Create a Right-Sized Disaster Recovery Plan

Close the gap between your DR capabilities and service continuity requirements.

ANALYST PERSPECTIVE

An effective disaster recovery plan (DRP) is not just an insurance policy.

"An effective DRP addresses common outages such as hardware and software failures, as well as regional events, to provide day-to-day service continuity. It’s not just insurance you might never cash in. Customers are also demanding evidence of an effective DRP, so organizations without a DRP risk business impact not only from extended outages but also from lost sales. If you are fortunate enough to have executive buy-in, whether it’s due to customer pressure or concern over potential downtime, you still have the challenge of limited time to dedicate to disaster recovery (DR) planning. Organizations need a practical but structured approach that enables IT leaders to create a DRP without it becoming their full-time job."

Frank Trovato,

Research Director, Infrastructure

Info-Tech Research Group

Is this research for you?

This Research Is Designed For:

• Senior IT management responsible for executing DR.
• Organizations seeking to formalize, optimize, or validate an existing DRP.
• Business continuity management (BCM) professionals leading DRP development.

This Research Will Help You:

• Create a DRP that is aligned with business requirements.
• Prioritize technology enhancements based on DR requirements and risk-impact analysis.
• Identify and address process and technology gaps that impact DR capabilities and day-to-day service continuity.

This Research Will Also Assist:

• Executives who want to understand the time and resource commitment required for DRP.
• Members of BCM and crisis management teams who need to understand the key elements of an IT DRP.

This Research Will Help Them:

• Scope the time and effort required to develop a DRP.
• Align business continuity, DR, and crisis management plans.

Executive summary

Situation

• Any time a natural disaster or major IT outage occurs, it increases executive awareness and internal pressure to create a DRP.
• Industry standards and government regulations are driving external pressure to develop business continuity and IT DR plans.
• Customers are asking suppliers and partners to provide evidence that they have a workable DRP before agreeing to do business.

Complication

• Traditional DRP templates are onerous and result in a lengthy, dense plan that might satisfy auditors, but will not be effective in a crisis.
• The myth that a DRP is only for major disasters leaves organizations vulnerable to more common incidents.
• The growing use of outsourced infrastructure services has increased reliance on vendors to meet recovery timeline objectives.

Resolution

• Create an effective DRP by following a structured process to discover current capabilities and define business requirements for continuity:
  • Define appropriate objectives for service downtime and data loss based on business impact.
  • Document an incident response plan that captures all of the steps from event detection to data center recovery.
  • Create a DR roadmap to close gaps between current DR capabilities and recovery objectives.

Info-Tech Insight

1. At its core, DR is about ensuring service continuity. Create a plan that can be leveraged for both isolated and catastrophic events.
2. Remember Murphy’s Law. Failure happens. Focus on improving overall resiliency and recovery, rather than basing DR on risk probability analysis.
3. Cost-effective DR and service continuity starts with identifying what is truly mission critical so you can focus resources accordingly. Not all services require fast failover.

An effective DRP is critical to reducing the cost of downtime

If you don’t have an effective DRP when failure occurs, expect to face extended downtime and exponentially rising costs due to confusion and lack of documented processes.

Potential Lost Revenue

The impact of downtime tends to increase exponentially as systems remain unavailable (graph at left). A current, tested DRP will significantly improve your ability to execute systems recovery, minimizing downtime and business impact. Without a DRP, IT is gambling on its ability to define and implement a recovery strategy during a time of crisis. At the very least, this means extended downtime – potentially weeks or months – and substantial business impact.

Adapted from: Philip Jan Rothstein, 2007

Cost of Downtime for the Fortune 1000

Cost of unplanned apps downtime per year: $1.25B to $2.5B.

Cost of critical apps failure per hour: $500,000 to $1M.

Cost of infrastructure failure per hour: $100,000.

35% reported to have recovered within 12 hours.

17% of infrastructure failures took more than 24 hours to recover.

13% of application failures took more than 24 hours to recover.

Source: Stephen Elliot, 2015

Info-Tech Insight

The cost of downtime is rising across the board, and not just for organizations that traditionally depend on IT (e.g. e-commerce). Downtime cost increase since 2010:

Hospitality: 129% increase

Transportation: 108% increase

Media organizations: 104% increase

An effective DRP also sets clear recovery objectives that align with system criticality to optimize spend

Take a practical approach that creates a more concise and actionable DRP

DR planning is not your full-time job, so it can’t be a resource- and time-intensive process.

DR must be integrated with day-to-day incident management to ensure service continuity

When a tornado takes out your data center, it’s an obvious DR scenario and the escalation towards declaring a disaster is straightforward.

The challenge is to be just as decisive in less-obvious (and more common) DR scenarios such as a critical system hardware/software failure, and knowing when to move from incident management to DR. Don’t get stuck troubleshooting for days when you could have failed over in hours.

Bridge the gap with clearly-defined escalation rules and criteria for when to treat an incident as a disaster.

Source: Info-Tech Research Group; N=92

Myth busted: The DRP is separate from day-to-day ops and incident management.

The most common threats to service continuity are hardware and software failures, network outages, and power outages

Source: Info-Tech Research Group; N=87

Info-Tech Insight

Does this mean I don’t need to worry about natural disasters? No. It means DR planning needs to focus on overall service continuity, not just major disasters. If you ignore the more common but less dramatic causes of service interruptions, you are diminishing the business value of a DRP.

Myth busted: DRPs are just for destructive events – fires, floods, and natural disasters.

DR isn’t about identifying risks; it’s about ensuring service continuity

The traditional approach to DR starts with an in-depth exercise to identify risks to IT service continuity and the probability that those risks will occur.

Here’s why starting with a risk register is ineffective:

• Odds are, you won’t think of every incident that might occur. If you think of twenty risks, it’ll be the twenty-first that gets you. If you try to guard against that twenty-first risk, you can quickly get into cartoonish scenarios and much more costly solutions.
• The ability to failover to another site mitigates the risk of most (if not all) incidents (fire, flood, hardware failure, tornado, etc.). A risk and probability analysis doesn’t change the need for a plan that includes a failover procedure.

Where risk is incorporated in this methodology:

• Use known risks to further refine your strategy (e.g. if you are prone to hurricanes, plan for greater geographic separation between sites; ensure you have backups, in addition to replication, to mitigate the risk of ransomware).
• Identify risks to your ability to execute DR (e.g. lack of cross-training, backups that are not tested) and take steps to mitigate those risks.

Myth busted: A risk register is the critical first step to creating an effective DR plan.

You can’t outsource accountability and you can’t assume your vendor’s DR capabilities meet your needs

Outsourcing infrastructure services – to a cloud provider, co-location provider, or managed service provider (MSP) – can improve your DR and service continuity capabilities. For example, a large public cloud provider will generally have:

• Redundant telecoms service providers, network infrastructure, power feeds, and standby power.
• Round-the-clock infrastructure and security monitoring.
• Multiple data centers in a given region, and options to replicate data and services across regions.

Still, failure is inevitable – it’s been demonstrated multiple times1 through high-profile outages. When you surrender direct control of the systems themselves, it’s your responsibility to ensure the vendor can meet your DR requirements, including:

• A DR site and acceptable recovery times for systems at that site.
• An acceptable replication/backup schedule.

Sources: Kyle York, 2016; Shaun Nichols, 2017; Stephen Burke, 2017

Myth busted: I outsource infrastructure services so I don’t have to worry about DR. That’s my vendor’s responsibility.

Choose flowcharts over process guides, checklists over procedures, and diagrams over descriptions

IT DR is not an airplane disaster movie. You aren’t going to ask a business user to execute a system recovery, just like you wouldn’t really want a passenger with no flying experience to land a plane.

In reality, you write a DR plan for knowledgeable technical staff, which allows you to summarize key details your staff already know. Concise, visual documentation is:

• Quicker to create.
• Easier to use.
• Simpler to maintain.

"Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow."

– Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management

Source: Info-Tech Research Group; N=95

*DR Success is based on stated ability to meet recovery time objectives (RTOs) and recovery point objectives (RPOs), and reported confidence in ability to consistently meet targets.

Myth busted: A DRP must include every detail so anyone can execute recovery.

A DRP is part of an overall business continuity plan

A DRP is the set of procedures and supporting documentation that enables an organization to restore its core IT services (i.e. applications and infrastructure) as part of an overall business continuity plan (BCP), as described below. Use the templates, tools, and activities in this blueprint to create your DRP.

Note: For DRP, we focus on business-facing IT services (as opposed to the underlying infrastructure), and then identify required infrastructure as dependencies (e.g. servers, databases, network).

Take a practical but structured approach to creating a concise and effective DRP

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Info-Tech advisory services deliver measurable value

Info-Tech members save an average of $22,983 and 22 days by working with an Info-Tech analyst on DRP (based on client response data from Info-Tech Research Group’s Measured Value Survey, following analyst advisory on this blueprint).

Why do members report value from analyst engagement?

1. Expert advice on your specific situation to overcome obstacles and speed bumps.
2. Structured project and guidance to stay on track.
3. Project deliverables review to ensure the process is applied properly.

Guided implementation overview

Your trusted advisor is just a call away.

Define DRP scope (Call 1)

Scope requirements, objectives, and your specific challenges. Identify applications/ systems to focus on first.

Define current status and system dependencies (Calls 2-3)

Assess current DRP maturity. Identify system dependencies.

Conduct a BIA (Calls 4-6)

Create an impact scoring scale and conduct a BIA. Identify RTO and RPO for each system.

Recovery workflow (Calls 7-8)

Create a recovery workflow based on tabletop planning. Identify gaps in recovery capabilities.

Projects and action items (Calls 9-10)

Identify and prioritize improvements. Summarize results and plan next steps.

Your guided implementations will pair you with an advisor from our analyst team for the duration of your DRP project.

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

End-user complaints distract from serious IT-based risks to business continuity

Case Study

Industry: Manufacturing
Source: Info-Tech Research Group Client Engagement

A global manufacturer with annual sales over $1B worked with Info-Tech to improve DR capabilities.

DRP BIA

Conversations with the IT team and business units identified the following impact of downtime over 24 hours:

• Email: Direct Cost: $100k; Goodwill Impact Score: 8.5/16
• ERP: Direct Cost: $1.35mm; Goodwill Impact Score: 12.5/16

Tabletop Testing and Recovery Capabilities

Reviewing the organization’s current systems recovery workflow identified the following capabilities:

• Email: RTO: minutes, RPO: minutes
• ERP: RTO: 14 hours, RPO: 24 hours

Findings

Because of end-user complaints, IT had invested heavily in email resiliency though email downtime had a relatively minimal impact on the business. After working through the methodology, it was clear that the business needed to provide additional support for critical systems.

Insights at each step:

Identify DR Maturity and System Dependencies

Conduct a BIA

Outline Incident Response and Recovery Workflow With Tabletop Exercises

Mitigate Gaps and Risks

Create a Right-Sized Disaster Recovery Plan

Phase 1

Define DRP Scope, Current Status, and Dependencies

Step 1.1: Set Scope, Kick-Off the DRP Project, and Create a Charter

This step will walk you through the following activities:

• Establish a team for DR planning.
• Retrieve and review existing, relevant documentation.
• Create a project charter.

This step involves the following participants:

• DRP Coordinator
• DRP Team (Key IT SMEs)
• IT Managers

Results and Insights

• Set scope for the first iteration of the DRP methodology.
• Don’t try to complete your DR and BCPs all at once.
• Don’t bite off too much at once.

Kick-off your DRP project

You’re ready to start your DR project.

This could be an annual review – but more likely, this is the first time you’ve reviewed the DR plan in years.* Maybe a failed audit might have provided a mandate for DR planning, or a real disaster might have highlighted gaps in DR capabilities. First, set appropriate expectations for what the project is and isn’t, in terms of scope, outputs, and resource commitments. Very few organizations can afford to hire a full-time DR planner, so it’s likely this won’t be your full-time job. Set objectives and timelines accordingly.

Gather a team

• Often, DR efforts are led by the infrastructure and operations leader. This person can act as the DRP coordinator or may delegate this role.
• Key infrastructure subject-matter experts (SMEs) are usually part of the team and involved through the project.

Find and review existing documentation

• An existing DRP may have information you can re-purpose rather than re-create.
• High-level architecture diagrams and network diagrams can help set scope (and will become part of your DR kit).
• Current business-centric continuity of operations plans (COOPs) or BCPs are important to understand.

Set specific, realistic objectives

• Create a project charter (see next slide) to record objectives, timelines, and assumptions.

*Only 20% of respondents to an Info-Tech Research Group survey (N=165) had a complete DRP; only 38% of respondents with a complete or mostly complete DRP felt it would be effective in a crisis.

List DRP drivers and challenges

1(a) Drivers and roadblocks

Estimated Time: 30 minutes

Identify the drivers and challenges to completing a functional DRP plan with the core DR team.

DRP Drivers

• Past outages (be specific):
  • Hardware and software failures
  • External network and power outages
  • Building damage
  • Natural disaster(s)
• Audit findings
• Events in the news
• Other?

DRP Challenges

• Lack of time
• Insufficient DR budget
• Lack of executive support
• No internal DRP expertise
• Challenges making the case for DRP
• Other?

Write down insights from the meeting on flip-chart paper or a whiteboard and use the findings to inform your DRP project (e.g. challenges to address).

Clarify expectations with a project charter

1(b) DRP Project Charter Template

DRP Project Charter Template components:

Define project parameters, roles, and objectives, and clarify expectations with the executive team. Specific subsections are listed below and described in more detail in the remainder of this phase.

• Project Overview: Includes objectives, deliverables, and scope. Leverage relevant notes from the “Project Drivers” brainstorming exercise (e.g. past outages and near misses which help make the case).
• Governance and Management: Includes roles, responsibilities, and resource requirements.
• Project Risks, Assumptions, and Constraints: Includes risks and mitigation strategies, as well as any assumptions and constraints.
• Project Sign-Off: Includes IT and executive sign-off (if required).

Note: Identify the initial team roles and responsibilities first so they can assist in defining the project charter.

Step 1.2: Assess Current State DRP Maturity

This step will walk you through the following activities:

• Complete Info-Tech’s DRP Maturity Scorecard.

This step involves the following participants:

• DRP Coordinator
• IT SMEs

Results and Insights

• Identify the current state of the organization’s DRP and continuity management. Set a baseline for improvement.
• Discover where improvement is most needed to create an effective plan.

Only 38% of IT departments believe their DRPs would be effective in a real crisis

Even organizations with documented DRPs struggle to make them actionable.

• Even when a DRP does become a priority (e.g. due to regulatory or customer drivers), the challenge is knowing where to start and having a methodical step-by-step process for doing the work. With no guide to plan and resource the project, it becomes work that you complete piecemeal when you aren’t working on other projects, or at night after the kids go to bed.
• Far too many organizations create a document to satisfy auditors rather than creating a usable plan. People in this group often just want a fill-in-the-blanks template. What they will typically find is a template for the traditional 300-page manual that goes in a binder that sits on a shelf, is difficult to maintain, and is not effective in a crisis.

Use the DRP Maturity Scorecard to assess the current state of your DRP and identify areas to improve

1(c) DRP Maturity Scorecard

Info-Tech’s DRP Maturity Scorecard evaluates completion status and process maturity for a comprehensive yet practical assessment across three aspects of an effective DRP program – Defining Requirements, Implementation, and Maintenance.

Completion Status: Reflects the progress made with each component of your DRP Program.

Process Maturity: Reflects the consistency and quality of the steps executed to achieve your completion status.

DRP Maturity Assessment: Each component (e.g. BIA) of your DRP Program is evaluated based on completion status and process maturity to provide an accurate holistic assessment. For example, if your BIA completion status is 4 out of 5, but process maturity is a 2, then requirements were not derived from a consistent defined process. The risk is inconsistent application prioritization and misalignment with actual business requirements.

Step 1.3: Identify Applications, Systems, and Dependencies

This step will walk you through the following activities:

• Identify systems, applications, and services, and the business units that use them.
• Document applications, systems, and their dependencies in the DRP Business Impact Analysis Tool.

This step involves the following participants:

• DRP Coordinator
• DRP Team

Results and Insights

• Identify core services and the applications that depend on them.
• Add applications and dependencies to the DRP Business Impact Analysis Tool.

Select 5-10 services to get started on the DRP methodology

1(d) High-level prioritization

Estimated Time: 30 minutes

Working through the planning process the first time can be challenging. If losing momentum is a concern, limit the BIA to a few critical systems to start.

Run this exercise if you need a structured exercise to decide where to focus first and identify the business users you should ask for input on the impact of system downtime.

1. On a whiteboard or flip-chart paper, list business units in a column on the left. List key applications/systems in a row at the top. Draw a grid.
2. At a high level, review how applications are used by each unit. Take notes to keep track of any assumptions you make.
   • Add a ✓ if members of the unit use the application or system.
   • Add an ✱ if members of the unit are heavy users of the application or system and/or use it for time sensitive tasks.
   • Leave the box blank if the app isn’t used by this unit.
3. Use the chart to prioritize systems to include in the BIA (e.g. systems marked with an *) but also include a few less-critical systems to illustrate DRP requirements for a range of systems.

