Build a Data Classification MVP for M365

Kickstart your governance with data classification users will actually use!

Executive Summary

Info-Tech Insight

• Creating an MVP gets you started in data governance
  Information protection and governance are not something you do once and then you are done. It is a constant process where you start with the basics (a minimum-viable product or MVP) and enhance your schema over time. The objective of the MVP is reducing obstacles to establishing an initial governance position, and then enabling rapid development of the solution to address a variety of real risks, including data loss prevention (DLP), data retention, legal holds, and data labeling.
• Define your information and protection strategy
  The initial strategy is to start looking across your organization and identifying your customer data, regulatory data, and sensitive information. To have a successful data protection strategy you will include lifecycle management, risk management, data protection policies, and DLP. All key stakeholders need to be kept in the loop. Ensure you keep track of all available data and conduct a risk analysis early. Remember, data is your highest valued intangible asset.
• Planning and resourcing are central to getting started on MVP
  A governance plan and governance decisions are your initial focus. Create a team of stakeholders that include IT and business leaders (including Legal, Finance, HR, and Risk), and ensure there is a top-level leader who is the champion of the governance objective, which is to ensure your data is safe, secure, and not prone to leakage or theft, and maintain confidentiality where it is warranted.

Executive Summary

Info-Tech Insight

Data classification is the lynchpin to any effective governance of O/M365 and your objective is to navigate through this easily and effectively and build a robust, secure, and viable governance model. Start your journey by identifying what and where your data is and how much data do you have. You need to understand what sensitive data you have and where it is stored before you can protect or govern it. Ensure there is a high-level leader who is the champion of the governance objectives. Data classification fulfills the governance objectives of risk mitigation, governance and compliance, efficiency and optimization, and analytics.

Questions you need to ask

Four key questions to kick off your MVP.

Classification tiers

Build your schema.

Info-Tech Insight

Deciding on how granular you go into data classification will chiefly be governed by what industry you are in and your regulatory obligations – the more highly regulated your industry, the more classification levels you will be mandated to enforce. The more complexity you introduce into your organization, the more operational overhead both in cost and resources you will have to endure and build.

Microsoft MIP Topology

Microsoft Information Protection (MIP), which is Microsoft’s Data Classification Services, is the key to achieving your governance goals. Without an MVP, data classification will be overwhelming; simplifying is the first step in achieving governance.

(Source: Microsoft, “Microsoft Purview compliance portal”)

Info-Tech Insight

Using least-complex sensitivity labels in your classification are your building blocks to compliance and security in your data management schema; they are your foundational steps.

MVP RACI Chart

Data governance is a "takes a whole village" kind of effort.

Clarify who is expected to do what with a RACI chart.

What and where your data resides Data types that require classification.

M365 Workload Containers
Email Attachments	Site Collections, Sites	Sites	Project Databases
Contacts	Teams and Group Site Collections, Sites	Libraries and Lists	Sites
Metadata	Libraries and Lists	Documents Versions	Libraries and Lists
Teams Conversations	Documents Versions	Metadata	Documents Versions
Teams Chats	Metadata	Permissions Internal Sharing External Sharing	Metadata
	Permissions Internal Sharing External Sharing	Files Shared via Teams Chats	Permissions Internal Sharing External Sharing

Info-Tech Insight

Knowing where your data resides will ensure you do not miss any applicable data that needs to be classified. These are examples of the workload containers; you may have others.

Discover and classify on- premises files using AIP

AIP helps you manage sensitive data prior to migrating to Office 365: Use discover mode to identify and report on files containing sensitive data. Use enforce mode to automatically classify, label, and protect files with sensitive data. Can be configured to scan: SMB files SharePoint Server 2016, 2013

Map your network and find over-exposed file shares. Protect files using MIP encryption. Inspect the content in file repositories and discover sensitive information. Classify and label file per MIP policy.

Azure Information Protection scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data. Discover mode helps you identify and report on files containing sensitive data (Microsoft Inside Track and CIAOPS, 2022). Enforce mode automatically classifies, labels, and protects files with sensitive data.

