approach 100%) | [1 - (M6 / M1)] x 100% |
| K5 | Quality of changes being implemented (approach 100%) | [1 - (M4 / M1)] x 100% |
| K6 | Change training efficiency (approach 100%) | [1 - (M7 / M1)] x 100% |
| Ref# | CSF | Indicator |
|---|---|---|
| C1 | Successful change management process producing quality changes | K1, K5 |
| C2 | Consistent efficient change process | K4, K6 |
| C3 | Change process maps to business needs | K5, K6 |
Info-Tech Best Practice
Make sure you’re measuring the right things and considering all sources of information. It’s very easy to put yourself in a position where you’re congratulating yourselves for improving on a specific metric such as number of releases per month, but satisfaction remains low.
Tracking the progress of metrics is paramount to the success of any change management process. Use Info-Tech’s Change Management Metrics Tool to record metrics and track your progress. This tool is intended to be a substitute for organizations who do not have the capability to track change-related metrics in their ITSM tool.
Download the Change Management Metrics Tool
Industry: Federal Credit Union (anonymous)
Source: Info-Tech Workshop
At this federal credit union, the VP of IT wanted a tight set of metrics to engage with the business, communicate within IT, enable performance management of staff, and provide visibility into workload demands, among other requirements.
The organization was suffering from “metrics fatigue,” with multiple reports being generated from all groups within IT, to the point that weekly/monthly reports were being seen as spam.
Stakeholders were provided with an overview of change management benefits and were asked to identify one key attribute that would be useful to their specific needs.
Metrics were designed around the stakeholder needs, piloted with each stakeholder group, fine-tuned, and rolled out.
Some metrics could not be automated off-the-shelf and were rolled out in a manual fashion. These metrics were subsequently automated and finally made available through a dashboard.
The business received clear guidance regarding estimated times to implement changes across different elements of the environment.
The IT managers were able to plan team workloads with visibility into upstream change activity.
Architects were able to identify vendors and systems that were the leading source of instability.
The VP of IT was able to track the maturity growth of the change management process and proactively engage with the business on identified hot spots.
4.2.1 Use a Communications Plan to Gain End User Buy-In
4.2.2 Create a Project Roadmap to Track Your Implementation Progress
Step 4.1: Identify Metrics and Build the Change Calendar
Step 3.2: Implement the Project
This step involves the following participants:
Change management provides value by promptly evaluating and delivering changes required by the business and by minimizing disruption and rework caused by failed changes. Communication of your new change management process is key. If people do not understand the what and why, it will fail to provide the desired value.
Info-Tech Best Practice
Gather feedback from end users about the new process: if the process is too bureaucratic, end users are more likely to circumvent it.
Info-Tech Insight
The success of change communication can be measured by monitoring the number of service desk tickets related to a change that was not communicated to users.
Why? What problems are you trying to solve?
What? What processes will it affect (that will affect me)?
Who? Who will be affected? Who do I go to if I have issues with the new process?
When? When will this be happening? When will it affect me?
How? How will these changes manifest themselves?
Goal? What is the final goal? How will it benefit me?
Info-Tech Insight
Pay close attention to the medium of communication. For example, stakeholders on their feet all day would not be as receptive to an email communication compared to those who primarily work in front of a computer. Put yourself into various stakeholders’ shoes to craft a tailored communication of change management.
| Group | Benefits | Impact | Method | Timeline |
|---|---|---|---|---|
| IT | Standardized change process | All changes must be reviewed and approved | Poster campaign | 6 months |
| End Users | Decreased wait time for changes | Formal process for RFCs | Lunch-and-learn sessions | 3 months |
| Business | Reduced outages | Increased involvement in planning and approvals | Monthly reports | 1 year |
Download the Change Management Communications Plan
Know your audience:
Info-Tech Insight
The support of senior executive stakeholders is critical to the success of your SOP rollout. Try to wow them with project benefits and make sure they know about the risks/pain points.