Draw a high-level sketch of your environment

1(e) Sketch your environment

Estimated Time: 1-2 hours

A high-level topology or architectural diagram is an effective way to identify dependencies, application ownership, outsourced services, hardware redundancies, and more.

Note:

• Network diagrams or high-level architecture diagrams help to identify dependencies and redundancies. Even a rough sketch is a useful reference tool for participants, and will be valuable documentation in the final DR plan.
• Keep the drawings tidy. Visualize the final diagram before you start to draw on the whiteboard to help with spacing and placement.
• Collaborate with relevant SMEs to identify dependencies. Keep the drawing high-level.
• Illustrate connections between applications or components with lines. Use color coding to illustrate where applications are hosted (e.g. in-house, at a co-lo, in a cloud or MSP environment).

Document systems and dependencies

Collaborate with system SMEs to identify dependencies for each application or system. Document the dependencies in the DRP Business Impact Analysis Tool (see image below)

• When listing applications, focus on business-facing systems or services that business users will recognize and use terminology they’ll understand.
• Group infrastructure components that support all other services as a single core infrastructure service to simplify dependency mapping (e.g. core router, virtual hosts, ID management, and DNS).
• In general, each data center will have its own core infrastructure components. List each data center separately – especially if different services are hosted at each data center.
• Be specific when documenting dependencies. Use existing asset tracking tables, discovery tools, asset management records, or configuration management tools to identify specific server names.
• Core infrastructure dependencies, such as the network infrastructure, power supply, and centralized storage, will be a common set of dependencies for most applications, so group these into a separate category called “Core Infrastructure” to minimize repetition in your DR planning.
• Document production components in the BIA tool. Capture in-production, redundant components performing the same work on a single dependency line. List standby systems in the notes.

Info-Tech Best Practice

In general, visual documentation is easier to use in a crisis and easier to maintain over time. Use Info-Tech’s research to help build your own visual SOPs.

Document systems and dependencies

1(f) DRP Business Impact Analysis Tool – Record systems and dependencies

Stories from the field: Info-Tech clients find value in Phase 1 in the following ways

An organization uncovers a key dependency that needed to be treated as a Tier 1 system

Reviewing the entire ecosystem for applications identified key dependencies that were previously considered non-critical. For example, a system used to facilitate secure data transfers was identified as a key dependency for payroll and other critical business processes, and elevated to Tier 1.

A picture’s worth a thousand words (and 1600 servers)

Drawing a simple architectural diagram was an invaluable tool to identify key dependencies and critical systems, and to understand how systems and dependencies were interconnected. The drawing was an aha moment for IT and business stakeholders trying to make sense of their 1600-server environment.

Make the case for DRP

A member of the S&P 500 used Info-Tech’s DRP Maturity Scorecard to provide a reliable objective assessment and make the case for improvements to the board of directors.

State government agency initiates a DRP project to complement an existing COOP

Info-Tech's DRP Project Charter enabled the CIO to clarify their DRP project scope and where it fit into their overall COOP. The project charter example provided much of the standard copy – objectives, scope, project roles, methodology, etc. – required to outline the project.

Phase 1: Insights and accomplishments

Created a charter and identified current maturity

Identified systems and dependencies for the BIA

Summary of Accomplishments:

• Created a DRP project charter.
• Completed the DRP Maturity Scorecard and identified current DRP maturity.
• Prioritized applications/systems for a first pass through DR planning.
• Identified dependencies for each application and system.

Up Next: Conduct a BIA to establish recovery requirements

Create a Right-Sized Disaster Recovery Plan

Phase 2

Conduct a BIA to Determine Acceptable RTOs and RPOs

Step 2.1: Define an Objective Impact Scoring Scale

This step will walk you through the following activities:

• Create a scoring scale to measure the business impact of application and system downtime.

This step involves the following participants:

• DRP Coordinator
• DRP Team

Results and Insights

• Use a scoring scale tied to multiple categories of real business impact to develop a more objective assessment of application and system criticality.

Align capabilities to appropriate and acceptable RTOs and RPOs with a BIA

Too many organizations avoid a BIA because they perceive it as onerous or unneeded. A well-managed BIA is straightforward and the benefits are tangible.

A BIA enables you to identify appropriate spend levels, maintain executive support, and prioritize DR planning for a more successful outcome. Info-Tech has found that a BIA has a measurable impact on the organization’s ability to set appropriate objectives and investment goals.

Info-Tech Insight

Business input is important, but don’t let a lack of it delay a draft BIA. Complete a draft based on your knowledge of the business. Create a draft within IT, and use it to get input from business leaders. It’s easier to edit estimates than to start from scratch; even weak estimates are far better than a blank sheet.

Pick impact categories that are relevant to your business to develop a holistic view of business impact

Direct Cost Impact Categories

• Revenue: permanently lost revenue.
  • Example: one third of daily sales are lost due to a website failure.
• Productivity: lost productivity.
  • Example: finance staff can’t work without the accounting system.
• Operating costs: additional operating costs.
  • Example: temporary staff are needed to re-key data.
• Financial penalties: fines/penalties that could be incurred due to downtime.
  • Example: failure to meet contractual service-level agreements (SLAs) for uptime results in financial penalties.

Goodwill, Compliance, and Health and Safety Categories

• Stakeholder goodwill: lost customer, staff, or business partner goodwill due to harm, frustration, etc.
  • Example: customers can’t access needed services because the website is down.
  • Example: a payroll system outage delays paychecks for all staff.
  • Example: suppliers are paid late because the purchasing system is down.
• Compliance, health, and safety:
  • Example: financial system downtime results in a missed tax filing.
  • Example: network downtime disconnects security cameras.

Info-Tech Insight

You don’t have to include every impact category in your BIA. Include categories that could affect your business. Defer or exclude other categories. For example, the bulk of revenue for governmental organizations comes from taxes, which won’t be permanently lost if IT systems fail.

Modify scoring criteria to help you measure the impact of downtime

The scoring scales define different types of business impact (e.g. costs, lost goodwill) using a common four-point scale and 24-hour timeframe to simplify BIA exercises and documentation.

Use the suggestions below as a guide as you modify scoring criteria in the DRP Business Impact Analysis Tool:

• All the direct cost categories (revenue, productivity, operating costs, financial penalties) require the user to define only a maximum value; the tool will populate the rest of the criteria for that category. Use the suggestions below to find the maximum scores for each of the direct cost categories:
  • Revenue: Divide total revenue for the previous year by 365 to estimate daily revenue. Assume this is the most revenue you could lose in a day, and use this number as the top score.
  • Loss of Productivity: Divide fully-loaded labor costs for the organization by 365 to estimate daily productivity costs. Use this as a proxy measure for the work lost if all business stopped for one day.
  • Increased Operating Costs: Isolate this to known additional costs that result from a disruption (e.g. costs for overtime or temporary staff). Estimate the maximum cost for the organization.
  • Financial Penalties: Isolate this to known financial penalties (e.g. due to failure to meet SLAs or compliance requirements). Use the estimated maximum penalty as the highest value on the scale.
• Impact on Goodwill: Use an estimate of the percentage of all stakeholders impacted to assess goodwill impact.
• Impact on Compliance; Impact on Health and Safety: The BIA tool contains default scoring criteria that account for the severity of the impact, the likelihood of occurrence, and in the case of compliance, whether a grace period is available. Use this scale as-is, or adapt this scale to suit your needs.

Modify the default scoring scale in the DRP Business Impact Analysis Tool to reflect your organization

2(a) DRP Business Impact Analysis Tool – Scoring criteria

Step 2.2: Estimate the Impact of Downtime

This step will walk you through the following activities:

• Identify the business impact of service/system/application downtime.

This step involves the following participants:

• DRP Coordinator
• DRP Team
• IT Service SMEs
• Business-Side Technology Owners (optional)

Results and Insights

• Apply the scoring scale to develop a more objective assessment of the business impact of downtime.
• Create criticality tiers based on the business impact of downtime.

Estimate the impact of downtime for each system and application

2(b) Estimate the impact of systems downtime

Estimated Time: 3 hours

On tab 3 of the DRP Business Impact Analysis Tool indicate the costs of downtime, as described below:

1. Have a copy of the “Scoring Criteria” tab available to use as a reference (e.g. printed or on a second display). In tab 3 use the drop-down menu to assign a score of 0 to 4 based on levels of impact defined in the “Scoring Criteria” tab.
2. Work horizontally across all categories for a single system or application. This will familiarize you with your scoring scales for all impact categories, and allow you to modify the scoring scales if needed before you proceed much further.

For example, if a core call center phone system was down:

• Loss of Revenue would be the portion of sales revenue generated through the call center. This might score a 1 or 2 depending on the percent of sales that are processed by the call center.
• The Impact on Customers might be a 2 or 3 depending on the extent that some customers might be using the call center to receive support or purchase new products or services.
• The Legal/Regulatory Compliance and Health or Safety Risk might be a 0, as the call center has no impact in either area.

Add impact scores to the DRP Business Impact Analysis Tool

2(c) DRP Business Impact Analysis Tool

Record business reasons and assumptions that drive BIA scores

2(d) DRP BIA Scoring Context Example

Info-Tech suggests that IT leadership and staff identify the impact of downtime first to create a version that you can then validate with relevant business owners. As you work through the BIA as a team, have a notetaker record assumptions you make to help you explain the results and drive business engagement and feedback.

Some common assumptions:

• You can’t schedule a disaster, so Info-Tech suggests you assume the worst possible timing for downtime. Base the impact of downtime on the worst day for a disaster (e.g. year-end close, payroll run).
• Record assumptions made about who and what are impacted by system downtime.
• Record assumptions made about impact severity.
• If you deviate from the scoring scale, or if a particular impact doesn’t fit well into the defined scoring scale, document the exception.

Use Info-Tech’s DRP BIA Scoring Context Example as a note-taking template.

Info-Tech Insight

You can’t build a perfect scoring scale. It’s fine to make reasonable assumptions based on your judgment and knowledge of the business. Just write down your assumptions. If you don’t write them down, you’ll forget how you arrived at that conclusion.

Assign a criticality rating based on total direct and indirect costs of downtime

2(e) DRP Business Impact Analysis Tool – Assign criticality tiers

Once you’ve finished estimating the impact of downtime, use the following rough guideline to create an initial sort of applications into Tiers 1, 2, and 3.

1. In general, sort applications based on the Total Impact on Goodwill, Compliance, and Safety first.
   • An effective tactic for a quick sort: assign a Tier 1 rating where scores are 50% or more of the highest total score, Tier 2 where scores are between 25% and 50%, and Tier 3 where scores are below 25%. Some organizations will also include a Tier 0 for the highest-scoring systems.
   • Then review and validate these scores and assignments.
2. Next, consider the Total Cost of Downtime.
   • The Total Cost is calculated by the tool based on the Scoring Criteria in tab 2 and the impact scores on tab 3.
   • Decide if the total cost impact justifies increasing the criticality rating (e.g. from Tier 2 to Tier 1 due to high cost impact).
3. Review the assigned impact scores and tiers to check that they’re in alignment. If you need to make an exception, document why. Keep exceptions to a minimum.

Example: Highest total score is 12

Step 2.3: Determine Acceptable RTO/RPO Targets

This step will walk you through the following activities:

• Review the “Debate Space” approach to setting RTO and RPO (recovery targets).
• Set preliminary RTOs and RPOs by criticality tier.

This step involves the following participants:

• DRP Coordinator
• DRP Team

Results and Insights

• Align recovery targets with the business impact of downtime and data loss.

Use the “Debate Space” approach to align RTOs and RPOs with the impact of downtime

The business must validate acceptable and appropriate RTOs and RPOs, but IT can use the guidelines below to set an initial estimate.

Right-size recovery.

A shorter RTO typically requires higher investment. If a short period of downtime has minimal impact, setting a low RTO may not be justifiable. As downtime continues, impact begins to increase exponentially to a point where downtime is intolerable – an acceptable RTO must be shorter than this. Apply the same thinking to RPOs – how much data loss is unnoticeable? How much is intolerable?

The “Debate Space” is between minimal impact and maximum tolerance for downtime.

Estimate appropriate, acceptable RTOs and RPOs for each tier

2(f) Set recovery targets

Estimated Time: 30 minutes

RTO and RPO tiers simplify management by setting similar recovery goals for systems and applications with similar criticality.

Use the “Debate Space” approach to set appropriate and acceptable targets.

1. For RTO, establish a recovery time range that is appropriate based on impact.
   • Overall, the RTO tiers might be 0-4 hours for gold, 4-24 hours for silver, and 24-48 hours for bronze.
2. RPOs reflect target data protection measures.
   • Identify the lowest RPO within a tier and make that the standard.
   • For example, RPO for gold data might be five minutes, silver might be four hours, and bronze might be one day.
   • Use this as a guideline. RPO doesn’t always align perfectly with RTO tiers.
3. Review RTOs and RPOs and make sure they accurately reflect criticality.

Info-Tech Insight

In general, the more critical the system, the shorter the RPO. But that’s not always the case. For example, a service bus might be Tier 1, but if it doesn’t store any data, RPO might be longer than other Tier 1 systems. Some systems may have a different RPO than most other systems in that tier. As long as the targets are acceptable to the business and appropriate given the impact, that’s okay.

Add recovery targets to the DRP Business Impact Analysis Tool

2(g) DRP Business Impact Analysis Tool – Document recovery objectives

Stories from the field: Info-Tech clients find value in Phase 2 in the following ways

Most organizations discover something new about key applications, or the way stakeholders use them, when they work through the BIA and review the results with stakeholders. For example:

Why complete a BIA? There could be a million reasons

• A global manufacturer completed the DRP BIA exercise. When email went down, Service Desk phones lit up until it was resolved. That grief led to a high availability implementation for email. However, the BIA illustrated that ERP downtime was far more impactful.
• ERP downtime would stop production lines, delay customer orders, and ultimately cost the business a million dollars a day.
• The BIA results clearly showed that the ERP needed to be prioritized higher, and required business support for investment.

Move from airing grievances to making informed decisions

The DRP Business Impact Analysis Tool helped structure stakeholder consultations on DR requirements for a large university IT department. Past consultations had become an airing of grievances. Using objective impact scores helped stakeholders stay focused and make informed decisions around appropriate RTOs and RPOs.

Phase 2: Insights and accomplishments

Estimated the business impact of downtime

Set recovery targets

Summary of Accomplishments

• Created a scoring scale tied to different categories of business impact.
• Applied the scoring scale to estimate the business impact of system downtime.
• Identified appropriate, acceptable RTOs and RPOs.

Up Next:Conduct a tabletop planning exercise to establish current recovery capabilities

Create a Right-Sized Disaster Recovery Plan

Phase 3

Identify and Address Gaps in the Recovery Workflow

Step 3.1: Determine Current Recovery Workflow

This step will walk you through the following activities:

• Run a tabletop exercise.
• Outline the steps for the initial response (notification, assessment, disaster declaration) and systems recovery (i.e. document your recovery workflow).
• Identify any gaps and risks in your initial response and systems recovery.

This step involves the following participants:

• DRP Coordinator
• IT Infrastructure SMEs (for systems in scope)
• Application SMEs (for systems in scope)

Results and Insights

• Use a repeatable practical exercise to outline and document the steps you would use to recover systems in the event of a disaster, as well as identify gaps and risks to address.
• This is also a knowledge-sharing opportunity for your team, and a practical means to get their insights, suggestions, and recovery knowledge down on paper.

Tabletop planning: an effective way to test and document your recovery workflow

In a tabletop planning exercise, the DRP team walks through a disaster scenario to map out what should happen at each stage, and effectively defines a high-level incident response plan (i.e. recovery workflow).

Tabletop planning had the greatest impact on meeting recovery objectives (RTOs/RPOs) among survey respondents.

*Note: Relative importance indicates the contribution an individual testing methodology, conducted at least annually, had on predicting success meeting recovery objectives, when controlling for all other types of tests in a regression model. The relative-importance values have been standardized to sum to 100%.

Success was based on the following items:

• RTOs are consistently met.
• IT has confidence in the ongoing ability to meet RTOs.
• RPOs are consistently met.
• IT has confidence in the ongoing ability to meet RPOs.

Why is tabletop planning so effective?

• It enables you to play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
• It is non-intrusive, so it can be executed more frequently than other testing methodologies.
• It easily translates into the backbone of your recovery documentation, as it allows you to review all aspects of your recovery plan.

Focus first on IT DR

Your DRP is IT contingency planning. It is not crisis management or BCP.

The goal is to define a plan to restore applications and systems following a disruption. For your first tabletop exercise, Info-Tech recommends you use a non-life-threatening scenario that requires at least a temporary relocation of your data center (i.e. failing over to a DR site/environment). Assume a gas leak or burst water pipe renders the data center inaccessible. Power is shut off and IT must failover systems to another location. Once you create the master procedure, review the plan to ensure it addresses other scenarios.