Info-Tech Insight

Any asset deployed to the cloud must have approved data classification. Enforcing this policy is a must to control your data.

Understanding governance

Microsoft Information Governance

Retention and backup policy decision

Retention is not backup.

Understand retention policy

What are retention policies used for? Why you need them as part of your MVP?

Do not confuse retention labels and policies with backup.

Remember: “retention [policies are] auto-applied whereas retention label policies are only applied if the content is tagged with the associated retention label” (AvePoint Blog, 2021).

E-discovery tool retention policies are not turned on automatically.

Retention policies are not a backup tool – when you activate this feature you are unable to delete anyone.

“Data retention policy tools enable a business to:

• “Decide proactively whether to retain content, delete content, or retain and then delete the content when needed.
• “Apply a policy to all content or just content meeting certain conditions, such as items with specific keywords or specific types of sensitive information.
• “Apply a single policy to the entire organization or specific locations or users.
• “Maintain discoverability of content for lawyers and auditors, while protecting it from change or access by other users. […] ‘Retention Policies’ are different than ‘Retention Label Policies’ – they do the same thing – but a retention policy is auto-applied, whereas retention label policies are only applied if the content is tagged with the associated retention label.

“It is also important to remember that ‘Retention Label Policies’ do not move a copy of the content to the ‘Preservation Holds’ folder until the content under policy is changed next.” (Source: AvePoint Blog, 2021)

Definitions

Data classification is a focused term used in the fields of cybersecurity and information governance to describe the process of identifying, categorizing, and protecting content according to its sensitivity or impact level. In its most basic form, data classification is a means of protecting your data from unauthorized disclosure, alteration, or destruction based on how sensitive or impactful it is.

Once data is classified, you can then create policies; sensitive data types, trainable classifiers, and sensitivity labels function as inputs to policies. Policies define behaviors, like if there will be a default label, if labeling is mandatory, what locations the label will be applied to, and under what conditions. A policy is created when you configure Microsoft 365 to publish or automatically apply sensitive information types, trainable classifiers, or labels.

Sensitivity label policies show one or more labels to Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups. Once published, users can apply the labels to protect their content.

Data loss prevention (DLP) policies help identify and protect your organization's sensitive info (Microsoft Docs, April 2022). For example, you can set up policies to help make sure information in email and documents is not shared with the wrong people. DLP policies can use sensitive information types and retention labels to identify content containing information that might need protection.

Retention policies and retention label policies help you keep what you want and get rid of what you do not. They also play a significant role in records management.

Data examples for MVP classification

• Examples of the type of data you consider to be Confidential, Internal, or Public.
• This will help you determine what to classify and where it is.

New container sensitivity labels (MIP)

New container sensitivity labels

What users will see when they create or label a Team/Group/Site

(Source: Microsoft, “Microsoft Purview compliance portal”)

Info-Tech Insights

• Manage privacy of Teams Sites and M365 Groups
• Manage external user access to SPO sites and teams
• Manage external sharing from SPO sites
• Manage access from unmanaged devices

Data protection and security baselines

Info-Tech Insights

• Controls are already in place to set data protection policy. This assists in the MVP activities.
• Finally, you need to set your security baseline to ensure proper permissions are in place.

Prerequisite baseline

Security MFA or SSO to access from anywhere, any device Banned password list BYOD sync with corporate network

Users Sign out inactive users automatically Enable guest users External sharing Block client forwarding rules

Resources Account lockout threshold OneDrive SharePoint

Controls Sensitivity labels, retention labels and policies, DLP Mobile application management policy

Building baselines

Sensitivity Profiles: Public, Internal, Confidential; Subcategory: Highly Confidential

Microsoft 365 Collaboration Protection Profiles

Please Note: Global/Compliance Admins go to the 365 Groups platform, the compliance center (Purview), and Teams services (Source: Microsoft Documentation, “Microsoft Purview compliance documentation”)

Info-Tech Insights

• Building baseline profiles will be a part of your MVP. You will understand what type of information you are addressing and label it accordingly.
• Sensitivity labels are a way to classify your organization's data in a way that specifies how sensitive the data is. This helps you decrease risks in sharing information that shouldn't be accessible to anyone outside your organization or department. Applying sensitivity labels allows you to protect all your data easily.