Download the Change Management Project Summary Template
Download the Change Management Roadmap Tool
Industry: Technology
Source: Daniel Grove, Intel
Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.
Intel IT supports over 65,000 servers, 3.2 petabytes of data, over 70,000 PCs, and 2.6 million emails per day.
Intel’s change management program is responsible for over 4,000 changes each week.
Intel had its new change management program in place and the early milestones planned, but one key challenge with any new project is communication.
The company also needed to navigate the simplification of a previously complex process; end users could be familiar with any of the 37 different change processes or 25 different change management systems of record.
Top-level buy-in was another concern.
Intel first communicated the process changes by publishing the vision and strategy for the project with top management sponsorship.
The CIO published all of the new change policies, which were supported by the Change Governance Council.
Intel cited the reason for success as the designation of a Policy and Guidance Council – a group designed to own communication and enforcement of the new policies and processes put in place.
You now have an outline of your new change management process. The hard work starts now for an effective implementation. Make use of the communications plan to socialize the new process with stakeholders and the roadmap to stay on track.
Remember as you are starting your implementation to keep your documents flexible and treat them as “living documents.” You will likely need to tweak and refine the processware and templates several times to continually improve the process. Furthermore, don’t shy away from seeking feedback from your stakeholders to gain buy-in.
Lastly, keep an eye on your progress with objective, data-driven metrics. Leverage the trends in your data to drive your decisions. Be sure to revisit the maturity assessment not only to measure and visualize your progress, but to gain insight into your next steps.
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic office in Toronto, Ontario, Canada to participate in an innovative onsite workshop.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
The following are sample activities that will be conducted by Info-Tech analysts with your team:
Run through the change management maturity assessment with tailored commentary for each action item outlining context and best practices.
Build a normal change process using Info-Tech’s Change Management Process Library template with an analyst helping you to right size the process for your organization.
Improve customer service by driving consistency in your support approach and meeting SLAs.
Maintain both speed and control while improving the quality of deployments and releases within the infrastructure team.
Don’t let persistent problems govern your department.
AXELOS Limited. ITIL Foundation: ITIL 4th edition. TSO, 2019, pp. 118–120.
Behr, Kevin and George Spafford. The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps. IT Revolution Press. 2013.
BMC. “ITIL Change Management.” BMC Software Canada, 22 December 2016.
Brown, Vance. “Change Management: The Greatest ROI of ITIL.” Cherwell Service Management.
Cisco. “Change Management: Best Practices.” Cisco, 10 March 2008.
Grove, Daniel. “Case Study ITIL Change Management Intel Corporation.” PowerShow, 2005.
ISACA. “COBIT 5: Enabling Processes.” ISACA, 2012.
Jantti, M. and M. Kainulainen. “Exploring an IT Service Change Management Process: A Case Study.” ICDS 2011: The Fifth International Conference on Digital Society, 23 Feb. 2011.
Murphy, Vawns. “How to Assess Changes.” The ITSM Review, 29 Jan. 2016.
Nyo, Isabel. “Best Practices for Change Management in the Age of DevOps.” Atlassian Engineering, 12 May 2021.
Phillips, Katherine W., Katie A. Liljenquist, and Margaret A. Neale. “Better Decisions Through Diversity.” Kellogg Insight, 1 Oct. 2010.
Pink Elephant. “Best Practices for Change Management.” Pink Elephant, 2005.
Sharwood, Simon. “Google broke its own cloud by doing two updates at once.” The Register, 24 Aug. 2016.
SolarWinds. “How to Eliminate the No: 1 Cause of Network Downtime.” SolarWinds Tech Tips, 25 Apr. 2014.
The Stationery Office. “ITIL Service Transition: 2011.” The Stationary Office, 29 July 2011.
UCISA. “ITIL – A Guide to Change Management.” UCISA.