Info-Tech Insight

When systems fail, you are faced with two high-level options: failover or recover in place. If you document the plan to failover systems to another location, you’ll have documented the core of your DR procedures. This differs from traditional scenario planning where you define separate plans for different what-if scenarios. The goal is one plan that can be adapted to different scenarios, which reduces the effort to build and maintain your DRP.

Conduct a tabletop planning exercise to outline DR procedures in your current environment

3(a) Tabletop planning

Estimated Time: 2-3 hours

For each high-level recovery step, do the following:

1. On white cue cards:
   • Record the step.
   • Indicate the task owner (if required for clarity).
   • Note time required to complete the step. After the exercise, use this to build a running recovery time where 00:00 is when the incident occurred.
2. On yellow cue cards, document gaps in people, process, and technology requirements to complete the step.
3. On red cue cards, indicate risks (e.g. no backup person for a key staff member).

Do:

• Review the complete workflow from notification all the way to user acceptance testing.
• Keep focused; stay on task and on time.
• Revisit each step and record gaps and risks (and known solutions, but don’t dwell on this).
• Revise and improve the plan with task owners.

Don't:

• Get weighed down by tools.
• Document the details right away – stick to the high-level plan for the first exercise.
• Try to find solutions to every gap/risk as you go. Save in-depth research/discussion for later.

Flowchart the current-state incident response plan (i.e. document the recovery workflow)

3(b) DRP Recovery Workflow Template and Case Study: Practical, Right-Sized DRP

Why use flowcharts?

• Flowcharts provide an at-a-glance view, ideal for disaster scenarios where pressure is high and quick upward communication is necessary.
• For experienced staff, a high-level reminder of key steps is sufficient.

Use the completed tabletop planning exercise results to build this workflow.

"We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management." – Assistant Director, IT Operations, Healthcare Industry

Source: Info-Tech Research Group Interview

For a formatted template you can use to capture your plan, see Info-Tech’s DRP Recovery Workflow Template.

For a completed example of tabletop planning results, review Info-Tech’s Case Study: Practical, Right-Sized DRP.

Identify RPA

What’s my RPA? Consider the following case:

• Once a week, a full backup is taken of the complete ERP system and is transferred over the WAN to a secondary site 250 miles away, where it is stored on disk.
• Overnight, an incremental backup is taken of the day’s changes, and is transferred to the same secondary site, and also stored on disk.
• During office hours, the SAN takes a snapshot of changes which are kept on local storage (information on the accounting system usually only changes during office hours).
• So what’s the RPA? One hour (snapshots), one day (incrementals), or one week (full backups)?

When identifying RPA, remember the following:

You are planning for a disaster scenario, where on-site systems may be inaccessible and any copies of data taken during the disaster may fail, be corrupt, or never make it out of the data center (e.g. if the network fails before the backup file ships). In the scenario above, it seems likely that off-site incremental backups could be restored, leading to a 24-hour RPA. However, if there were serious concerns about the reliability of the daily incrementals, the RPA could arguably be based on the weekly full backups.

Info-Tech Best Practice

The RPA is a commitment to the maximum data you would lose in a DR scenario with current capabilities (people, process, and technology). Pick a number you can likely achieve. List any situations where you couldn’t meet this RPA, and identify those for a risk tolerance discussion. In the example above, complete loss of the primary SAN would also mean losing the snapshots, so the last good copy of the data could be up to 24-hours old.

Add recovery actuals (RTA/RPA) to your copy of the BIA

3(c) DRP Business Impact Analysis Tool– Recovery actuals

On the “Impact Analysis” tab in the DRP Business Impact Analysis Tool, enter the estimated maximum downtime and data loss in the RTA and RPA columns.

1. Estimate the RTA based on the required time for complete recovery. Review your recovery workflow to identify this timeline. For example, if the notification, assessment, and declaration process takes two hours, and systems recovery requires most of a day, the estimated RTA could be 24 hours.
2. Estimate the RPA based on the longest interval between copies of the data being shipped offsite. For example, if data on a particular system is backed up offsite once per day, and the onsite system was destroyed just before that backup began, the entire day’s data could be lost and estimated RPA could be 24 hours. Note: Enter 9999 to indicate that data is unrecoverable.

Info-Tech Best Practice

It’s okay to round numbers to the nearest shift, day, or week for simplicity (e.g. 24 hours rather than 22.5 hours, or 8 hours rather than 7.25 hours).

Test the recovery workflow against additional scenarios

3(d) Workflow review

Estimated Time: 1 hour

Review your recovery workflow with a different scenario in mind.

• Work from and update the soft copy of your recovery workflow.
• Would any steps be different if the scenario changes? If yes, capture the different flow with a decision diamond. Identify any new gaps or risks you encounter with red and yellow cards. Use as few decision diamonds as possible.

Info-Tech Best Practice

As you start to consider scenarios where injuries or loss of life are a possibility, remember that health and safety risks are the top priority in a crisis. If there’s a fire in the data center, evacuating the building is the first priority, even if that means foregoing a graceful shut down. For more details on emergency response and crisis management, see Implement Crisis Management Best Practices.

Consider additional IT disaster scenarios

3(e) Thought experiment – Review additional scenarios

Walk through your recovery workflow in the context of additional, different scenarios to ensure there are no gaps. Collaborate with your DR team to identify changes that might be required, and incorporate these changes in the plan.

Step 3.2: Identify and Prioritize Projects to Close Gaps

This step will walk you through the following activities:

• Analyze the gaps that were identified from the maturity scorecard, tabletop planning exercise, and the RTO/RPO gaps analysis.
• Brainstorm solutions to close gaps and mitigate risks.
• Determine a course of action to close these gaps. Prioritize each project. Create a project implementation timeline.

This step involves the following participants:

• DRP Coordinator
• IT Infrastructure SMEs

Results and Insights

• Prioritized list of projects and action items that can improve DR capabilities.
• Often low-cost, low-effort quick wins are identified to mitigate at least some gaps/risks. Higher-cost, higher-effort projects can be part of a longer-term IT strategy. Improving service continuity is an ongoing commitment.

Brainstorm solutions to address gaps and risk

3(f) Solutioning

Estimated Time: 1.5 hours

1. Review each of the risk and gap cards from the tabletop exercise.
2. As a group, brainstorm ideas to address gaps, mitigate risks, and improve resiliency. Write the list of ideas on a whiteboard or flip-chart paper. The solutions can range from quick-wins and action items to major capital investments.
3. Try to avoid debates about feasibility at this point – that should happen later. The goal is to get all ideas on the board.

Info-Tech Best Practice

It’s about finding ways to solve the problem, not about solving the problem. When you’re brainstorming solutions to problems, don’t stop with the first idea, even if the solution seems obvious. The first idea isn’t always the best or only solution; other ideas can expand on and improve that first idea.

Select an optimal DR deployment model from a world of choice

There are many options for a DR deployment. What makes sense for you?

• Sifting through the options for a DR site can be overwhelming. Simplify by eliminating deployment models that aren’t a good fit for your requirements or organization using Info-Tech’s research.
• Someone will ask you about DR in the cloud. Cut to the chase and evaluate cloud for fit with your organization’s current capabilities and requirements. Read about the 10 Secrets for Successful DR in the Cloud.
• Selecting and deploying a DR site is an exercise in risk mitigation. IT’s role is to advise the business on options to address the risk of not having a DR site, including cost and effort estimates. The business must then decide how to manage risk. Build total cost of ownership (TCO) estimates and evaluate possible challenges and risks for each option.

Is it practical to invest in greater geo-redundancy that meets RTOs and RPOs during a widespread event?

Info-Tech suggests you consider events that impact both sites, and your risk tolerance for that impact. Outline the impact of downtime at a high level if both the primary and secondary site were affected. Research how often events severe enough to have impacted both your primary and secondary sites have occurred in the past. What’s the business tolerance for this type of event?

A common strategy: have a primary and DR site that are close enough to support low RPO/RTO, but far enough away to mitigate the impact of known regional events. Back up data to a remote third location as protection against a catastrophic event.

Info-Tech Insight

Approach site selection as a project. Leverage Select an Optimal Disaster Recovery Deployment Model to structure your own site-selection project.

Set up the DRP Roadmap Tool

3(g) DRP Roadmap Tool – Set up tool

Use the DRP Roadmap Tool to create a high-level roadmap to plan and communicate DR action items and initiatives. Determine the data you’ll use to define roadmap items.

Plan next steps by estimating timeline, effort, priority, and more

3(h) DRP Roadmap Tool – Describe roadmap items

Review and communicate the DRP Roadmap Tool

3(i) DRP Roadmap Tool – View roadmap chart

Step 3.3: Review the Future State Recovery Process

This step will walk you through the following activities:

• Update the recovery workflow to outline your future recovery procedure.
• Summarize findings from DR exercises and present the results to the project sponsor and other interested executives.

This step involves the following participants:

• DRP Coordinator
• IT SMEs (Future State Recovery Flow)
• DR Project Sponsor

Results and Insights

• Summarize results from DR planning exercises to make the case for needed DR investment.

Outline your future state recovery flow

3(j) Update the recovery workflow to outline response and recovery in the future

Estimated Time: 30 minutes

Outline your expected future state recovery flow to demonstrate improvements once projects and action items have been completed.

1. Create a copy of your DRP recovery workflow in a new tab in Visio.
2. Delete gap and risk cards that are addressed by proposed projects. Consolidate or eliminate steps that would be simplified or streamlined in the future if projects are implemented.
3. Create a short-, medium-, and long-term review of changes to illustrate improvements over time to the project roadmap.
4. Update this workflow as you implement and improve DR capabilities.

Validate recovery targets and communicate actual recovery capabilities

3(k) Validate findings, present recommendations, secure budget

Estimated Time: time required will vary

1. Interview managers or process owners to validate RTO, RPO, and business impact scores.Use your assessment of “heavy users” of particular applications (picture at right) to remind you which business users you should include in the interview process.
2. Present an overview of your findings to the management team.Use Info-Tech’s DRP Recap and Results Template to summarize your findings.
3. Take projects into the budget process.With the management team aware of the rationale for investment in DRP, build the business case and secure budget where needed.

Present DRP findings and make the case for needed investment

3(I) DRP Recap and Results Template

Create a communication deck to recap key findings for stakeholders.

• Write a clear problem statement. Identify why you did this project (what problem you’re solving).
• Clearly state key findings, insights, and recommendations.
• Leverage the completed tools and templates to populate the deck. Callouts throughout the template presentation will direct you to take and populate screenshots throughout the document.
• Use the presentation to communicate key findings to, and gather feedback from, business unit managers, executives, and IT staff.

Stories from the field: Info-Tech clients find value in Phase 3 in the following ways

Tabletop planning is an effective way to discover gaps in recovery capabilities. Identify issues in the tabletop exercise so you can manage them before disaster strikes. For example:

Back up a second…

A client started to back up application data offsite. To minimize data transfer and storage costs, the systems themselves weren’t backed up. Working through the restore process at the DR site, the DBA realized 30 years of COBOL and SQR code – critical business functionality – wasn’t backed up offsite.

Net… work?

A 500-employee professional services firm realized its internet connection could be a significant roadblock to recovery. Without internet, no one at head office could access critical cloud systems. The tabletop exercise identified this recovery bottleneck and helped prioritize the fix on the roadmap.

Someone call a doctor!

Hospitals rely on their phone systems for system downtime procedures. A tabletop exercise with a hospital client highlighted that if the data center were damaged, the phone system would likely be damaged as well. Identifying this provided more urgency to the ongoing VOIP migration.

The test of time

A small municipality relied on a local MSP to perform systems restore, but realized it had never tested the restore procedure to identify RTA. Contacting the MSP to review capabilities became a roadmap item to address this risk.

Phase 3: Insights and accomplishments

Outlined the DRP response and risks to recovery

Brainstormed risk mitigation measures

Summary of Accomplishments

• Planned and documented your DR incident response and systems recovery workflow.
• Identified gaps and risks to recovery and incident management.
• Brainstormed and identified projects and action items to mitigate risks and close gaps.

Up Next: Leverage the core deliverables to complete, extend, and maintain your DRP

Create a Right-Sized Disaster Recovery Plan

Phase 4

Complete, Extend, and Maintain Your DRP

Phase 4: Complete, Extend, and Maintain Your DRP

This phase will walk you through the following activities:

• Identify progress made on your DRP by reassessing your DRP maturity.
• Prioritize the highest value major initiatives to complete, extend, and maintain your DRP.

This phase involves the following participants:

• DRP Coordinator
• Executive Sponsor

Results and Insights

• Communicate the value of your DRP by demonstrating progress against items in the DRP Maturity Scorecard.
• Identify and prioritize future major initiatives to support the DRP, and the larger BCP.

Celebrate accomplishments, plan for the future

Congratulations! You’ve completed the core DRP deliverables and made the case for investment in DR capabilities. Take a moment to celebrate your accomplishments.

This milestone is an opportunity to look back and look forward.

• Look back: measure your progress since you started to build your DRP. Revisit the assessments completed in phase 1, and assess the change in your overall DRP maturity.
• Look forward: prioritize future initiatives to complete, extend, and maintain your DRP. Prioritize initiatives that are the highest impact for the least requirement of effort and resources.

We have completed the core DRP methodology for key systems:

• BIA, recovery objectives, high-level recovery workflow, and recovery actuals.
• Identify key tasks to meet recovery objectives.

What could we do next?

• Repeat the core methodology for additional systems.
• Identify a DR site to meet recovery requirements, and review vendor DR capabilities.
• Create a summary DRP document including requirements, capabilities, and change procedures.
• Create a test plan and detailed recovery documentation.
• Coordinate the creation of BCPs.
• Integrate DR in other key operational processes.

Revisit the DRP Maturity Scorecard to measure progress and identify remaining areas to improve

4(a) DRP Maturity Scorecard – Reassess your DRP program maturity

1. Find the copy of the DRP Maturity Scorecard you completed previously. Save a second copy of the completed scorecard in the same folder.
2. Update scoring where you have improved your DRP documentation or capabilities.
3. Review the new scores on tab 3. Compare the new scores to the original scores.

Info-Tech Best Practice

Use the completed, updated DRP Maturity Scorecard to demonstrate the value of your continuity program, and to help you decide where to focus next.

Prioritize major initiatives to complete, extend, and maintain the DRP

4(b) Prioritize major initiatives

Estimated Time: 2 hours

Prioritize major initiatives that mitigate significant risk with the least cost and effort.

1. Use the scoring criteria below to evaluate risk, effort, and cost for potential initiatives. Modify the criteria if required for your organization. Write this out on a whiteboard or flip-chart paper.
2. Assign a score from 1 to 3. Multiply the scores for each initiative together for an aggregate score. In general, prioritize initiatives with higher scores.

Info-Tech Best Practice

You can use a similar scoring exercise to prioritize and schedule high-benefit, low-effort, low-cost items identified in the roadmap in phase 3.

Example: Prioritize major initiatives

4(b) Prioritize major initiatives continued

Write out the table on a whiteboard (record the results in a spreadsheet for reference). In the case below, IT might decide to work on repeating the core methodology first as they create the active testing plans, and tackle process changes later.

Info-Tech Best Practice

Find a pace that allows you to keep momentum going, but also leaves enough time to act on the initial findings, projects, and action items identified in the DRP Roadmap Tool. Include these initiatives in the Roadmap tool to visualize how identified initiatives fit with other tasks identified to improve your recovery capabilities.

Repeat the core DR methodology for additional systems and applications

You have created a DR plan for your most critical systems. Now, add the rest:

• Build on the work you’ve already done. Re-use the BIA scoring scale. Update your existing recovery workflows, rather than creating and formatting an entirely new document. A number of steps in the recovery will be shared with, or similar to, the recovery procedures for your Tier 1 systems.

Risks and Challenges Mitigated

• DR requirements and capabilities for less-critical systems have not been evaluated.
• Gaps in the recovery process for less critical systems have not been evaluated or addressed.
• DR capabilities for less critical systems may not meet business requirements.

Info-Tech Best Practice

Use this example of a complete, practical, right-size DR plan to drive and guide your efforts.

Extend your core DRP deliverables

You’ve completed the core DRP deliverables. Continue to create DRP documentation to support recovery procedures and governance processes:

• DR documentation efforts fail when organizations try to boil the ocean with an all-in-one plan aimed at auditors, business leaders, and IT. It’s long, hard to maintain, and ends up as shelfware.
• Create documentation in layers to keep it manageable. Build supporting documentation over time to support your high-level recovery workflow.

Risks and Challenges Mitigated

• Key contact information, escalation, and disaster declaration responsibilities are not identified or formalized.
• DRP requirements and capabilities aren’t centralized. Key DRP findings are in multiple documents, complicating governance and oversight by auditors, executives, and board members.
• Detailed recovery procedures and peripheral information (e.g. network diagrams) are not documented.

Info-Tech Best Practice

Use this example of a complete, practical, right-size DR plan to drive and guide your efforts.

Select an optimal DR deployment model and deployment site

Your DR site has been identified as inadequate:

• Begin with the end in mind. Commit to mastering the selected model and leverage your vendor relationship for effective DR.
• Cut to the chase and evaluate the feasibility of cloud first. Gauge your organization’s current capabilities for DR in the cloud before becoming infatuated with the idea.
• A mixed model gives you the best of both worlds. Diversify your strategy by identifying fit for purpose and balancing the work required to maintain various models.