MVP activities

ACME Company MVP for M/O365

Related Blueprints

Govern Office 365

Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals.

Map your organizational goals to the administration features available in the Office 365 console. Your governance should reflect your requirements.

Migrate to Office 365 Now

Jumping into an Office 365 migration project without careful thought of the risks of a cloud migration will lead to project halt and interruption. Intentionally plan in order to expose risk and to develop project foresight for a smooth migration.

Microsoft Teams Cookbook

IT Governance, Risk & Compliance

Several blueprints are available on a broader topic of governance, from Make Your IT Governance Adaptable to Improve IT Governance to Drive Business Results and Build an IT Risk Management Program.

Bibliography

“Best practices for sharing files and folders with unauthenticated users.” Microsoft Build, 28 April 2022. Accessed 2 April 2022.

“Build and manage assessments in Compliance Manager.” Microsoft Docs, 15 June 2022. Web.

“Building a modern workplace with Microsoft 365.” Microsoft Inside Track, n.d. Web.

Crane, Robert. “June 2020 Microsoft 365 Need to Know Webinar.” CIAOPS, SlideShare, 26 June 2020. Web.

“Data Classification: Overview, Types, and Examples.” Simplilearn, 27 Dec. 2021. Accessed 11 April 2022.

“Data loss prevention in Exchange Online.” Microsoft Docs, 19 April 2022. Web.

Davies, Nahla. “5 Common Data Governance Challenges (and How to Overcome Them).” Dataversity. 25 October 2021. Accessed 5 April 2022.

“Default labels and policies to protect your data.” Microsoft Build, April 2022. Accessed 3 April 2022.

M., Peter. "Guide: The difference between Microsoft Backup and Retention." AvePoint Blog, 9 Oct. 2021. Accessed 4 April 2022.

Meyer, Guillaume. “Sensitivity Labels: What They Are, Why You Need Them, and How to Apply Them.” nBold, 6 October 2021. Accessed 2 April 2022.

“Microsoft 365 guidance for security & compliance.” Microsoft, 27 April 2022. Accessed 28 April 2022.

“Microsoft Purview compliance portal.” Microsoft, 19 April 2022. Accessed 22 April 2022.

“Microsoft Purview compliance documentation.” Microsoft, n.d. Accessed 22 April 2022.

“Microsoft Trust Center: Products and services that run on trust.” Microsoft, 2022. Accessed 3 April 2022.

“Protect your sensitive data with Microsoft Purview.” Microsoft Build, April 2022. Accessed 3 April 2022.

Zimmergren, Tobias. “4 steps to successful cloud governance in Office 365.” Rencore, 9 Sept. 2021. Accessed 5 April 2022.

Next-Generation InfraOps

Embrace the spectrum of Ops methodologies to build a virtuous cycle.

Executive summary

Your Challenge

IT Operations continue to be challenged by increasing needs for scale and speed, often in the face of constrained resources and time. For most, Agile methodologies have become a foundational part of tackling this problem. Since then, we've seen Agile evolve into DevOps, which started a trend into different categories of "xOps" that are too many to count. How does one make sense of the xOps spectrum? What is InfraOps and where does it fit in?

Common Obstacles

Ultimately, all these methodologies and approaches are there to serve the same purpose: increase effectiveness through automation and improve governance through visibility. The key is to understand what tools and methodologies will deliver actual benefits to your IT operation and to the organization as a whole.

Info-Tech's Approach

By defining your end goals and framing solutions based on the type of visibility and features you need, you can enable speed and reliability without losing control of the work.

1. Understand the xOps spectrum and what approaches will benefit your organization.
2. Make sense of the architectural approaches and enablement tools available to you.
3. Evolve from just improving your current operations to a continuous virtuous cycle of development and deployment.