Zander, Jason. “Final Root Cause Analysis and Improvement Areas: Nov 18 Azure Storage Service Interruption.” Microsoft Azure: Blog and Updates, 17 Dec. 2014.
In many organizations, there are changes which may not fit into the three prescribed categories. The reason behind why the expedited category may be needed generally falls between two possibilities:
For the full process, refer to the Change Management Process Library.
The core tenets of change management still apply no matter the type of development environment an organization has. Changes in any environment carry risk of degrading functionality, and must therefore be vetted. However, the amount of work and rigor put into different stages of the change life cycle can be altered depending on the maturity of the development workflows. The following are several stage gates for change management that MUST be considered if you are a DevOps or Agile shop:
"Understand that process is hard and finding a solution that fits every need can be tricky. With this change management process we do not try to solve every corner case so much as create a framework by which best judgement can be used to ensure maximum availability of our platforms and services while still complying with our regulatory requirements and making positive changes that will delight our customers.“ -IT Director, Information Cybersecurity Organization
The core differences between an Agile or DevOps transition and a traditional approach are the restructuring and the team behind it. As a result, the stakeholders of change management must be onboard for the process to work. This is the most difficult problem to solve if it’s an issue, but open avenues of feedback for a process build is a start.
Automation comes in many forms and is well documented in many development workflows. Having automated signoffs for QA/security checks and stakeholders/cross dependency owner sign offs may not fully replace the CAB but can ease the burden on discussions before implementation.
Canary releases, phased releases, dark releases, and toggles are all options you can employ to reduce risk during a release. Furthermore, building in contingencies to the test/rollback plan decreases the risk of the change by decreasing the factor of likelihood.
Building change from the ground up doesn’t meant the process has to be fully fledged before launch. Iterative improvements are possible before achieving an optimal state. Having the proper metrics on the pain points and bottlenecks in the process can identify areas for automation and improvement.
Conducting the appropriate due diligence on your vendor’s account team is as important as the due diligence you put into the vendor. Ongoing management of the account team should follow the lifecycle of the vendor relationship.
Understanding your vendor team’s background, experience, and strategic approach to your account is key to the management of the relationship, the success of the vendor agreement, and, depending on the vendor, the success of your business.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Learn how to best qualify that you have the right team for your business needs, using the accompanying tools to measure and monitor success throughout the relationship.
The Vendor Rules of Engagement template will help you develop your written expectations for the vendor for how they will interact with your business and stakeholders.
Evaluate your vendor account teams using this template to gather stakeholder feedback on vendor performance.
IT professionals interact with vendor account teams on a regular basis. You may not give it much thought, but do you have a good understanding of your rep’s ability to support/service your account, in the manner you expect, for the best possible outcome? The consequences to your business of an inappropriately assigned and poorly trained account team can have a disastrous impact on your relationship with the vendor, your business, and your budget. Doing the appropriate due diligence with your account team is as important as the due diligence you should put into the vendor. And, of course, ongoing management of the account team relationship is vital. Here we will share how best to qualify that you have the right team for your business needs as well as how to measure and monitor success throughout the relationship.
 |
Donna Glidden
|
Your Challenge
|
Common Obstacles
|
Info-Tech’s Approach
|
Understanding your vendor team’s background, their experience, and their strategic approach to your account is key to the management of the relationship, the success of the vendor agreement, and, depending on the vendor, the success of your business.
IT Benefits
|
Mutual IT and
|
Business Benefits
|
Conducting the appropriate due diligence on your vendor’s account team is as important as the due diligence you put into the vendor. Ongoing management of the account team should follow the lifecycle of the vendor relationship.