Risks and Challenges Mitigated

• Without an identified DR site, you’ll be scrambling when a disaster hits to find and contract for a location to restore IT services.
• Without systems and application data backed up offsite, you stand to lose critical business data and logic if all copies of the data at your primary site were lost.

Info-Tech Best Practice

Use Info-Tech’s blueprint, Select the Optimal Disaster Recovery Deployment Model, to help you make sense of a world of choice for your DR site.

Extend DRP findings to business process resiliency with a BCP pilot

Integrate your findings from DRP into the overall BCP:

• As an IT leader you have the skillset and organizational knowledge to lead a BCP project, but ultimately business leaders need to own the BCP – they know their processes and requirements to resume business operations better than anyone else.
• The traditional approach to BCP is a massive project that most organizations can’t execute without hiring a consultant. To execute BCP in-house, carve up the task into manageable pieces.

Risks and Challenges Mitigated

• No formal plan exists to recover from a disruption to critical business processes.
• Business requirements for IT systems recovery may change following a comprehensive review of business continuity requirements.
• Outside of core systems recovery, IT could be involved in relocating staff, imaging and issuing new end-user equipment, etc. Identifying these requirements is part of BCP.

Info-Tech Best Practice

Use Info-Tech’s blueprint, Develop a Business Continuity Plan, to develop and deploy a repeatable BCP methodology.

Test the plan to validate capabilities and cross-train staff on recovery procedures

You don’t have a program to regularly test the DR plan:

• Most DR tests are focused solely on the technology and not the DR management process – which is where most plans fail.
• Be proactive – establish an annual test cycle and identify and coordinate resources well in advance.
• Update DRP documentation with findings from the plan, and track the changes you make over time.

Risks and Challenges Mitigated

• Gaps likely still exist in the plan that are hard to find without some form of testing.
• Customers and auditors may ask for some form of DR testing.
• Staff may not be familiar with DR documentation or how they can use it.
• No formal cycle to validate and update the DRP.

Info-Tech Best Practice

Uncover deficiencies in your recovery procedures by using Info-Tech’s blueprint Reduce Costly Downtime Through DR Testing.

“Operationalize” DRP management

Inject DR planning in key operational processes to support plan maintenance:

• Major changes, or multiple routine changes, can materially alter DR capabilities and requirements. It’s not feasible to update the DR plan after every routine change, so leverage criticality tiers in the BIA to focus your change management efforts. Critical systems require more rigorous change procedures.
• Likewise, you can build criticality tiers into more focused project management and performance measurement processes.
• Schedule regular tasks in your ticketing system to verify capabilities and cross-train staff on key recovery procedures (e.g. backup and restore).

Risks and Challenges Mitigated

• DRP is not updated “as needed” – as requirements and capabilities change due to business and technology changes.
• The DRP is disconnected from day-to-day operations.

Review infrastructure service provider DR capabilities

Insert DR planning in key operational processes to support plan maintenance:

• Reviewing vendor DR capabilities is a core IT vendor management competency.
• As your DR requirements change year-to-year, ensure your vendors’ service commitments still meet your DR requirements.
• Identify changes in the vendor’s service offerings and DR capabilities, e.g. higher costs for additional DR support, new offerings to reduce potential downtime, or conversely, a degradation in DR capabilities.

Risks and Challenges Mitigated

• Vendor capabilities haven’t been measured against business requirements.
• No internal capability exists currently to assess vendor ability to meet promised SLAs.
• No internal capability exists to track vendor performance on recoverability.

Phase 4: Insights and accomplishments

Identified progress against targets

Prioritized further initiatives

Added initiatives to the roadmap

Summary of Accomplishments

• Developed a list of high-priority initiatives that can support the extension and maintenance of the DR plan over the long term.
• Reviewed and update maturity assessments to establish progress and communicate the value of the DR program.

Summary of accomplishment

Knowledge Gained

• Conduct a BIA to determine appropriate targets for RTOs and RPOs.
• Identify DR projects required to close RTO/RPO gaps and mitigate risks.
• Use tabletop planning to create and validate an incident response plan.

Processes Optimized

• Your DRP process was optimized, from BIA to documenting an incident response plan.
• Your vendor evaluation process was optimized to identify and assess a vendor’s ability to meet your DR requirements, and to repeat this evaluation on an annual basis.

Deliverables Completed

• DRP Maturity Scorecard
• DRP Business Impact Analysis Tool
• DRP Roadmap Tool
• Incident response plan and systems recovery workflow
• Executive presentation

Info-Tech’s insights bust the most obstinate myths of DRP

Myth #1: DRPs need to focus on major events such as natural disasters and other highly destructive incidents such as fire and flood.

Reality: The most common threats to service continuity are hardware and software failures, network outages, and power outages.

Myth #2: Effective DRPs start with identifying and evaluating potential risks.

Reality: DR isn’t about identifying risks; it’s about ensuring service continuity.

Myth #3: DRPs are separate from day-to-day operations and incident management.

Reality: DR must be integrated with service management to ensure service continuity.

Myth #4: I use a co-lo or cloud services so I don’t have to worry about DR. That’s my vendor’s responsibility.

Reality: You can’t outsource accountability. You can’t just assume your vendor’s DR capabilities will meet your needs.

Myth #5: A DRP must include every detail so anyone can execute the recovery.

Reality: IT DR is not an airplane disaster movie. You aren’t going to ask a business user to execute a system recovery, just like you wouldn’t really want a passenger with no flying experience to land a plane.

Supplement the core documentation with these tools and templates

• An Excel workbook workbook to track key roles on DR, business continuity, and emergency response teams. Can also track DR documentation location and any hardware purchases required for DR.
• A questionnaire template and a response tracking tool to structure your investigation of vendor DR capabilities.
• Integrate escalation with your DR plan by defining incident severity and escalation rules . Use this example as a template or integrate ideas into your own severity definitions and escalation rules in your incident management procedures.
• A minute-by-minute time-tracking tool to capture progress in a DR or testing scenario. Monitor progress against objectives in real time as recovery tasks are started and completed.

Next steps: Related Info-Tech research

Select the Optimal Disaster Recovery Deployment Model Evaluate cloud, co-lo, and on-premises disaster recovery deployment models.

Develop a Business Continuity Plan Streamline the traditional approach to make BCP development manageable and repeatable.

Prepare for a DRP Audit Assess your current DRP maturity, identify required improvements, and complete an audit-ready DRP summary document.

Document and Maintain Your Disaster Recovery Plan Put your DRP on a diet: keep it fit, trim, and ready for action.

Reduce Costly Downtime Through DR Testing Improve your DR plan and your team’s ability to execute on it.

Implement Crisis Management Best Practices An effective crisis response minimizes the impact of a crisis on reputation, profitability, and continuity.

Research contributors and experts

• Alan Byrum, Director of Business Continuity, Intellitech
• Bernard Jones (MBCI, CBCP, CORP, ITILv3), Owner/Principal, B Jones BCP Consulting, LLC
• Paul Beaudry, Assistant Vice-President, Technical Services, MIS, Richardson International Limited
• Yogi Schulz, President, Corvelle Consulting

Glossary

• Business Continuity Management (BCM) Program: Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management. (Source: ISO 22301:2012)
• Business Continuity Plan (BCP): Documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. The BCP is not necessarily one document, but a collection of procedures and information.
• Crisis: A situation with a high level of uncertainty that disrupts the core activities and/or credibility of an organization and requires urgent action. (Source: ISO 22300)
• Crisis Management Team (CMT): A group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision makers trained in incident management and prepared to respond to any situation.
• Disaster Recovery Planning (DRP): The activities associated with the continuing availability and restoration of the IT infrastructure.
• Incident: An event that has the capacity to lead to loss of, or a disruption to, an organization’s operations, services, or functions – which, if not managed, can escalate into an emergency, crisis, or disaster.

BCI Editor’s Note: In most countries “incident” and “crisis” are used interchangeably, but in the UK the term “crisis” has been generally reserved for dealing with wide-area incidents involving Emergency Services. The BCI prefers the use of “incident” for normal BCM purposes. (Source: The Business Continuity Institute)

• Incident Management Plan: A clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services, and actions needed to implement the incident management process.
• IT Disaster: A service interruption requiring IT to rebuild a service, restore from backups, or activate redundancy at the backup site.
• Recovery Point: Time elapsed between the last good copy of the data being taken and failure/corruption on the production environment; think of this as data loss.
• Recovery Point Actual (RPA): The currently achievable recovery point after a disaster event, given existing people, processes, and technology. This reflects expected maximum data loss that could actually occur in a disaster scenario.
• Recovery Point Objective (RPO): The target recovery point after a disaster event, usually calculated in hours, on a given system, application, or service. Think of this as acceptable and appropriate data loss. RPO should be based on a business impact analysis (BIA) to identify an acceptable and appropriate recovery target.
• Recovery Time: Time required to restore a system, application, or service to a functional state; think of this as downtime.
• Recovery Time Actual (RTA): The currently achievable recovery time after a disaster event, given existing people, processes, and technology. This reflects expected maximum downtime that could actually occur in a disaster scenario.
• Recovery Time Objective (RTO): The target recovery time after a disaster event for a given system, application, or service. RTO should be based on a business impact analysis (BIA) to identify acceptable and appropriate downtime.

Bibliography

BCMpedia. “Recovery Objectives: RTO, RPO, and MTPD.” BCMpedia, n.d. Web.

Burke, Stephen. “Public Cloud Pitfalls: Microsoft Azure Storage Cluster Loses Power, Puts Spotlight On Private, Hybrid Cloud Advantages.” CRN, 16 Mar. 2017. Web.

Elliot, Stephen. “DevOps and the Cost of Downtime: Fortune 1000 Best Practice Metrics Quantified.” IDC, 2015. Web.

FEMA. Planning & Templates. FEMA, 2015. Web.

FINRA. “Business Continuity Plans and Emergency Contact Information.” FINRA, 2015. Web.

FINRA. “FINRA, the SEC and CFTC Issue Joint Advisory on Business Continuity Planning.” FINRA, 2013. Web.

Gosling, Mel, and Andrew Hiles. “Business Continuity Statistics: Where Myth Meets Fact.” Continuity Central, 2009. Web.

Hanwacker, Linda. “COOP Templates for Success Workbook.” The LSH Group, n.d. Web.

Homeland Security. Federal Information Security Management Act (FISMA). Homeland Security, 2015. Web.

Nichols, Shaun. “AWS's S3 Outage Was So Bad Amazon Couldn't Get Into Its Own Dashboard to Warn the World.” The Register, 1 Mar. 2017. Web.

Potter, Patrick. “BCM Regulatory Alphabet Soup.” RSA Archer Organization, 2012. Web.

Rothstein, Philip Jan. “Disaster Recovery Testing: Exercising Your Contingency Plan.” Rothstein Associates Inc., 2007. Web.

The Business Continuity Institute. “The Good Practice Guidelines.” The Business Continuity Institute, 2013. Web.

The Disaster Recovery Journal. “Disaster Resource Guide.” The Disaster Recovery Journal, 2015. Web.

The Disaster Recovery Journal. “DR Rules & Regulations.” The Disaster Recovery Journal, 2015. Web.

The Federal Financial Institution Examination Council (FFIEC). Business Continuity Planning. IT Examination Handbook InfoBase, 2015. Web.

York, Kyle. “Read Dyn’s Statement on the 10/21/2016 DNS DDoS Attack.” Oracle, 22 Oct. 2016. Web.

Drive Ongoing Adoption With an M365 Center of Excellence

Accelerate business processes change and get more value from your subscription by building and sharing thanks to an effective Centre of Excellence.

CLIENT ADVISORY DECK

Drive Ongoing Adoption With an M365 Centre of Excellence

Accelerate business processes change and get more value from your subscription by building and sharing thanks to an effective Centre of Excellence

Research Team:
John Donovan
John Annand
Principal Research Directors I&O Practice

41 builds released in 2021!
IT can no longer be expected to provide training to all users on all features

• Traditional classroom training (online and self-paced) is time consuming and overly generic
• Users tend to hold onto old familiar tools even as new ones roll out
• Citizen Programming comes with a lot of promise but also the spectre of reliving the era of Access ‘97 databases
• Seemingly small decisions around configuration have outsized impacts
• Every enterprises’ journey through adoption is unique

▲20% $ spent in 2021

148% more meetings
66% more users collaborating on documents
40.6B more emails

2021 vs. 2022 Source: Microsoft The Work Trend Index

• Who needs to be in a CoE? What daily tasks do they undertake?
• How do you turn artifacts like best practice documents into actual behavioral change?
• How does CoE differ from governance? And why is it going to be any more successful?
• How does the CoE evolve over time as enterprises become more mature?

CoE Competencies, Membership and Roles
Communication, Standards Templates
Adoption, and Business Success Metrics

Using these deliverables, Info-Tech will help you drive consistency in your enterprise collaboration, increase end-user satisfaction in the tools they are provided, optimize your license spending, fill the gaps between implementation of a technology and realization of business value, and empower end-users to innovate in ways that senior leadership had not imagined.

Executive Summary

Insight

User adoption is the primary focus of the efforts in the CoE

User adoption and setting up guardrails in governance are the focuses of the CoE in its early stages. Purging obsolete data from legacy share servers, and exchange, and rationalize legacy applications that are comparable to Microsoft offerings. The primary goal is M365 excellence, but that needs to be primed with a Roadmap, and laying down clear milestones to show progress, along with setting up quick wins to get buy in from the organization.

Breakdown your CoE into distinct areas for improvement

Due to the size and complexity of Microsoft 365, breaking it into clearly defined divisions makes sense. The parts that need to be fragmented into are, Collaboration, Power Apps, Office tools, Learning, Professional Training and Certifications, Governance and Support. Subject Matter experts needs to keep pace with the ever-changing M365 environment with enhancements continuously being rolled out. (There were 41 build releases in 2021 alone! )

Set up your M365 CoE in a decentralized design

Define how your CoE will be set up. It will either be centralized, distributed, or a combination of both. They all have their strengths and weaknesses; however a distributed CoE can ensure there is buy-in from the various departments across the CoE, as they participate in the decision making and therefore the direction the CoE goes. Additionally, it ensures that each segment of the CoE is accountable for the success of the M365 adoption, its usage, and delivering value to the organization.

Summary

Your Challenge

You have purchased Microsoft 365 for your business, and you have determined that you are not realizing the full value and potential of the product, neither adoption nor usage – for example, you have legacy applications that the user base is reluctant to move away from, whether it be Skype, Jabber, or other collaboration tools available to them. You have released Teams to the organization but may have not shown how useful it is and you have not communicated to the business that it is your new collaboration tool, along with SharePoint Online and OneDrive. How do you fix this problem?

Common Obstacles

There are roadblocks common to all CoEs: lack of in-house expertise, lack of resources (time, budget, etc.) and employee perception of just another burdensome administrative layer. These are exacerbated when building an M365 CoE.

• Constant vendor-initiated change in M365 means expertise always needs updating
• The self-service architecture of M365 is at odds with centralized limits and controls
• M365 is a multitude of services, adopted across a huge swath of the organization compared to the specific capabilities and limited audience of traditional CoEs

Info-Tech’s Approach

Having a clear vision of what business outcomes you want your Microsoft 365 CoE to accomplish is key. This vision helps select the core competencies and deliverables of the CoE.

1. Ongoing measurement and reporting of business value generated from M365 adoption
2. Servant leadership allows the CoE to work closely and deeply with end-users, which builds them up to share knowledge with others
3. Focus and clear lines of accountability ensure that everyone involved feels part of the compromise when decisions are to be made

Info-Tech Insight

The M365 CoE should be somewhat decentralized to avoid an “us versus them” mentality. Having clear KPIs at the center of the program makes it easier to demonstrate improvements and competencies. COMMUNICATE these early successes! They are vital in gaining widespread credibility and momentum.

Charter Mandate Authority to Operate

Mission : To accelerate the value that M365 brings to the organization by using the M365 CoE to increase adoption, build competency through training and best practices, and deliver on end user innovation throughout the business.

Vision Statement: To transform the organization’s efficiencies and performance through an optimized world-class M365 CoE by meeting all KPIs set out in the Charter.

Info-Tech Insights

A mission and vision for your M365 CoE are a necessary step to kick the program off. Not aving clear goals and a roadmap to get there will hinder your progress. It may even stall the whole objective if you cannot agree or measure what you are trying to accomplish

• The scope of the M365 CoE is to build the adoption rate that can meet milestone goals to advance user competency, as well as the maturation of the SMEs in each segment of the CoE leadership and contributors.
• Maturity will be measured through 100% adoption, specifically around collaboration tools and Office apps across the organization that use M365. Strategic value will be measured by core competencies within the CoE.
• SMEs are developed and educated with certifications and other training throughout the course of the CoE development to bring “bench strength” to the vision of optimizing a world-class M365 CoE.
• SMEs will all be certified Microsoft professionals. They will set the standard to be met within the CoE. The SMEs can either be internal candidates or external hires, depending on the current IT department competency.
• Additional resources required will be tech savvy department leads that understand and can help in the training of staff, who also are willing to spend a certain amount of their work time in coaching colleagues.
• They will be assisted by the training through the SMEs providing relevant material and various M365 courses both in class and self-paced online learning using M365 VIVA tools.