Info-Tech Insight

InfraOps, when applied well, should be the embodiment of the governance policies as expressed by standards in architecture and automation.

Project overview

The xOps spectrum

xOps categories

There is no definitive list of x's in the xOps spectrum. Different organizations and teams will divide and define these in different ways. In many cases, the definitions and domains of various xOps will overlap.

Some of the commonly adopted and defined xOps models are listed here.

Shift left? Shift right?

Cutting through the jargon

• Shifting left is about focusing on the code and development aspects of a delivery cycle.
• Shifting right is about remembering that infrastructure and tools still do matter.

Info-Tech Insight

Shifting left or right isn't an either/or choice. They're more like opposite sides of the same coin. Like the different xOps approaches, usually more than one shift approach will apply to your IT Operations.

IT Operations in the left-right spectrum

Shifting from executing and deploying to defining the guardrails and standards

Take a middle-out approach

InfraOps and DevOps aren't enemies; they're opposite sides of the same coin.

• InfraOps is about the automation and standardization of execution. It's an essential element in any fully automated CI/CD pipeline.
• Like DevOps, InfraOps is built on similar values (the pillars of DevOps).
• It builds on the principle of Lean to focus on removing friction, or turn-and-type activities, from the pipeline/process.
• In InfraOps, one of the key methods for removing friction is through automation of the interstitia between different phases of a DevOps or CI/CD cycle.

Optimize the Ops in DevOps

Focus on eliminating friction

With the shift from execution to governing and validating, the role of deployment falls downstream of IT Operations.

IT Operations needs to move to a mindset that focuses on creating the guardrails, enforced standards, and compliance rules that need to be used downstream, then apply those standards using automation and tooling to remove friction and error from the interstitia (the white spaces between chevrons) of the various phases.

InfraOps tools

Info-Tech Insight

Your tools can be broken into two categories:

• Infrastructure Architecture
  • HCI vs. CI
• Automation Tooling
  • IaC and A&O

Keep in mind that while your infrastructure architecture is usually an either/or choice, your automation approach should use any and all tooling that helps.

Infrastructure approach

• Hyperconverged

• Composable

Hyperconverged Infrastructure (HCI)

Hyperconvergence is the next phase of convergence, virtualizing servers, networks, and storage on a single server/storage appliance. Capacity scales as more appliances are added to a cluster or stack.
The disruptive departure:

• Even though servers, networks, and storage were each on their own convergence paths, the three remained separate management domains (or silos). Even single-SKU converged infrastructures like VCE Vblocks are still composed of distinct server, network, and storage devices.
• In hyperconvergence, the silos collapse into single-software managed devices. This has been disruptive for both the vendors of technology solutions (especially storage) and for infrastructure management.
• Large storage array vendors are challenged by hyperconvergence alternatives. IT departments need to adapt IT skills and roles away from individual management silos and to more holistic service management.

Info-Tech Insight

HCI follows convergence trends of the past ten years but is also a departure from how IT infrastructure has traditionally been provisioned and managed.

HCI is at the same time a logical progression of infrastructure convergence and a disruptive departure.

Hyperconverged (HCI) – SWOT

HCI can be the foundation block for a fully software defined data center, a prerequisite for private cloud.

Strengths

• Potentially lower TCO through further infrastructure consolidation, reducing CapEx and OpEx expenditures through facilities optimization and cost consolidation.
• Operations in particular can be streamlined, since storage, network connections, and processors/memory are all managed as abstractions via a single control pane.
• HCI comes with built-in automation and analytics that lead to quicker issue resolution.

Opportunities

• Increased business agility by paving the way for a fully software defined infrastructure stack and cloud automation.
• Shift IT human assets from hardware asset maintainers and controllers to service delivery managers.
• Better able to compete with external IT service alternatives.
• Move toward a hybrid cloud service offering where the service catalog contains both internal and external offerings.