Introductory/RFP phase
|
Contract phase
|
Vendor management phase
|
| Tactical insight
Don’t forget to look at your organization’s role in how well the account team is able to perform to your expectations. |
Tactical insight
Measure to manage – what are the predetermined criteria that you will measure the account team’s success against? |
(Source: Spotio) | Info-Tech InsightRemember to examine the inadequacies of vendor training as part of the root cause of why the account team may lack substance. |
Why it matters1.8 yearsis the average tenure for top ten tech companies2.6 years is the average experience required to hire. 2.4 years is the average account executive tenure. 44% of reps plan to leave their job within two years. The higher the average contract value, the longer the tenure. More-experienced account reps tend to stay longer. (Source: Xactly, 2021) |
 |
You are always going to be engaged in training your rep, so be prepared.
|
When you formalize your expectations regarding vendor contact with your organization and create structure around it, vendors will take notice.
Consider a standard intake process for fielding vendor inquiries and responding to requests for meetings to save yourself the headaches that come with trying to keep up with them. Stakeholder teams, IT, and Procurement need to be on the same page in this regard to avoid missteps in the important introductory phase of dealing with vendors and the resulting confusion on the part of vendor account teams when they get mixed messages and feel “passed around.” |
| If vendors know you have no process to track their activities, they’ll call who they want when they want, and the likelihood of them having more information about your business than you about theirs is significant.
Vendor contacts are made in several ways:
Things to consider:
|
Not every vendor contact will result in an “engagement” such as invitation to an RFP or a contract for business. As such, we recommend that you set up an intake process to track/manage supplier inquiries so that when you are ready to engage, the vendor teams will be set up to work according to your expectations. |
What are your ongoing expectations for the account team?
|
 |
Even if you don’t have a vendor management initiative in place, consider these steps to manage both new and legacy vendor relationships:
|
|
What your account team doesn’t say is equally important as what they do say. For example, an account rep with high influence says, “I can get that for you” vs. “I'll get back to you.” Pay attention to the level of detail in their responses to you – it references how well they are networked within their own organization.
|
|||||||||
 |
|||||||||
Effective
|
Ineffective
|
|
A little recognition goes a long way in reinforcing a positive vendor relationship. |
Don’t forget to put the relationship in vendor relationship management – give a simple “Thank you for your support” to the account team from executive management.
An ineffective rep can take your time and attention away from more important activities.
|
“Addressing poor performance is an important aspect of supplier management, but prevention is even more so.” (Logistics Bureau) |
|
|
Qualify the account team as you would the vendor – get to know their background and history. |
| Articulate your vendor expectations in writing
Clearly document your expectations via formal rules of engagement for vendor teams in order to outline how they are expected to interact with your business and stakeholders. This can have a positive impact on your vendor and stakeholder relationships and enable you to gain control of:
Include the rules in your RFXs and contracts to formalize your expectations. See the Vendor Rules of Engagement template included with this research. Download the Vendor Rules of Engagement template |
 |
Measure stakeholder feedback to ensure your account team is on target to meet your needs.
 Download the Evalu-Rate Your Account Team tool |
|
DO
|
DON'T
|
Upon completion of this blueprint, Guided Implementation, or workshop, your team should have a comprehensive, well-defined, end-to-end approach to evaluating and managing your account team. Leveraging Info-Tech’s industry-proven tools and templates provides your organization with an effective approach to establishing, maintaining, and evaluating your vendor account team; improving your vendor and stakeholder communications; and maintaining control of the client/vendor relationship.
Additionally, your team will have a foundation to execute your vendor management principles. These principles will assist your organization in ensuring you receive the perceived value from the vendor as a result of your vendor account team evaluation process.
Contact your account representative for more information.
“14 Essential Qualities of a Good Salesperson.” Forbes, 5 Oct. 2021. Accessed 11 March 2022.
“149 Eye-Opening Sales Stats to Consider.” Spotio, 30 Oct. 2018. Accessed 11 March 2022.
“35 Sales Representative Interview Questions and Answers.” Indeed, 29 Oct. 2021. Accessed 8 March 2022.
“8 Intelligent Questions for Evaluating Your Sales Reps Performance” Inc., 16 Aug. 2016. Accessed 9 March 2022.