Charter Metrics

Areas in Scope:

• Ensure Mission is aligned to the business objectives.
• Form core team for M365 CoE, including steering committee.
• Create document for signoff from business sponsors.
• Build training plans for users, engineers, and admins.
• Document best practices and build standard templates for organizational uniformity.
• Build governance charter and priorities, setting up guardrails early to ensure compliance and security.
• Transition away and retire all legacy on-Prem apps to M365 Cloud apps.
• Build a RACI model for roles and responsibility.

Info-Tech Insights

If meaningful metrics are set up correctly, the CoE can produce results early in the one- or two-year process, demonstrating business value and increasing production amongst staff and demonstrating SME development.

CoE

What are the reason to build an M365 CoE, and what is it expected to deliver?

What It IS NOT

It does not design or build applications, migrate applications, or create migration plans. It does not deploy applications nor does it operate and monitor applications. While a steering committee is a key part of the M365 CoE, its real function is to set the standards to be achieved though metrics that can measure a successful, efficient, and best-in-class M365 operation. It does not set business goals but does align M365 goals to the business drivers. SMEs in the CoE give guidance on M365 best practices and assist in its adoption and users’ competency.

What It IS

M365 CoE means investing in and developing usage growth and adoption while maintaining governance and control. A CoE is designed to drive innovation and improvement, and as a business-wide functional unit, it can break down geographical and organizational silos that utilize their own tools and collaboration platforms. It builds a training and artifacts database of relevant and up-to-date materials.

Why Build It

Benefits that can be realized are:

• Building efficiencies, delivering quality training and knowledge transfer, and reducing risk from an organized and effective governance.
• Consistency in document and information management.
• Reusable templates and blueprints that standardize the business processes.
• Standardized and communicated business policies around security and best practices.
• Overcoming the challenges that comes with the titan of a platform that is M365.

Expected Goals and Benefits With Risk

Demonstrated impact for sustainability
Ensuring value is delivered
Ability to escalate to executive branch

The What?

What does the M365 CoE solve?

• M365 Adoption
• M365 tools templates
• SME in tools deployment and delivery
• Training and education – create artifacts and organize training sessions and certifications
• Empower users into super users
• Build analytics around usage, adoption, and ROI from license optimization

And the How?

How does the M365 CoE do it?

• By defining clear adoption goals and best practices
• By building a dedicated team with the confidence to improve the user experience
• By creating a collection of reusable artifacts.
• By establishing a stable, tested environment ensures users are not hindered in execution of the tools
• By continuously improving M365 processes

What are the Risks?

• All goals must be achievable
• Timeline phases are based on core SME competency of the IT department and the training quality of end users
• Current state of SMEs in house or hired to execute the mandate of the M365 CoE
• Business success – if business is struggling to make profits and grow, its usually the CoE that will get chopped – mainly due to layoffs
• Inability to find SMEs or train SMEs
• Turnover in CoE due to job function changes or attrition
• Overload of day-to-day responsibilities preventing SMEs from executing work for the CoE – Need to align SMEs and CoE steering chair to establish and enable shared responsibilities.

Who needs to be in a CoE for M365

Design the CoE – What model to be used?

What are their daily tasks? Is the CoE centralized, decentralized, or a combination?

Info-Tech Insights

Due to the size and complexity of Microsoft 365, a decentralized model works best. Each segment of the group could in themselves be a CoE, as in governance, training, or collaboration CoE. Maintaining SME in each group will drive the success of the M365 CoE.

Key Competencies for CoE

• Build a team of experts in M365 with sub teams in Products.
• Manage the business processes around M365.
• Train and optimize technical teams.
• Share best practices and create a knowledge base.
• Build processes that are repeatable and self-provisioned.

CoE for M365

What is the Structure? Is it centralized, decentralized, or combination? What are the pros and cons?

Thought Model

How does the CoE differ from governance?

Why is it going to be any more successful?

“These problems already exist and haven't been successfully addressed by governance – how is the CoE going to be any different?”

• Leadership
• Empower end users
• Automation of processes
• Retention policies
• Governance priorities
• Risk management
• Standard procedures
• Set metrics
• Self service
• Training
• SMEs
• Automation
• Innovation

CoE

While M365 governance is an integral part of the M365 CoE, the CoE is a more strategic program aimed at providing guidance, experienced leadership, and training.

The CoE is designed to drive innovation and improvements throughout the organization’s M365 deployment. It will build best practices, create artifacts, and mentor members to become SMEs.

Governance

CoE is a form of collaborative governance. Those responsible for making the rules are the same ones who are working through how the rules are implemented in practice.

The word most associated with CoE is "nurture." The word most associated with governance is "prevent."

The CoE is experimental and innovative and constantly revising its guidance compared to governance, which is opaque and static.

RACI chart for CoE define activities and ownership

The Work

Build artifacts

Templates

Scripts

Reference architecture

Policies definition

Blueprints

Version control

Measure usage and ROI

Quality assurance

Baseline creation and integrity

Steering Committee

Roles and Responsibilities

• Set the goals and metrics for the CoE charter
• Ensure the CoE is aligned to the business objectives
• Clear any roadblocks that may hinder progress for the team leads
• Provide guidance on best practices
• Set expectations for training and certifications
• Build SME strength through mentoring
• Promote and facilitate research into M365 developments and releases
• Ensure knowledge transfer is documented
• Create roadmap to ensure phase KPIs are met and drive toward excellence

Info-Tech Insight

Executive sponsorship is an element of the CoE that cannot be overlooked. If this occurs, the funding and longevity of the CoE will be limited. Additionally, ensure you determine if the CoE will have an end of life and what that looks like.

M365 Governance CoE Team

Governance and Management

After you’ve developed and implemented your data classification framework, ongoing governance and maintenance will be critical to your success. In addition to tracking how sensitivity labels are used in practice, you’ll need to update your control requirements based on changes in regulations, cybersecurity leading practices, and the nature of the content you manage. Governance and maintenance efforts can include:

• Establishing a governance body dedicated to data classification or adding a data classification responsibility to the charter of an existing information security body.
• Defining roles and responsibilities for those overseeing Data Classification
• Establishing KPIs to monitor and measure progress
• Tracking cybersecurity leading practices and regulatory changes
• Developing Standard Operating Procedures that support and enforce a data classification framework

Governance CoE

Tools Used in the Governance CoE Identity – MFA, SSO, Identity Manager, Conditional Access, AD , Microsoft Defender, Compliance Assessments Templates

Security and Compliance - Azure Purview, Microsoft Defender Threat Analytics, Rules-Based Classification (AIP Client & Scanner), Endpoint DLP, Insider Risk Management

Information Management – Audit Log Retention, Information Protection and Governance, Trainable Classifiers

Licenses – Entitlement Management, Risk-Based Conditional Access.

M365 Tools CoE Team

• Collaboration tools are at the center of the product portfolio for M365.
• Need to get users empowered to manage and operate Teams, OneDrive, and SharePoint Online and promote uniform communications and collaborate with document building, sharing, and storing.

Collaboration SME – Teams admin, Exchange admin, SharePoint, One Drive admin, Viva Learning (Premium), and Viva Insights (Premium)

Application SME – Covers all updates and new features related to Office programs

Power BI SME – Covers Power Automate for Office 365, Power Apps for Office 365, and Power BI Pro

Voice and Video – Tools-Calling Plan, Audio Conference (Full), Teams Phone, Mobility

PMO – Manages all M365 products online and in production. Also coordinates enhancements, writes up documentation for updates, and releases them to the training CoE for publication.

Microsoft 365 tools used to support business

• Appointments – Booking
• Blog – Sway
• Browser – Edge
• Cloud Storage – OneDrive
• Collaboration – Teams
• Email and Calendar – Outlook
• Notebook – OneNote
• Planner – Planner
• Presentation – PowerPoint
• Spreadsheet - Excel
• Surveys/Quizzes/Polls - Forms
• Whiteboard - Whiteboard
• Word Processor – Word
• Voice – Teams Phone

M365 Training CoE Team

Training and certifications for both end users and technical staff managing the M365 platform. Ensure that you set goals and objectives with your training schedule.

Training for SMEs can be broken into two categories:

First line training is internal training for users, in the collaboration space. Teams, One Drive, SharePoint Online, Exchange, and specialty training on Office tools – Word, PowerPoint, Excel, and Microsoft Forms.

Second line training is professional development for the SMEs including certifications in M365 admin, Global admin, Teams admin, and SharePoint administrator.

Additional training and certification can be obtained in governance, information management, and in the admin center for licencing optimization and compliance.

Tools used

• Viva topics – Integrated knowledge and expert discovery
• Viva Insight
• Viva Learning
• Viva Connections
• Dynamics 365
• Voice of the customer surveys

Support M365 CoE Team

Support CoE:

In charge of creating a knowledge base for M365. Manages incidents with access, usage, and administering apps to desktop. Manages change issues related to updates in patching.

Help Desk Admin:

Resets passwords when self service fails, force sign out, manages service requests.

Works with learning CoE to populate knowledge base with articles and templates.

Manages end user issues with changes and enhancements for M365.

Supporting Metrics

• Number of calls for M365 support
• Recurring M365 incidents
• Number of unresolved Platform issues
• First call resolution
• Knowledge sharing of M365
• Customer satisfaction
• Turnaround time of tickets created

Roadmap

How does the CoE evolve over time as enterprises become more mature?

• Depending on the complexity and regulatory requirements of the business, baseline governance and rules around external partners sharing internal documents will need to be set up.
• Identifying your SMEs in the organization is a perquisite at the beginning stages of setting up the M365 working group.

• Build a roadmap to get to maturity and competency that brings strategic business value.
• Meet milestone goals through a two-year, three-phase process. Begin with setting up governance guardrails.
• Set up foundational baselines against which metrics will be measured.
• Set up the M365 CoE, at first with target easy wins through group training and policy communications throughout the organization.

How do you turn artifacts like best practice documents into actual behavior change?

Info-Tech Insights

Building Blocks
The building blocks for a change in end user behavior are based on four criteria which must be clearly communicated. Knowledge transfer from SMEs to the training team is key. That in turn leads to effective knowledge transfer, allowing end users to develop skills quickly that can be shared with their teams. Sharing practices leads to best practices and maintaining these in a repository that can be quickly accessed will build on the efficiencies and effectiveness of the employees.

How Do You Empower End Users to Innovate?

Info-Tech Insights

Understand the Vision

Empowering End users starts with understanding the business vision that is embedded into the M365 CoE charter.

Ensure that the business innovation goals are aligned to the organizational strategies.

The innovative strategies need to be clearly communicated to the employees and the tools to achieve this needs to be mapped out and trained. Clearly lay out the goals, outcomes, and expectations.

End users need to understand how the M365 CoE will assist them in their day-to-day operations, whether in the collaboration space with their colleagues, or with power BI that assists them in their decision making though analytics.

The Right Resources

Arm your team with the resources they need to be successful. Building use cases as part of the training program will give the employees insight into how the M365 tools can be used in their daily work environment. It will also address the pervasive use of nonstandard tools as is seen throughout organizations that are operated in a vacuum.

Empowering your user base though the knowledge transfer borne through the building of artifacts that deal with real life examples that join the dots for employees.

By painting a picture of how the innovative use of the M365 platform can be achieved, users will feel empowered and use those use cases to build out their own innovative ideas.

Hybrid Work

Digital fabric

Collaboration – Communication – Creation

Cloud Services – Innovative Apps – Security

Productivity anywhere any place

Shared working documents in secure cloud

Mesh for Microsoft Teams/Viva

Power apps and dataverse for Teams

Self Service M365

My Apps

My Sign-Ins

My Groups

My Staff

My Access

My Account

Password reset

Sample Best Practices
Tools and Standards Templates

Then communicate them

Collaboration Best Practices

Sharing documents

Real time co-authoring

Comment

Meet

Mobile

Version History

Security Best Practices

Default Security Settings

Microsoft Security Score

Enable Alert Policies

Assign RBAC for Admins

Enable Continuous Access Evaluation

Admin Roles Best Practices in M365

• Two or three global admins in tenant/limit usage of secondary admin roles
• See Admin Portal
• •Screen shots: Best Practices Securing M365

Business Success Metrics for M365 CoE

What does success look like?

• Are you aligning the M365 metrics to business goals?
• Are your decisions data driven?
• Are you able to determine opportunities to improve with your metrics – continuous process improvement?
• Are you seeing productivity gains, and are they being measured?

Activity Output

Start building your M365 CoE and considering the steps for the Phase 1 checklist

BUILD A FOUNDATIONAL BASELINE

Step 1

1. Select Resources to create a CoE working group
2. Define your goals and objectives
3. Identify SMEs within the business and do a gap analysis
4. Build the M365 charter, mission, and vision
5. Build consensus and sponsorship from C suite
6. Create an organizational M365 framework that provides best coverage for all touch points to the platform, from support to training to controls.
7. Determine the type of CoE you want to create that fits your business (centralized, distributed, or a combination).

Step 2

1. Build training plans for SMEs and M365 teams
2. Populate company intranet with artifacts, knowledge articles, and user training portal with all things M365
3. Build out best practice workbooks, tools, and templates that encompass all departments
4. Create roles and responsibilities matrix
5. Identify “super users” in departments to assist with promoting learning and knowledge sharing.
6. Develop Metrics scorecards on success criteria ensuring they align to business goals

Step 3

1. Rational M365 licensing
2. Create communication plan promoting CoE and M365 advantages
3. Align your governance posture and building guardrails
4. Identify legacy apps that can be retired and replaced
5. Train support team and analysts with metrics supporting M365 CoE goals
6. Create baseline metrics with clear alignment to business KPIs

Related Blueprints

Modernize Your Microsoft Licensing for the Cloud Era

• Take control of your Microsoft licensing and optimize spend

Govern Office 365

• Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals

Migrate to Office 365 Now

• One small step to cloud, one big leap to Office 365. The key is to look before you leap

Build a Data Classification MVP for M365

• Kickstart your governance with data classification users will actually use!

Bibliography

“Five Guiding Principles of a successful Center of Excellence” Perficient, n.d. Web.

“Self Service in Microsoft 365.” Janbakker.tech, n.d. Web.

“My Apps portal overview.” Microsoft, June 2, 2022. Web.

“Collaboration Best Practices Microsoft365.” Microsoft, n.d. Web.

“Security Best Practices Microsoft 365” Microsoft, July 1, 2022. Web.

Collaborate Effectively in Microsoft Teams

Empower your users to explore Teams collaboration beyond the basics.

Analyst Perspective

Life after Teams implementation

You have adopted Teams, implemented it, and painted an early picture for your users on the basics. However, your organization is not yet maximizing its use of Teams' collaboration capabilities. Although web conferencing, channel-based collaboration, and chat are the most obvious ways Teams supports collaboration, users must explore Teams' functionality further to harness the application's full potential.

You should enable your users to expand their collaboration use cases in Teams, but not at the risk of being flooded with app requests, nor user confusion or dissatisfaction. Instead, develop a process to evaluate and integrate new apps that will benefit the organization. Encourage your users to request new apps that will benefit them, while proactively planning for app integration that users should be alerted to.

Emily Sugerman Research Analyst, Infrastructure and Operations Info-Tech Research Group

Executive Summary

Your Challenge

Your organization has adopted Microsoft Teams, but users are not getting the maximum benefit.

• IT needs to support the business to get the best value out of Microsoft Teams: managing Teams effectively while enabling end-user creativity.
• IT must follow best practices for evaluating new functionality when integrating Microsoft and third-party apps, while communicating changes to end users.
• Due partly to the frequent addition of new features and lack of communication and training, many organizations don't know which apps would benefit their users.

Common Obstacles

• Users are unenthusiastic about exploring Teams further due to negative past experiences, preference for other applications, or indifference.
• End users are unaware of the available range of features. When they become aware and try to add unapproved or unlicensed apps, they experience the frustration of being declined.
• Users seek support from IT who are unfamiliar with new Teams features an apps, or with supporting Teams beyond the basics.
• IT teams have no process to raise end-user awareness of these apps and functionality.

Info-Tech's Approach

Use Info-Tech's Collaborate Effectively in Microsoft Teams to help collaboration flourish:

• Collate key organizational collaboration use cases
• Prioritize the most important Teams apps and features to support use cases
• Implement request process for new Teams apps
• Communicate new Teams collaboration functionality

Info-Tech Insight

Collaboration is as much an art as a science. IT can help users collaborate more effectively in Teams by removing friction – while still maintaining guardrails – for users attempting to build out and experiment with features and capabilities.

Are your users in a Teams rut?

Are users failing to maximize their use of Teams to collaborate and get work done?

Teams can do much more than chat, video conferencing, and document sharing. A fully-deployed Teams also lets users leverage apps and advanced collaboration features.