Key attributes of a cloud are automation, resource elasticity, and self-service. This kind of agility is impossible if physical infrastructure needs intervention.

Info-Tech Insight

Virtualization alone does not a private cloud make, but complete stack virtualization (software defined) running on a hands-off preconfigured HCI appliance (or group of appliances) provides a solid foundation for building cloud services.

Hyperconverged (HCI) – SWOT

Silo-busting and private cloud sound great, but are your people and processes able to manage the change?

Weaknesses

• HCI typically scales out linearly (CPU & storage). This does not suit traditional scale-up applications such as high-performance databases and large-capacity data warehouses.
• Infrastructure stacks are perceived as more flexible for variable growth across segments. For example, if storage is growing but processing is not, storage can scale separately from processing.

Threats

• HCI will be disruptive to roles within IT. Internal pushback is a real threat if necessary changes in skills and roles are not addressed.
• HCI is not a simple component replacement but an adoption of a different kind of infrastructure. Different places in the lifecycles for each of storage, network, and processing devices could make HCI a solution where there is no immediate problem.

In traditional infrastructure, performance and capacity are managed as distinct though complementary jobs. An all-in-one approach may not work.

Composable Infrastructure (CI)

• Composable infrastructure in many ways represents the opposite of an HCI approach. Its focus is on further disaggregating resources and components used to build systems.
  • Unlike traditional cloud virtual systems, composable infrastructure provides virtual bare metal resources, allowing tightly coupled resources like CPU, RAM, and GPU – or any device/card/module – to be released back and forth into the resource pool as required by a given workload.
  • This is enabled by the use of high-speed, low-latency PCI Express (PCI-e) and Compute Express Link (CXL) fabrics that allow these resources to be decoupled.
  • It also supports the ability to present other fabric types critical for building out enterprise systems (e.g. Ethernet, InfiniBand).
• Accordingly, CI systems are also based on next-generation network architecture that supports moving critical functions to the network layer, which enables more efficient use of the application-layer resources.

Composable Infrastructure (CI)

• CI may also leverage network-resident data/infrastructure processing units (DPUs/IPUs), which offload many network, security, and storage functions.
  • As new devices and functions become available, they can be added into the catalog of resources/functions available in a CI pool.

Use Case Example: Composable AI flow

Data Ingestion > Data Cleaning/Tagging > Training > Conclusion

• At each phase of the process, resources, including specialized hardware like memory and GPU cores, can be dynamically allocated and reallocated to the workload on demand

Composable Infrastructure (CI)

Use cases and considerations

Where it's useful

• Enable even more efficient allocation/utilization of resources for workloads.
• Very large memory or shared memory requirements can benefit greatly.
• Decouple purchasing decisions for underlying resources.
• Leverage the fabric to make it easier to incrementally upgrade underlying resources as required.
• Build "the Impossible Server."

Considerations

• Requires significant footprint/scale to justify in many cases
• Not necessarily good value for environments that aren't very volatile and heterogeneous in terms of deployment requirements
• May not be best value for environments where resource-stranding is not a significant issue

Info-Tech Insight

Many organizations using a traditional approach report resource stranding as having an impact of 20% or more on efficiency. When focusing specifically on the stranding of memory in workloads, the number can often approach 40%.

The CI ecosystem

• The CI ecosystem has many players, large and small!
• Note that the CI ecosystem is dependent on a large ecosystem of underlying enablers and component builders to support the required technologies.

Understanding the differences

Automation approach

• Infrastructure as Code
• Automation & Orchestration
• Metaorchestration

Infrastructure as Code (IaC)

Infrastructure as code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files rather than physical hardware configuration or interactive configuration tools.

Before IaC, IT personnel would have to manually change configurations to manage their infrastructure. Maybe they would use throwaway scripts to automate some tasks, but that was the extent of it.

With IaC, your infrastructure's configuration takes the form of a code file, making it easy to edit, copy, and distribute.

Info-Tech Insight
IaC is a critical tool in enabling key benefits!