Altschuler, Max. “Reality Check: You’re Probably A Bad Salesperson If You Possess Any Of These 11 Qualities.” Sales Hacker, 9 Jan. 2018. Accessed 4 May 2022.
Bertuzzi, Matt. “Account Executive Data Points in the SaaS Marketplace.” Treeline, April 12, 2017. Accessed 9 March 2022. “Appreciation Letter to Vendor – Example, Sample & Writing Tips.” Letters.org, 10 Jan. 2020. Web.
D’Entremont, Lauren. “Are Your Sales Reps Sabotaging Your Customer Success Without Realizing It?” Proposify, 4 Dec. 2018. Accessed 7 March 2022.
Freedman, Max. “14 Important Traits of Successful Salespeople.” Business News Daily, 14 April 2022. Accessed 10 April 2022.
Hansen, Drew. “6 Tips For Hiring Your Next Sales All-Star.” Forbes, 16 Oct. 2012. Web.
Hulland, Ryan. “Getting Along with Your Vendors.” MonMan, 12 March 2014. Accessed 9 March 2022.
Lawrence, Jess. “Talking to Vendors: 10 quick tips for getting it right.” Turbine, 30 Oct. 2018. Accessed 11 March 2022.
Lucero, Karrie. “Sales Turnover Statistics You Need To Know.” Xactly, 24 Aug. 2021. Accessed 9 March 2022.
Noyes, Jesse. “4 Qualities to Look For in Your Supplier Sales Representative.” QSR, Nov. 2017. Accessed 9 March 2022.
O’Byrne, Rob. “How To Address Chronic Poor Supplier Performance.” Logistics Bureau, 26 July 2016. Accessed 4 May 2022.
O'Brien, Jonathan. Supplier Relationship Management: Unlocking the Hidden Value in Your Supply Base. Kogan Page, 2014.
Short, Alex. “Three Things You Should Consider to Become A Customer of Choice.” Vizibl, 29 Oct. 2021. Web.
Wayshak, Marc. “18 New Sales Statistics for 2022 from Our Groundbreaking Study!” Sales Insights Lab, 28 March 2022. Web.
“What Does a Good Customer Experience Look Like In Technology?” Virtual Systems, 23 June 2021. Accessed 10 March 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Plan out your employee engagement program and launch the Employee Experience Monitor survey for your team.
Interpret your Employee Experience Monitor results, understand what they mean in the context of your team, and involve your staff in brainstorming engagement initiatives.
Select engagement initiatives for maximal impact, create an action plan, and establish open and ongoing communication about engagement with your team.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Set up the EXM and collect a few months of data to build on during the workshop.
Arm yourself with an index of employee experience and candid feedback from your team to use as a starting point for your engagement program.
1.1 Identify EXM use case.
1.2 Identify engagement program goals and obstacles.
1.3 Launch EXM.
Defined engagement goals.
EXM online dashboard with three months of results.
To understand the current state of engagement and prepare to discuss the drivers behind it with your staff.
Empower your leadership team to take charge of their own team's engagement.
2.1 Review EXM results to understand employee experience.
2.2 Finalize focus group agendas.
2.3 Train managers.
Customized focus group agendas.
Establish an open dialogue with your staff to understand what drives their engagement.
Understand where in your team’s experience you can make the most impact as an IT leader.
3.1 Identify priority drivers.
3.2 Identify engagement KPIs.
3.3 Brainstorm engagement initiatives.
3.4 Vote on initiatives within teams.
Summary of focus groups results
Identified engagement initiatives.
Learn the characteristics of successful engagement initiatives and build execution plans for each.
Choose initiatives with the greatest impact on your team’s engagement, and ensure you have the necessary resources for success.
4.1 Select engagement initiatives with IT leadership.
4.2 Discuss and decide on the top five engagement initiatives.
4.3 Create initiative project plans.
4.4 Build detailed project plans.
4.5 Present project plans.
Engagement project plans.