However, IT must create a process for evaluating and approving Microsoft and third-party apps, and for communicating changes to end users.

In the end, IT needs to support the business to get the best value out of Microsoft Teams: managing Teams effectively while also enabling end-user creativity.

Third-party app use in Teams is rising:

“Within Teams, the third-party apps with 10,000 users and above rose nearly 40% year-over-year.”
Source: UC Today, 2023.

Collaborate effectively in Microsoft Teams

Set up your users for Teams collaboration success. Create a process that improves their ability to access, understand, and maximize their use of your chosen collaboration software solution.

Challenges with Teams collaboration

• Lack of motivation to explore available features
• Scattered information
• Lack of comfort using Teams beyond the basics
• Blocked apps
• Overlapping features
• Confusing permissions

Empowering Collaboration in Microsoft Teams

1. Identify current collaboration challenges and use cases in Teams
2. Create Teams app request workflows
3. Set up communication hubs in Teams
4. Empower end users to customize their Teams for effective collaboration

Solution

• Collate key organizational collaboration use cases
• Prioritize the most important Teams apps and features to support use cases
• Implement request process for new Teams apps
• Communicate new Teams collaboration functionality

Project deliverables

Use these tools to develop your plan to enable effective collaboration in Microsoft Teams.

Key deliverable:

Microsoft Teams Planning Tool

An Excel tool for documenting the organization's key collaboration use cases and prioritizing which Teams apps to implement and encourage adoption of.

Additional support:

Microsoft Teams End-User Satisfaction Survey

Use or adapt this survey to capture user perception of how effectively Teams supports collaboration needs.

Insight Summary

Key Insight:

Collaboration is as much an art as a science. IT can help users collaborate more effectively in Teams by removing friction – while still maintaining guardrails – for users attempting to build out and experiment with features and capabilities.

Additional insights:

Insight 1

Users can browse the Teams app store and attempt to add unapproved apps, but they may not be able to distinguish between available and blocked apps. To avoid a bad user experience, communicate which apps they can add without additional approval and which they will need to send through an approval process.

Insight 2

Teams lets you customize the message users see when they request unapproved apps and/or redirect their request to your own URL. Review this step in the request process to ensure users are seeing the instructions that they need to see.

Insight 3

A Teams hub is where users can access a service catalog of approved Teams apps and submit service requests for new ones via the Make a Request button.

Section 1: Collaborating Effectively in Teams for IT

Stop: Do you need the Teams Cookbook?

If you:

• are at the Teams implementation stage,
• require IT best practices for initial governance of Teams creation, or
• require end-user best practices for basic Teams functionality …

Consult the Microsoft Teams Cookbook first.

Understand the Microsoft vision of Teams collaboration

Does it work for you?

Microsoft's vision for Teams collaboration is to enable end-user freedom. For example, out of the box, users can create their own teams and channels unless IT restricts this ability.

Teams is meant to be more than just chats and meetings. Microsoft is pushing Teams app integration so that Teams becomes, essentially, a landing page from which users can centralize their work and org updates.

In partnership with the business, IT must determine which guardrails are necessary to balance end-user collaboration and creativity with the need for governance and control.

Why is it difficult to increase the caliber of collaboration in Teams?

Because collaboration is inherently messy, complex, and creative

Schubert & Glitsch find that enterprise collaboration systems (such as Teams) have characteristics that reflect the unstructured and creative nature of collaboration. These systems “are designed to support joint work among people in the workplace. . . [They] contain, for the most part, unstructured content such as documents, blogs, or news posts,” and their implementations “are often reported to follow a ‘bottom up' and rather experimental introduction approach.” The open-endedness of the tool requires users to be able to creatively and voluntarily apply it, which in turn requires more enterprise effort to help increase adoption over time through trial and error.

Source: Procedia Computer Science, 2015

Info-Tech Insight

Collaboration is as much an art as a science. IT can help users collaborate more effectively in Teams by removing friction – while still maintaining guardrails – for users attempting to build out and experiment with features and capabilities.

Activity 1: Identify current challenges

Input: Team input, Survey results
Output: List of Teams challenges experienced by the organization
Materials: Whiteboard (digital or physical)
Participants: Teams collaboration working group

First, identify what works and what doesn't for your users in Teams

• Have users reported any challenges with Teams as their primary means of channel-based collaboration? Run a short survey to capture end-user sentiment on how Teams works for them. This survey can be set up and distributed through Microsoft Forms. Distribute either to the whole organization or a specific focus group. Gather feedback from users on the following: What are the major ways they need to collaborate to do their jobs? What IT-supported tools do they need to support this collaboration? What specific aspects of Teams do they want to better exploit?
• If you send out transactional surveys on service desk tickets, run a report on Teams-related tickets to identify common complaints.
• Brainstorm Teams challenges IT has experienced personally or have seen reported – especially difficulties with collaboration.
• Once you have the data, group the challenges into themes. Are the challenges specifically related to collaboration? Data issues? Support issues? Access issues? Technical issues? Document them in tab 2 of the Microsoft Teams Planning Tool.

Download the Microsoft Teams End-User Satisfaction Survey template

Define your organization's key collaboration scenarios

Next, identify what users need to do in Teams

The term collaboration scenarios has been proposed to describe the types of collaboration behavior your software – in this case, Teams – must support (Schubert & Glitsch, 2015). A successful implementation of this kind of tool requires that you “identif[y] use cases and collaboration scenarios that best suit a specific company and the people working in it” (Schubert & Glitsch, 2016).

Teams tends to support the following kinds of collaboration and productivity goals (see list).

What types of collaboration scenarios arise in the user feedback in the previous activity? What do users most need to do?

Be proactive: Configure Microsoft Teams to match collaboration scenarios/use cases your users must engage in. This will help prevent an increase in shadow IT, where users attempt to bring in unapproved/unreviewed software that might duplicate your existing service catalog and/or circumvent the proper review and procurement process.

MS Teams Use Cases

1. Gather feedback
2. Collaboratively create content
3. Improve project & task management
4. Add media content
5. Conduct knowledge management
6. Increase meeting effectiveness
7. Increase employee engagement
8. Enhance professional development
9. Provide or access support
10. Add third-party apps

Activity 2: Match your collaboration scenarios to Teams capabilities

Input: Collaboration scenarios, Teams use cases
Output: Ranked list of Teams features to implement and/or promote
Materials: Microsoft Teams Planning Tool
Participants: Teams collaboration working group

Which features support the key collaboration use cases?

1. Using the Microsoft Teams Planning Tool, list your organization's key collaboration scenarios. Draw on the data returned in the previous activity. List them in Tab 2.
2. See the following slide for the types of collaboration use cases Teams is designed to support. In the planning tool, select use cases that best match your organizational collaboration scenarios.
3. Dive into more specific features on Tab 3, which are categorized by collaboration use case. Where do users' collaboration needs align with Teams' inherent capabilities? Add lines in Tab C for the third-party apps that you are considering adding to Teams.
4. In columns B and C of Tab 3, decide and prioritize the candidates for implementation. Review the list of prioritized features on tab 4.

NB: Microsoft has introduced a Teams Premium offering, with additional capabilities for meetings and webinars (including customized banding, meeting watermarks, and virtual webinar green rooms) and will paywall some features previously available without Premium (live caption translations, meeting data on attendee departure/arrival times) (“What is Microsoft Teams Premium?”, n.d.)

Download the Microsoft Teams Planning Tool

MS Teams productivity & collab features

Teams apps & collaboration features enable the following types of work. When designing collaboration use cases, identify which types of collaboration are necessary, then explore each category in depth.

1. Gather feedback

   Solicit feedback and comments, and provide updates

2. Collaboratively create content

   Compose as a group, with live-synced changes

3. Improve project & task management

   Keep track of projects and tasks

4. Add media content

   Enrich Teams conversations with media, and keep a library of video resources

5. Knowledge management

   Pull together document libraries and make information easier to find

6. Increase meeting effectiveness

   Facilitate interactions and document meeting outcomes

7. Increase employee engagement

   Use features that enhance social interaction among Teams users

8. Enhance professional development

   Find resources to help achieve professional goals

9. Provide or access support

   IT and user-facing resources for accessing and/or providing support

10. Add third-party apps

    Understand the availability/restrictions of the built-in Teams app catalog

The Teams app store

• The lure of the app store: Your users will encounter a mix of supported and unsupported applications, some of which they can access, some for which you have no licenses, some built by your organization, some built by Microsoft or third parties. However, the distinction between these categories may not be immediately apparent to users. Microsoft does not remove blocked apps from users' view.
• Users may attempt to add unsupported apps and then receive error messages or prompts to send a request through Teams to IT for approval.
• App add-ins are not limited to those built by Microsoft Corporation. The Teams app store also features a plethora of third-party apps that can provide value.
• However, their third-party status introduces another set of complications.
• Attempting to add third-party apps may expose users to sales pitches and encourage the implementation of shadow IT, circumventing the IT request process.

Info-Tech Insight

Users can browse and attempt to add unapproved apps in the Teams app store, but they may have difficulty distinguishing between available and blocked apps. To avoid a bad user experience, communicate to your users which apps they can add without additional approval, and which must be sent through an approval process.

Decide how you will evaluate requests for new Teams apps

• As you encourage users to explore and fully utilize Teams, you may see increased requests for admin approval for apps you do not currently support.
• To prevent disorganized response and user dissatisfaction, build out a workflow for handling new/unapproved Teams app requests. Ensure the workflow accounts for Microsoft and third-party apps.
• What must you consider when integrating third-party tools? You must have control over what users may add. These requests should follow, or build upon, your existing process for non-standard requests, including a process for communicating the change.
• Track the fulfillment time for Teams app requests. The longer the user must wait for a response, the more their satisfaction will decline.

icrosoft suggests that you regularly review the app usage report in the Teams admin center as “a signal about the demand for an app within your organization.” This will help you proactively determine which apps to evaluate for approval.

Build request workflow for unsupported Teams apps

What are the key steps?

1. Request comes in
2. Review by a technical review team
3. Review by service desk or business analyst
4. Additional operational technical reviews if necessary
5. Procurement and installation
6. Communication of result to requester
7. App added to the catalog so it can be used by others

Info-Tech Insight

Teams allows you to customize the message users see when they request an unapproved app and/or redirect their request to your own URL. Review this step in the request process to ensure your users are seeing the instructions that they need to see.

Download the Service Request Workflow library

Incorporate new approved service requests into a service request catalog

Follow the process in Reduce Shadow IT With a Service Request Catalog to build out a robust request management process and service catalog to continuously incorporate new non-standard requests and advertise new Teams apps:

• Design the service
• Design the catalog
• Build the catalog
• Market the service

Add a company hub to Teams

Use Teams to help users access the company intranet for organizational information that is relevant to their roles.

This can be done in two ways:

1. By adding a SharePoint home site to Teams.
2. By leveraging Viva Connections: A hub to access other apps and Viva services. The user sees a personalized dashboard, feed, and resources.

(Venn diagram recreated from Microsoft Learn, 2023.)

Info-Tech Insight

The hub is where users can access a service catalog of approved Teams apps and submit service requests for a new one via a Make a Request button.

Communicate changes to Teams

Let end users know what's available and how to add new productivity tools.

Where will users find approved Teams apps? How will you inform people about what's available? Once a new app is available, how is this communicated?

Options:

• Communicate new Teams features in high-visibility places (e.g. the Hub).
• Leverage the Power Apps Bulletins app in Teams to communicate regular announcements about new features.
• Create a company-wide Team with a channel called “What's New in Teams.” Post updates on new features and integrations, and link to more detailed knowledgebase articles on how to use the new features.
• Aim for the sweet spot of communication frequency: not too much nor too little.

Measure your success

Determine how you will evaluate the success of your efforts to improve the Teams collaboration experience

Improved satisfaction with Teams: Increased net promoter score (NPS)

Utilization of features: Increased daily average users on key features, apps, integrations

Timeliness: % of SLAs met for service request fulfillment

Improved communication to end users about Teams' functionality: Satisfaction with knowledgebase articles on Teams

Satisfaction with communication from IT

Section 2: Collaborating Effectively in Teams for End Users

For IT: Use this section to help users understand Teams collaboration features

Share the collateral in this section with your users to support their deeper exploration of Teams collaboration.

• Use the Microsoft Teams Planning Tool to prepare a simple service catalog of the features and apps available to your users.
• Edit Tab 2 (MS Teams Collab Features & Apps) by deleting the blocked apps/features.
• Share this document with your users by linking to it via this image on the following slides:

Download the Microsoft Teams Planning Tool for an expanded list of features & apps

End-user customization of Teams

Consider how you want to set up your Teams view. Add the apps you already use to have them at your fingertips in Teams.

You can . . .

1. Customize your navigation bar by pinning your preferred apps and working with them within Teams (Microsoft calls these personal apps).
2. Customize your message bar by adding the app extensions you find most useful.
3. Customize chats and Teams by adding tabs with content your group needs frequent access to.
4. Set up connectors to send notifications from apps to a Team and bots to answer questions and automate simple tasks.

Learn more from Microsoft here

MS Teams productivity & collab features

The Apps catalog includes a range of apps that users may add to channels, chat, or the navigation bar. Teams also possesses other collaboration features that may be underused in your organization.

1. Gather feedback

   Solicit feedback and comments, and provide updates

2. Collaboratively create content

   Compose as a group, with live-synced changes

3. Improve project & task management

   Keep track of projects and tasks

4. Add media content

   Enrich Teams conversations with media, and keep a library of video resources

5. Knowledge management

   Pull together document libraries and make information easier to find

6. Increase meeting effectiveness

   Facilitate interactions and document meeting outcomes

7. Increase employee engagement

   Use features that enhance social interaction among Teams users

8. Enhance professional development

   Find resources to help achieve professional goals

9. Provide or access support

   IT and user-facing resources for accessing and/or providing support

10. Add third-party apps

    Understand the availability/restrictions of the built-in Teams app catalog

Download the Microsoft Teams Collaboration Tool for an expanded list of features & apps

Use integrated Teams features to gather feedback and provide updates

• Vote: Create a list of items for teams to brainstorm pros and cons, and then tabulate votes on. This component can be edited inline by anyone with whom the component is shared. The edits will sync anywhere the component is shared.
• Meeting polls: Capture instant feedback from teams, chat, and call participants. Participant anonymity can be set by the poll organizer. Results can be exported.
• Create surveys and quizzes and share the results. Results can be exported.
• Create, track, and review updates and progress reports from teams and individuals.

Collaboratively create content

Download the Microsoft Teams Planning Tool for an expanded list of features & apps

Use integrated Teams features composed as a group, with live-synced changes

• Microsoft Office documents: Add/upload files to a chat or channel discussion. Find them again in the Files tab or add the file itself as a tab to a chat or channel and edit it within Teams.
• Brainstorm with the Whiteboard application. Add a whiteboard to a tab or to a meeting.
• Add Loop components to a chat: Create a list, checklist, paragraph, or table that can be edited in real time by anyone in the chat.
• Add OneNote to a chat or channel tab or use during a meeting to take notes. Pin OneNote to your app bar if it's one of your most frequently-used apps.

Improve project & task management

Download the Microsoft Teams Planning Tool for an expanded list of features & apps

Keep track of projects and tasks

• Use the Approvals and Update apps to create, track, and respond to requests for approvals and progress reports within Teams.
• Use Tasks by Planner & To Do to track both individual and team tasks. Pin the Tasks app to the app bar, add a plan as a tab to a Team, and turn any Teams message into a task by right-clicking on it.
• Start a chat with yourself to maintain a private space to jot down quick notes.
• Add Lists to a Teams channel.
• Explore automation: Add pre-built Teams workflows from the Workflows app, or build new ones in PowerAutomate
• IT teams may leverage Teams apps like Azure Boards, Pipelines, Repos, AD notifications, and GitHub.

Add media content

Download the Microsoft Teams Planning Tool for an expanded list of features & apps

Enrich Teams conversations with media, and keep a library of video resources

• Search for and add specific news stories to a chat or channel. See recent news stories in search.
• Search, share, and watch YouTube videos.
• Share video links from Microsoft Stream.
• Add RSS feeds.

Knowledge management

Download the Microsoft Teams Planning Tool for an expanded list of features & apps

Pull together document libraries and make information easier to find

• Add a page from an existing SharePoint site to a Team as a tab.
• Add a SharePoint document library to a Team as a tab.
• Search names of members of your organization to learn about their role, place in the organizational structure, and contact information.

Increase meeting effectiveness

Download the Microsoft Teams Planning Tool for an expanded list of features & apps

Facilitate interactions and document meeting outcomes

• Take simple notes during a meeting.
• Start conversations and ask and answer questions in a dedicated Q&A space during the Teams meeting.
• Turn on live captions during the meeting.
• Record a meeting and automatically generate a transcript of the meeting.
• Assign attendees to breakout rooms.
• Track the effectiveness of the meeting by producing an attendance report with the number of attendees, the meeting start/end time, a list of the attendees, and participation in activities.