• Reduced costs
• Increased scalability, flexibility, and speed
• Better consistency and version control
• Reduced deployment errors

Infrastructure as Code (IaC)

1. IaC uses a high-level descriptive coding language to automate the provisioning of IT infrastructure. This eliminates the need to manually provision and manage servers, OS, database connections, storage, and other elements every time we want to develop, test, or deploy an application.
2. IaC allows us to define the computer systems on which code needs to run. Most commonly, we use a framework like Chef, Ansible, Puppet, etc., to define their infrastructure. These automation and orchestration tools focus on the provisioning and configuring of base compute infrastructure.
3. IaC is also an essential DevOps practice. It enables teams to rapidly create and version infrastructure in the same way they version source code and to track these versions so as to avoid inconsistency among IT environments that can lead to serious issues during deployment.

• Idempotence is a principle of IaC. This means a deployment command always sets the target environment into the same configuration, regardless of the environment's starting state.
  • Idempotency is achieved by either automatically configuring an existing target or discarding the existing target and recreating a fresh environment.

Automation/Orchestration

Orchestration describes the automated arrangement, coordination, and management of complex computer systems, middleware, and services.

This usage of orchestration is often discussed in the context of service-oriented architecture, virtualization, provisioning, converged infrastructure, and dynamic data center topics. Orchestration in this sense is about aligning the business request with the applications, data, and infrastructure.

It defines the policies and service levels through automated workflows,
provisioning, and change management. This creates an application-aligned infrastructure that can be scaled up or down based on the needs of each application.

As the requirement for more resources or a new application is triggered, automated tools now can perform tasks that previously could only be done by multiple administrators operating on their individual pieces of the physical stack.

Orchestration also provides centralized management of the resource pool, including billing, metering, and chargeback for consumption. For example, orchestration reduces the time and effort for deploying multiple instances of a single application.

Info-Tech Insight

Automation and orchestration tools can be key components of an effective governance toolkit too! Remember to understand what data can be pulled from your various tools and leveraged for other purposes such as cost management and portfolio roadmapping.

Automation/Orchestration

There are a wide variety of orchestration and automation tools and technologies.

Configuration Management

Configuration Management
CI/CD Orchestration
Container Orchestration
Cloud-Specific Orchestration
PaaS Orchestration

Info-Tech Insight

Automation and orchestration tools and software offerings are plentiful, and many of them have a different focus on where in the application delivery ecosystem they provide automation functionality.

Often there are different tools for different deployment and service models as well as for different functional phases for each service model.

Automation/Orchestration

Every tool focuses on different aspects or functions of the deployment of resources and applications.

• Resources
  • Compute
  • Storage
  • Network
• Extended Services
  • Platforms
  • Infrastructure Services
  • Web Services
• Application Assets
  • Images
  • Templates
  • Containers
  • Code

Info-Tech Insight

Let the large ecosystem of tools be your ally. Leverage the right tools where needed and then address the complexity of tools using a master orchestration scheme.

Metaorchestration

Additionally, most tools do not cover all aspects required for most automation implementations, especially in hybrid cloud scenarios.

As such, often multiple tools must be deployed, which can lead to fragmentation and loss of unified controls.

Many enterprises address this fragmentation using a cloud management platform approach.

One method of achieving this is to establish a higher layer of orchestration – an "orchestrator of orchestrators," or metaorchestration.

In complex scenarios, this can be a challenge that requires customization and development.

InfraOps tools ecosystem

Build a virtuous cycle

Remember, the goal is to increase speed AND reliability. That's why we focus on removing friction from our delivery pipelines.

• The first step is to identify the points of friction in your cycle and understand the intensity and frequency of these friction points.
• Depending on your delivery and project management methodology, you'll have a different posture of the different tools that make sense for your pipeline.
• For example, if you are focused on delivering raw resources for sysadmins and/or you're in a Waterfall methodology where the friction points are large but infrequent, hyperconverged is likely to delivery good value, whereas tools like IaC and orchestration may not be as necessary.