Increase employee engagement

Download the Microsoft Teams Planning Tool for an expanded list of features & apps

Use features that enhance social interaction among Teams users

• Send supportive comments to colleagues using Praise.
• Build out digital avatars to toggle on during meetings instead of your own video.
• Apply different visual effects, filters, and backgrounds to your screen during meetings.
• Games for Work: Launch icebreaker games during a meeting.
• Translate a Teams message from another language to your default language.
• Send emojis, GIFs, and stickers in messages or as reactions to others' messages. You can also send reactions live during meetings to increase meeting engagement.

Enhance professional development

Download the Microsoft Teams Planning Tool for an expanded list of features & apps

Connect with learning resources and apply data-driven feedback based on Teams usage

• Add learning materials from various course catalogs in Viva Learning.
• Speaker Coach: Receive AI feedback on your performance as a speaker during a meeting.
• Receive automatically generated insights and suggestions from Viva Insights on work habits and time allocation to different work activities.
• Viva Goals: Track organizational "objectives and key results"/manage organizational goals

Provide or access support

Download the Microsoft Teams Planning Tool for an expanded list of features & apps

IT and user-facing resources for accessing or providing support

• Admin: Carry out simple Teams management tasks (for IT).
• Power Virtual Agents: Build out chatbots to answer user questions (can be built by IT and end users for their customers).
• Resource Center: A combination of pre-built Microsoft resources (tips, templates) with resources provided by organizational IT.
• Support: Access Microsoft self-serve knowledgebase articles (for IT).

Add third-party apps

Understand the availability/restrictions of the built-in Teams app catalog

• App add-ins are not limited to those built by Microsoft Corporation. The Teams app store also features a plethora of third-party apps that may provide value.
• However, being able to view an app in the app store does not necessarily mean it's supported or licensed by your organization.
• Teams will allow users to request access to apps, which will then be evaluated by your IT support team. Follow your service desk's recommended request process for requesting and justifying the addition of a new Teams app that is not currently supported.
• Before making the request, investigate existing Teams features to determine if the functionality is already available.

Research contributors

Mike Cavanagh
Global Service Desk Manager
Clearwater Seafoods LP

Info-Tech contributors:

Benedict Chang, Senior Advisory Analyst

John Donovan, Principal Research Director

Allison Kinnaird, Practice Lead

P.J. Ryan, Research Director

Natalie Sansone, Research Director

Christine West, Managing Partner

Related Info-Tech Research

Reduce Shadow IT With a Service Request Catalog

Foster business relationships through sourcing-as-a-service. There is a direct correlation between service delivery dissatisfaction and increases in shadow IT. Whether the goal is to reduce shadow IT or gain control, improved customer service and fast delivery are key to making lasting changes.

Microsoft Teams Cookbook

Recipes for best practices and use cases for Teams. Microsoft Teams is not a standalone app. Successful utilization of Teams occurs when conceived in the broader context of how it integrates with M365. Understanding how information flows between Teams, SharePoint Online, and OneDrive for Business, for instance, will aid governance with permissions, information storage, and file sharing.

Govern Office 365

You bought it. Use it right. Map your organizational goals to the administration features available in the Office 365/M365 console. Your governance should reflect your requirements.

Bibliography

Mehta, Tejas. “The Home Site App for Microsoft Teams.” Microsoft Community Hub. https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/the-home-site-app-for-microsoft-teams/ba-p/1714255.

Overview: Viva Connections. 7 Mar. 2023, https://learn.microsoft.com/en-us/viva/connections/viva-connections-overview.

Rogers, Laura. “SharePoint Home Site in Teams.” Wonderlaura, 24 Jun 2021. https://wonderlaura.com/2021/06/24/sharepoint-home...

Schubert, Petra, and Johannes H. Glitsch. “Adding Structure to Enterprise Collaboration Systems: Identification of Use Cases and Collaboration Scenarios.” Procedia Computer Science, vol. 64, Jan. 2015, pp. 161–69. ScienceDirect, https://doi.org/10.1016/j.procs.2015.08.477.

Schubert, Petra, and Johannes Glitsch. “Use Cases and Collaboration Scenarios: How Employees Use Socially-Enabled Enterprise Collaboration Systems (ECS).” International Journal of Information Systems and Project Management, vol. 4, no. 2, Jan. 2016, pp. 41–62.

Thompson, Mark. “User Requests for Blocked Apps in the Teams Store.” Supersimple365, 5 Apr 2022, https://supersimple365.com/user-requests-for-apps-...

“What is Microsoft Teams Premium?” Breakwater IT, n.d., https://breakwaterit.co.uk/guides/microsoft-teams-...

Wills, Jonny. “Microsoft Teams Monthly Users Hits 280 Million.” UC Today, 25 Jan. 2023, https://www.uctoday.com/unified-communications/microsoft-teams-monthly-users-hits-280-million/.

Select and Prioritize Digital Initiatives

Build your digital investment business case.

Info-Tech Research Group

Key Concepts

Digital initiative

A project – or a group of interdependent projects – whose primary purpose is to enable digital technologies and/or digital business models. These technologies and models may be net new to the organization, or they may be existing ones that are optimized and improved by the initiative itself.

The feasibility of any initiative is gauged by answering:

• What amount of return on investment (ROI) or value does it bring to the organization?
• What level of complexity does it pose to project execution?
• To what extent does it solve a problem or leverage an opportunity?
• To what degree is it aligned with digital business goals?

Digital strategy

The plan to deploy existing/emerging technologies to look at developing new products and services, new business models, and operational efficiency to meet or exceed performance targets.

IT strategy

The plan for deploying and maintaining applications, hardware, infrastructure, and IT services that support the business goals in a secure/regulatory-compliant manner to ensure reliability.

Digital transformation

Digital transformation is an at-scale change program – planned and executed over a finite time period – with the aspiration of creating material and sustainable improvement in the performance of an organization. Techniques include deploying a programmatic approach to innovation along with enabling technologies, capabilities, and practices that drive efficiency and create new products, markets, and business models.

Info-Tech Insight

The business has embarked on its digital transformation journey. As CIO, you are being relied on to help triage what is most important – initiatives that will move the needle to achieve and fulfill the digital goals and ambitions of the organization.

Analyst Perspective

Prioritization follows ideation, and it’s not always easy.

Your stakeholders have spent considerable time and effort identifying and articulating a digital business strategy. Now that ideas have turned into opportunities, the CIO must prioritize those opportunities as actual initiatives. Where to begin?

Your first task is to identify the criteria that will be used to conduct prioritization activities. These criteria should be immutable and rigorously applied.

Your second task will be to develop business cases for each opportunity that passes muster. But don’t worry, you won’t need an MBA to get the job done properly.

Ross Armstrong

Principal Research Director
Info-Tech Research Group

Info-Tech’s digital transformation journey

By now, you have established your current strategic context

You have reviewed trends to reimagine the future of your industry and undertaken a digital maturity assessment to validate your business objectives and innovation goals. Now you need to evolve the current scope of your digital vision and opportunities.

• Phase 1.1: Industry Trends Report

• Phase 1.2: Digital Maturity Assessment

• Phase 2.1: Zero In on Business Objectives

By this point you have leveraged industry roundtables to better understand the art of the possible – exploring global trends, shifts in market forces or industry, customer needs, emerging technologies, and economic forecasts and creating opportunities out of these disruptions.

In Phase 2.1, you identified your business and innovation goals and documented your current capabilities, prioritized for transformation.

Business and innovation goals have been established through stakeholder interviews and business document review.

Current capabilities have been prioritized for transformation and heat mapped.

You have also formalized your digital strategy

Throughout the course of Phase 2.2, you identified new digital opportunities, identified the business capabilities required to capitalize those opportunities, and updated the digital goals of your organization, accordingly.

The end result of this exercise is a new goals cascade that aligns digital goals and capabilities with those of the business. Digital initiatives were also identified but not yet selected or prioritized for execution at the project level.

Now you will select and prioritize digital initiatives

The goal of this phase is to ensure that initiatives that are green-lit for execution have been successfully assessed against your chosen criteria and that the business case for each initiative is firmly established and documented.

There are three key activities outlined here that describe the actions that can be undertaken by industry members to help select and prioritize digital initiatives for the business.

1. Identify your selection criteria

2. Evaluate initiatives against criteria

3. Determine a prioritized list of initiatives

Info-Tech’s approach

Step 1: Identify Your Selection Criteria

Understand which conditions must be met in order to turn an opportunity into a digital initiative.

Step 1

Identify Your Selection Criteria

Use these selection criteria to prioritize initiatives

Ideas matter, but not all ideas are created equal. Now that you have elicited ideas and identified opportunities, discuss the assumptions, risks, and benefits associated with each proposed digital business initiative.

Prioritize opportunities into initiatives

Recall that the opportunities identified in Phase 2.2 also became proposed digital initiatives demonstrated in your goals cascade.

In your discussion, evaluate each opportunity through a matrix to create tension between value and complexity or other dimensions. Capture the information based on measurable business benefits-realization; risks or considerations; assumptions; and competencies, talent, and assets needed to deliver.

Leverage opportunity profiles from your digital strategy

To start, take one of the opportunity profiles you created in Phase 2.2, Build Your Digital Vision and Strategy, and use it throughout the following steps. Once done, repeat with the next opportunity profile until all have been vetted against criteria. If you did not use Info-Tech’s approach, simply use whatever list of digital business opportunities provided to you from stakeholders.

Prioritization Criteria

Run each initiative through the following evaluation criteria. When finished, any opportunities that appear in the top left quadrant (high value/low complexity) are now your highest priority digital initiatives.

Instructions:

Assign each initiative a letter. As you decide on each one, move a copy of the circled letter to its appropriate place on the 2x2 selection matrix.

Info-Tech Insight

Evaluation should be based on the insights from analysis across all criteria. Leverage group discussion to help contextualize and challenge assumptions when validating opportunities.

Digital initiative ≠ IT project

Every idea is a good one, unless you need one that works. What “works” as a digital initiative is not the same thing as a straightforward IT project that would be typically managed by a project manager or PMO. These latter projects will be addressed in Phase 3.1 of the digital journey.

Opportunities and business needs > Business model > Impact > Mandatory > Innovation path forward

Digital Track

Focus: Transform the business and operations

1. Problem may not be well defined.
2. “Initiative” is not clear.
3. Based on market research, customer needs, trend analysis, and economic forecast, risk to the business if fit-for-purpose initiative is not identified.
4. Previous delivery results not as expected, or uncertain how to continue the project.
5. Highly complex with significant impact to transform the business or operations.
6. Execution approach is not clear.
7. Capabilities may not exist within IT.

IT PMO

1. Emerging technology trends create opportunities to modernize IT, not transform business.
2. Problem is well defined and understood.
3. Initiative is clearly identified.
4. New IT project.
5. Can be complex but does not transform the business.
6. Standard PMP approach is a good fit.
7. Capabilities exist to execute within IT.
8. Software vendor or systems integrator is initiative provider.

Step 2: Evaluate Initiatives Against Criteria

Ruthlessly prioritize which opportunities will deliver the greatest business value and pose the best chance of success.

Step 2

Evaluate Initiatives Against Criteria

Exemplar: Prioritization criteria

Your prioritization matrix should look something like this. Initiatives B and C will now have short-form business cases developed for them. Initiatives in the “Should Plan” quadrant can be dealt with later.

Draw information from the opportunity profiles

You created opportunity profiles in Phase 2.2 to clarify, validate and evaluate specific ideas for digital initiatives. In these profiles, you considered the timing, relevance, and impact of those opportunities.

Some prioritized initiatives will have an immediate and significant impact on your business. Some may have a significant impact, but on a longer timeline. Understanding this is important context for your overall digital business strategy.

Above all, you must be able to communicate to stakeholders how the newly prioritized digital initiatives are relevant to driving the strategic growth of the business.

Start by elucidating further on initiative benefits and business value as outlined in the opportunity profile. This will become crucial for completing your next step – building a short-form business case for each prioritized initiative.

Short-Form Business Case Template

Prepare your business case for each initiative

Tasks:

1. On a whiteboard, draw the visual initiative canvas supplied below.
2. For each prioritized initiative, leverage its opportunity profile (if used) to list the resulting customer or stakeholder products/services and its pain relievers and gain creators in the associated sections of the canvas.
3. Ensure that the top pains, gains, and jobs are addressed by products/services, pain relievers, and gain creators.
4. Use this information as a basis for further exercises in this section, such as defining benefits, articulating value proposition and vision, and cost estimates.

Expand on the key benefits of each initiative

Business cases are not just a vehicle with which to acquire resources for investments, they are a mechanism that helps ensure the benefits of an investment are realized. To accomplish this, a business case must have a set of clearly defined benefits, combined with an understanding of how they will be measured and an explicitly stated beneficiary who can corroborate that the benefit has been realized.

What is a benefit?

Benefits are the advantages, or outcomes, that specific groups or individuals realize as a result of the proposed initiative’s implementation.

Initiative inputs

Initiative inputs are the time, resources, and scope dedicated to the endeavor of implementing an initiative.

Identify how to measure benefit achievement

Benefits are realized when an organization either starts doing something new, stops doing something, or improves the way something is already being done. The impact of these changes must be measured in order to determine whether the change is positive and if the case warrants more resources in order to scale.

Types of benefits

• Observable: These are measured by opinion or judgement.
• Measurable: These can be identified when there is an existing measure in place for the benefit (or when one can be easily created).
• Quantifiable: Similar to measurable benefits; however, these benefits additionally feature size or magnitude (if it can be reliably estimated).
• Financial: These are benefits that can be communicated in monetary terms. A benefit should only be classified as financial when sufficient evidence is available to show that the stated value is likely to be achieved.

Benefit owners and responsibilities

1. Each benefit should have assigned to it an explicit owner who gains an advantage as a result of the initiative’s implementation.
2. For most benefits, the owner will be the primary beneficiary of the initiative.
3. These individuals are the ones who must corroborate that a benefit has been realized.
4. Assigning an owner to each benefit will foster a sense of accountability in terms of benefits realization and will also create a traceable path that helps track the success of the initiative.

Complete the benefits section of the business case

Tasks:

1. Use the Short-Form Business Case Template included in this deck.
2. Arrange a meeting with the key beneficiary or beneficiaries of your initiative. Refer back to the benefits and outcomes section of the initiative’s opportunity profile (if used) as a starting point.
3. Clearly define what the key benefits of your initiative will be and list them in the Short-Form Business Case Template.
4. Assign an owner to each benefit – the individual who will corroborate that the benefit has accrued.
5. Come to a mutual agreement with the beneficiaries as to whether each benefit is:
   • Financial
   • Quantifiable
   • Measurable
   • Observable
6. Discuss and list the methods that will be used to measure each benefit and list them in the Short-Form Business Case Template.

Craft value proposition and vision statements

The way one articulates the value an initiative provides is just as important as the initiative itself. Use the previous exercises as inputs to craft a statement that reflects the value your initiative will provide, but also describes how the initiative will create value. Specifically, a value proposition should answer the following questions:

1. Who is the initiative for?
2. What is the initiative?
3. What does the initiative do?
4. How is the initiative different from others?

Complete value prop and vision statement sections of the business case

Tasks:

1. Having already completed the benefits section of the Short-Form Business Case Template, turn your attention to the value proposition section.
2. Using your problem and initiative canvases, in addition to the benefits section, craft a value proposition statement that answers the following questions in one or two sentences:
   • Who is the initiative for?
   • What is the initiative?
   • What does the initiative do?
   • How is the initiative different?
3. Input the value proposition statement into the value proposition section of the Short-Form Business Case Template.

Identify initiative steps and add to business case

Tasks:

Turn your attention to the roadmap section of the Short-Form Business Case Template and fill it in through the following steps:

1. Select which scope, resource, and/or time reduction tactics to apply given the context of the project.
2. Use the test, run, gauge, and collect framework supplied, unless you elect to generate your own project phases. If that is the case, ensure that phases are mutually exclusive and completely exhaustive (MECE).
3. For each phase, supply a brief description of the activities to be undertaken for that phase.
4. Map the benefits to be accrued within each phase.
5. For each phase, supply a set of two to three potential factors that create risk toward the benefits listed.
6. For each risk, supply a mitigation tactic that could be employed to diffuse the risk or to mitigate it completely.

Fill out the cost section of the business case

Tasks:

1. Having already completed the roadmap part of the Short-Form Business Case Template, turn your attention to the cost section.
2. Use the scope, resource, and time reduction tactics and roadmap to estimate the cost necessary to execute the project. Remember that costs are a factor of the resources required and the cost type.
   • Resources:
     • Hardware
     • Software
     • Human
     • Network and communications
     • Facilities
   • Cost Types:
     • Acquisition
     • Operation
     • Growth and change
3. Complete the cost section of the Short-Form Business Case Template with the cost estimate for the project.

Exemplar: Short-Form Business Case

Step 3: Determine a Prioritized List of Initiatives

Green-light opportunities for digital investment and create your list of high-priority digital initiatives.

Step 3

Determine a Prioritized List of Initiatives

Compile your prioritized initiatives

There are two follow-up actions to do with your newly prioritized list of digital initiative business cases: present them to stakeholders for approval and then add them to your IT strategic roadmap.