Info-Tech Insight

Remember that, especially in modern and rapid methodologies, your IT footprint can drift unexpectedly. This means you need a real feedback mechanism on where the friction moves to next.

This is particularly important in more Agile methodologies.

Activity: Map your IT operations delivery

Identify your high-friction interstitial points

• Using the table below, or a table modified to your delivery phases, map out the activities and tasks that are not standardized and automated.
• For the incoming and outgoing sections, think about what resources and activities need to be (or could be) created, destroyed, or repurposed to efficiently manage each cycle and the spaces between cycles.

Info-Tech Insight

Map your ops groups to the delivery cycles in your pipeline. How many delivery cycles do you have or need?

Good InfraOps is a reflection of governance policies, expressed by standards in architecture and automation.

Related Info-Tech Research

Evaluate Hyperconverged Infrastructure for Your Infrastructure Roadmap

• This Info-Tech note covers evaluation of HCI platforms.

Design Your Cloud Operations

• This Info-Tech blueprint covers organization of operations teams for various deployment and Agile modes.

Bibliography

Banks, Ethan, host. "Choosing Your Next Infrastructure." Datanauts, episode 094, Packet Pushers, 26 July 2017. Podcast.
"Composable Infrastructure Solutions." Hewlett Packard Canada, n.d. Web.
"Composable Infrastructure Technology." Liqid Inc., n.d. Web.
"DataOps architecture design." Azure Architecture Center, Microsoft Learn, n.d. Web.
Tan, Pei Send. "Differences: DevOps, ITOps, MLOps, DataOps, ModelOps, AIOps, SecOps, DevSecOps." Medium, 5 July 2021. Web.

Define the Role of Project Management in Agile and Product-Centric Delivery

Projects and products are not mutually exclusive.

Table of Contents

3 Analyst Perspective

4 Executive Summary

7 Step 1.1: Clarify How You Want to Talk About Projects and Products

13 Step 1.2: Align Project Management and Agility

16 Step 1.3: Specify the Different Activities for Project Management

20 Step 1.4: Identify Key Differences in Funding of Products Instead of Projects

25 Where Do I Go Next?

26 Bibliography

Analyst Perspective

Project management still has an important role to play!

When moving to more product-centric delivery practices, many assume that projects are no longer necessary. That isn’t necessarily the case!

Product delivery can mean different things to different organizations, and in many cases it can involve the need to maintain both projects and project delivery.

Projects are a necessary vehicle in many organizations to drive value delivery, and the activities performed by project managers still need to be done by someone. It is the form and who is involved that will change the most.

Ari Glaizel Practice Lead, Applications Delivery and Management Info-Tech Research Group

Executive Summary

Info-Tech Insight

There is no one-size-fits-all approach to product delivery. For many organizations product delivery requires detailed project management practices, while for others it requires much less. Taking an outcome-first approach when planning your product transformation is critical to make the right decision on the balance between project and product management.

Your evolution of delivery practice is not a binary switch

1. PROJECTS WITH WATERFALL The project manager is accountable for delivery of the project, and the project manager owns resources and scope.
2. PROJECTS WITH AGILE DELIVERY A transitional state where the product owner is accountable for feature delivery and the project manager accountable for the overall project.
3. PRODUCTS WITH AGILE PROJECT AND OPERATIONAL DELIVERY The product owner is accountable for the delivery of the project and products, and the project manager plays a role of facilitator and enabler.
4. PRODUCTS WITH AGILE DELIVERY Delivery of products can happen without necessarily having projects. However, projects could be instantiated to cover major initiatives.

Info-Tech Insight

• Organizations do not need to go to full product and Agile delivery to improve delivery practices! Every organization needs to make its own determination on how far it needs to go. You can do it in one step or take each step and evaluate how well you are delivering against your goals and objectives.
• Many organizations will go to Products With Agile Project and Operational Delivery, and some will go to Products With Agile Delivery.