Present business cases to stakeholders

For most high-profile digital business initiatives, the short-form business case will not be the first time stakeholders hear about them. By this point, securing approval should only be a formality if the initiative has been effectively socialized beforehand. If this is not the case, one must build an adequate understanding of the stakeholder landscape and then use this understanding to effectively present business cases for digital initiative and receive approval to proceed with them.

Gauge the importance of various stakeholders and tailor your message according to their concerns and the requirements of their role. Consider the following important questions about each stakeholder:

• Authority: How much influence does the stakeholder have? Enough to drive the initiative forward?
• Involvement: How interested is the stakeholder? How involved is the stakeholder in the initiative already?
• Impact: To what degree will the stakeholder be impacted? Will this significantly change how they do their job?
• Support: Is the stakeholder a supporter of the initiative? Neutral? A resistor?

Develop a stakeholder map

A stakeholder map helps visualize the importance of various stakeholders and their concerns so you can prioritize your time according to those stakeholders who are most impacted by a digital initiative, as well as those who have the authority to green-light them.

1. Evaluate each stakeholder in terms of authority, involvement, impact, and support, as discussed in the previous slide.
2. Map each stakeholder to an area on the right template (slide four) based upon the level of their authority and involvement (high or low).
   • Vary the size of the circle to distinguish stakeholders that are highly impacted by the IT strategy from those who are not. Color each circle to show each stakeholder’s estimated or gauged level of support for the project.
3. Ask yourself if the stakeholder map looks accurate. Is there someone who has no involvement in digital initiatives, but should?
   • A) For example, if a CFO who has the authority to disapprove project funding is heavily impacted and not involved, the success of the business cases will be put at risk.
4. Draw a dotted circle to show where that stakeholder needs to be located (increased involvement and support), and an arrow with a dotted line to signify the needed change. Some stakeholders may have influence over others.
   • B) For example, a COO who highly values the opinion of the director of operations would be influenced by that director. Draw an arrow from one stakeholder to another to signify this relationship.

Focus on key players: Relevant stakeholders who have high power are highly impacted and should have high involvement. Engage the stakeholders that are impacted most and have the authority to influence digital initiatives and approve business cases.

Summary of key insights

By now, you should have a firm understanding of the principles and desired actions, behaviors, and outcomes that have been presented in this methodology. Furthermore:

1. Prioritization of digital opportunities can be a relatively straightforward task as long as the correct stakeholders are involved and use a common and agreed upon set of criteria.
2. Developing a business case for a digital initiative in an agile manner need not be a grueling exercise provided that a vetted and repeatable process is used.
3. Above all, remember that this is a journey. Going from an intangible (macro-trend, problem, or opportunity) to a tangible (actual project or initiative) does not happen all at once.

Related Info-Tech Research

Understand Industry Trends

Assess how the external environment presents opportunities or threats to your organization.

Build a Business-Aligned IT Strategy

Align with the business by creating an IT strategy that documents the business context, key initiatives, and a strategic roadmap.

Define Your Digital Business Strategy

Design a strategy that applies innovation to your business model, streamlines and transforms processes, and makes use of technologies to enhance interactions with customers and employees.

Research Contributors and Experts

Ross Armstrong

Principal Research Director, CIO Advisory
Info-Tech Research Group

Ross Armstrong is a Principal Research Director in the CIO Advisory practice at Info-Tech Research Group, covering the areas of IT strategic planning, digital strategy, digital transformation, and IT innovation.

Ross has worked in a variety of public and private sector industries including automotive, IT, mobile/telecom, and higher education. All of his roles over the years have centered around data-driven market research – in pursuit of insightful and successful product development and product management – at their core.

In addition to his long tenure as an Info-Tech Research Group analyst, Ross has worked in research and product innovation positions at Autodata initiatives (J.D. Power), BlackBerry, and Ivey Business School (Western University).

Ross holds a Master of Arts degree in English Language and Literature from Western University (UWO) and has served as an advisory board member for a number of not-for-profit and educational institutions.

Joanne Lee

Principal Research Director, CIO Advisory
Info-Tech Research Group

Joanne is an executive with over 25 years of experience providing leadership in digital technology and management consulting across both public and private entities from initiative delivery to organizational redesign across BC, Ontario, and Globally.

A Director within KPMG’s CIO Advisory Management Consulting services and practice lead for Digital Health in BC, Joanne has led various client engagements from ERP Cloud Strategy, IT Operating Models, Data and Analytics maturity, to process redesign. More recently, Joanne was the Chief Program Officer and Executive Director responsible for leading the implementation of a $450M technology and business transformation initiative across 13 hospitals and community services for one of the largest health authorities in BC.

A former clinician, Joanne has held progressive leadership roles in healthcare with accountabilities across IT operations and service management, data analytics, project management office (PMO), clinical informatics, and privacy and contract management. Joanne is passionate about connecting people, concepts, and capital.

Bibliography

“AI: From Data to ROI.” Cognizant, September 2020. Accessed November 2022.

Bughin, Jacques, et al. “The Case for Digital Reinvention.” McKinsey Quarterly, February 2017. Accessed November 2022.

“The Business Case for Digital Transformation.” CPA Canada, June 2021. Accessed November 2022.

“The Case for Digital Transformation.” The National Center for the Middle Market, Ohio State University, 2020. Accessed October 2022.

“Digital Transformation in Government Case Study.” Ionology, April 2020. Accessed October 2022.

Louis, Peter, et al. “Internet of Things – From Buzzword to Business Case.” Siemens, 11 January 2021. Accessed December 2022.

Miesen, Nick. “Case Studies of Digital Transformations in Process and Aerospace Industries.” Jugaad, 2018. Accessed November 2022.

Proff, Harald, and Claudia Bittrich. “The Digital Business Case - Done Right!” Deloitte, August 2019. Accessed October 2022.

“Propelling an Aerospace Innovator.” Accenture, 2021. Accessed October 2022.

Schmidt-Subramanian, Maxie. “The ROI of CX Transformation.” Forrester, 15 August 2019. Accessed November 2022.

Ward, John, et al. “Building Better Business Cases for IT Investments.” California Management Review, Sept. 2007. Web.

Document Your Cloud Strategy

Get ready for the cloudy future with a consistent, proven strategy.

Analyst perspective

Any approach is better than no approach

Moving to the cloud is a big, scary transition, like moving from gas-powered to electric cars, or from cable to streaming, or even from the office to working from home. There are some undeniable benefits, but we must reorient our lives a bit to accommodate those changes, and the results aren’t always one-for-one. A strategy helps you make decisions about your future direction and how you should respond to changes and challenges. In Document Your Cloud Strategy we hope to help you accomplish just that: clarifying your overall mission and vision (as it relates to the cloud) and helping you develop an approach to changes in technology, people management, and, of course, governance. The cloud is not a panacea. Taken on its own, it will not solve your problems. But it can be an important tool in your IT toolkit, and you should aim to make the best use of it – whatever “best” happens to mean for you.

Jeremy Roberts

Research Director, Infrastructure and Operations

Info-Tech Research Group

Executive Summary

Your Challenge

The cloud is multifaceted. It can be complicated. It can be expensive. Everyone has an opinion on the best way to proceed – and in many cases has already begun the process without bothering to get clearance from IT. The core challenge is creating a coherent strategy to facilitate your overall goals while making the best use of cloud technology, your financial resources, and your people.

Common Obstacles

Despite the universally agreed-upon benefit of formulating a coherent strategy, several obstacles make execution difficult:

• Inconsistent understanding of what the cloud means
• Inability to come to a consensus on key decisions
• Ungoverned decision making
• Unclear understanding of cloud roles and responsibilities

Info-Tech’s Approach

A cloud strategy might seem like a big project, but it’s just a series of smaller conversations. The methodology presented here is designed to facilitate those conversations, using a curated list of topics, prompts, participant lists, and sample outcomes. We have divided the strategy into four key areas:

1. Vision and alignment
2. People
3. Governance
4. Technology

The answers might be different, but the questions are the same

Every organization will approach the cloud differently, but they all need to ask the same questions: When will we use the cloud? What forms will our cloud usage take? How will we manage governance? What will we do about people? How will we incorporate new technology into our environment? The answers to these questions are as numerous as there are people to answer them, but the questions must be asked.

Your challenge

This research is designed to help organizations that are facing these challenges or looking to:

• Ensure that the cloud strategy is complete and accurately reflects organizational goals and priorities.
• Develop a consistent and coherent approach to adopting cloud services.
• Design an approach to mitigate risks and challenges associated with adopting cloud services.
• Create a shared understanding of the expected benefits of cloud services and the steps required to realize those benefits.

Grappling with a cloud strategy is a top initiative: 43% of respondents report progressing on a cloud-first strategy as a top cloud initiative.

Source: Flexera, 2021.

Definition: Cloud strategy

A document providing a systematic overview of cloud services, their appropriate use, and the steps that an organization will take to maximize value and minimize risk.

Common obstacles

These barriers make this challenge difficult to address for many organizations:

• The cloud means different things to different people, and creating a strategy that is comprehensive enough to cover a multitude of use cases while also being written to be consumable by all stakeholders is difficult.
• The incentives to adopt the cloud differ based on the expected benefit for the individual customer. User-led decision making and historically ungoverned deployments can make it difficult to reset expectation and align with a formal strategy.
• Getting all the right people in a room together to agree on the key components of the strategy and the direction undertaken for each one is often difficult.

Info-Tech’s approach

Info-Tech’s approach

Your cloud strategy will comprise the elements listed under “vision and alignment,” “technology,” “governance,” and “people.” The Info-Tech methodology involves breaking the strategy down into subcomponents and going through a three-step process for each one. Start by reviewing a standard set of questions and understanding the goal of the exercise: What do we need to know? What are some common considerations and best practices? Once you’ve had a chance to review, discuss your current state and any gaps: What has been done? What still needs to be done? Finally, outline how you plan to go forward: What are your next steps? Who needs to be involved?

Review

• What questions do we need to answer to complete the discussion of this strategy component? What does the decision look like?
• What are some key terms and best practices we must understand before deciding?

Discuss

• What steps have we already taken to address this component?
• Does anything still need to be done?
• Is there anything we’re not sure about or need further guidance on?

Go forward

• What are the next steps?
• Who needs to be involved?
• What questions still need to be asked/answered?
• What should the document’s wording look like?

Info-Tech’s methodology for documenting your cloud strategy

Insight summary

Separate strategy from tactics

Separate strategy from tactics! A strategy requires building out the framework for ongoing decision making. It is meant to be high level and achieve a large goal. The outcome of a strategy is often a sense of commitment to the goal and better communication on the topic.

The cloud does not exist in a vacuum

Your cloud strategy flows from your cloud vision and should align with the broader IT strategy. It is also part of a pantheon of strategies and should exist harmoniously with other strategies – data, security, etc.

People problems needn’t preponderate

The cloud doesn’t have to be a great disruptor. If you handle the transition well, you can focus your people on doing more valuable work – and this is generally engaging.

Governance is a means to an end

Governing your deployment for its own sake will only frustrate your end users. Articulate the benefits users and the organization can expect to see and you’re more likely to receive the necessary buy-in.

Technology isn’t a panacea

Technology won’t solve all your problems. Technology is a force multiplier, but you will still have to design processes and train your people to fully leverage it.

Key deliverable

Cloud Strategy Document template

Inconsistency and informality are the enemies of efficiency. Capture the results of the cloud strategy generation exercises in the Cloud Strategy Document template.

• Record the results of the exercises undertaken as part of this blueprint in the Cloud Strategy Document template.
• It is important to remember that not every cloud strategy will look exactly the same, but this template represents an amalgamation of best practices and cloud strategy creation honed over several years of advisory service in the space.
• You know your audience better than anyone. If you would prefer a strategy delivered in a different way (e.g. presentation format) feel free to adapt the Cloud Vision Executive Presentation into a longer strategy presentation.
• Emphasis is an area where you should exercise discretion as well. A cost-oriented cloud strategy, or one that prioritizes one type of cloud (e.g. SaaS) at the exclusion of others, may benefit from more focus on some areas than others, or the introduction of relevant subcategories. Include as many of these as you think will be relevant.
• Parsimony is king – if you can distill a concept to its essence, start there. Include additional detail only as needed. You want your cloud strategy document to be read. If it’s too long or overly detailed, you’ll encounter readability issues.

Blueprint benefits

Measure the value of this blueprint

Don’t take our word for it:

• Document Your Cloud Strategy has been available for several years in various forms as both a workshop and as an analyst-led guided implementation.
• After each engagement, we send a survey that asks members how they benefited from the experience. Those who have worked through Info-Tech’s cloud strategy material have given overwhelmingly positive feedback.
• Additionally, members reported saving between 10 and 20 days and an average of $46,499.
• Measure the value by calculating the time saved as a result of using Info-Tech’s framework vs. a home-brewed cloud strategy alternative and by comparing the overall cost of a guided implementation or workshop with the equivalent offering from another firm. We’re confident you’ll come out ahead.

8.8/10 Average reported satisfaction

13 Days Average reported time savings

$46,499 Average cost savings

Executive Brief Case Study

INDUSTRY: Pharmaceuticals

SOURCE: Info-Tech workshop

Pharmaceutical company

The unnamed pharmaceutical company that is the subject of this case study was looking to make the transition to the cloud. In the absence of a coherent strategy, the organization had a few cloud deployments with no easily discernable overall approach. Representatives of several distinct functions (legal, infrastructure, data, etc.) all had opinions on the uses and abuses of cloud services, but it had been difficult to round everyone up and have the necessary conversations. As a result, the strategy exercise had not proceeded in a speedy or well-governed way. This lack of strategic readiness presented a roadblock to moving forward with the cloud strategy and to work with the cloud implementation partner, tasked with execution.

Results

The company engaged Info-Tech for a four-day workshop on cloud strategy documentation. Over the course of four days, participants drawn from across the organization discussed the strategic components and generated consensus statements and next steps. The team was able to formalize the cloud strategy and described the experience as saving 10 days.

Example output: Document your cloud strategy workshop exercise

Anything in green, the team was reasonably sure they had good alignment and next steps. Those yellow flags warranted more discussion and were not ready for documentation.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 4 to 6 calls over the course of 1 to 3 months

Workshop Overview

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Phase 1

Document Your Vision and Alignment

This phase will walk you through the following activities:

1. Record your cloud mission and vision
2. Document your cloud strategy’s alignment with other strategic plans
3. Record your cloud guiding principles
4. Define success

This phase has the following outcome:

• Documented strategy: vision and alignment

Record your mission and vision

Build on the work you’ve already done

Before formally documenting your cloud strategy, you should ensure that you have a good understanding of your overall cloud vision. How do you plan to leverage the cloud? What goals are you looking to accomplish? How will you distribute your workloads between different cloud service models (SaaS, PaaS, IaaS)? What will your preferred delivery model be (public, private, hybrid)? Will you support your cloud deployment internally or use the services of various consultants or managed service providers?

The answers to these questions will inform the first section of your cloud strategy. If you haven’t put much thought into this or think you could use a deep dive on the fundamentals of your cloud vision and cloud archetypes, consider reviewing Define Your Cloud Vision, the companion blueprint to this one.

Once you understand your cloud vision and what you’re trying to accomplish with your cloud strategy, this phase will walk you through aligning the strategy with other strategic initiatives. What decisions have others made that will impact the cloud strategy (or that the cloud strategy will impact)? Who must be involved/informed? What callouts must be involved at what point? Do users have access to the appropriate strategic documentation (and would they understand it if they did)?

You must also capture some guiding principles. A strategy by its nature provides direction, helping readers understand the decisions they should make and why those decisions align with organizational interests. Creating some top-level principles is a useful exercise because those principles facilitate comprehension and ensure the strategy’s applicability.

Finally, this phase will walk you through the process of measuring success. Once you know where you’d like to go, the principles that underpin your direction, and how your cloud strategy figures into the broader strategic pantheon, you should record what success actually means. If you’re looking to save money, overall cost should be a metric you track. If the cloud is all about productivity, generate appropriate productivity metrics. If you’re looking to expand into new technology or close a datacenter, you will need to track output specific to those overall goals.

Review: mission and vision

The overall organizational mission is a key foundational element of the cloud strategy. If you don’t understand where you’re going, how can you begin the journey to get there? This section of the strategy has four key parts that you should understand and incorporate into the beginning of the strategy document. If you haven’t already, review Define Your Cloud Vision for instructions on how to generate these elements.

Understand key cloud concepts: Archetype

Once you understand the value of the cloud, your workloads’ general suitability for the cloud, and your proposed risks and mitigations, the next step is to define your cloud archetype. Your organization’s cloud archetype is the strategic posture that IT adopts to best support the organization’s goals. Info-Tech’s model recognizes seven archetypes, divided into three high-level archetypes. After consultation with your stakeholders, and based on the results of the suitability and risk assessment activities, define your archetype. The archetype feeds into the overall cloud vision and provides simple insight into the cloud future state for all stakeholders. The cloud vision itself is captured in a “vision statement,” a short summary of the overall approach that includes the overall cloud archetype.