Activities to undertake as you transition to product-centric delivery

1. PROJECTS WITH WATERFALL
   • Clarify how you want to talk about projects and products. The center of the conversation will start to change.
2. PROJECTS WITH AGILE DELIVERY
   • Align project management and agility. They are not mutually exclusive (but not necessarily always aligned).
3. PRODUCTS WITH AGILE PROJECT AND OPERATIONAL DELIVERY
   • Specify the different activities for project management. As you mature your product practices, project management becomes a facilitator and collaborator.
4. PRODUCTS WITH AGILE DELIVERY
   • Identify key differences in funding. Delivering products instead of projects requires a change in the focus of your funding.

Step 1.1

Clarify How You Want to Talk About Projects and Products

Activities

• 1.1.1 Define “product” and “project” in your context
• 1.1.2 Brainstorm potential changes in the role of projects as you become Agile and product-centric

This step involves the following participants:

• Product owners
• Product managers
• Development team leads
• Portfolio managers
• Business analysts

Outcomes of this step

• An understanding of how the role can change through the evolution from project to more product-centric practices

Definition of terms

Project “A temporary endeavor undertaken to create a unique product, service, or result. The temporary nature of projects indicates a beginning and an end to the project work or a phase of the project work. Projects can stand alone or be part of a program or portfolio.” (PMBOK, PMI)

Product “A tangible solution, tool, or service (physical or digital) that enables the long-term and evolving delivery of value to customers and stakeholders based on business and user requirements.” (Deliver on Your Digital Product Vision, Info-Tech Research Group)

Info-Tech InsightLet these definitions be a guide, not necessarily to be taken verbatim. You need to define these terms in your context based on your particular needs and objectives. The only caveat is to be consistent with your usage of these terms in your organization.

1.1.1 Define “product” and “project” in your context

Output: Your enterprise/organizational definition of products and projects

Participants: Executives, Product/project managers, Applications teams

1. Discuss what “product” and “project” mean in your organization.
2. Create common, enterprise-wide definitions for “product” and “project.”

Agile and product management does not mean projects go away

Projects Within Products

Regardless of whether you recognize yourself as a “product-based” or “project-based” shop, the same basic principles should apply.

You go through a period or periods of project-like development to build or implement a version of an application or product.

You also have parallel services along with your project development that encompass the more product-based view. These may range from basic support and maintenance to full-fledged strategy teams or services like sales and marketing.

Info-Tech Note

As your product transformation continues, projects can become optional and needed only as part of your organization’s overall delivery processes

Identify the differences between a project-centric and a product-centric organization

Info-Tech Insight

Product delivery requires significant shifts in the way you complete development and implementation work and deliver value to your users. Make the changes that support improving end-user value and enterprise alignment.

1.1.2 Brainstorm potential changes in the role of projects as you become Agile and product-centric

5-10 minutes

Output: Increased appreciation of the relationship between project and product delivery

Participants: Executives, Product/project managers, Applications teams

• Discuss as a group:
  • What stands out in the evolution from project to product?
  • What concerns do you have with the change?
  • What will remain the same?
  • Which changes feel the most impactful?
  

Step 1.2

Align Project Management and Agility

Activities

• 1.2.1 Explore gaps in Agile/product-centric delivery of projects

This step involves the following participants:

• Executives
• Product/Project managers
• Applications teams

Outcomes of this step

• A clearer view of how agility can be introduced into projects.

Challenges with the project management role in Agile and product-centric organizations

Many project managers feel left out in the cold. That should not be the case!

In product-centric, Agile teams, many roles that a project manager previously performed are now taken care of to different degrees by the product owner, delivery team, and process manager.

The overall change alters the role of project management from one that orchestrates all activities to one that supports, monitors, and escalates.

Product Owner

• Defines the “what” and heavily involved in the “when” and the “why”
• Accountable for delivery of value

Delivery team members

• Define the “how”
• Accountable for building and delivering high-quality deliverables
• Can include roles like user experience, interaction design, business analysis, architecture

Process Manager

• Facilitates the other teams to ensure valuable delivery
• Can potentially, in a Scrum environment, play the scrum master role, which involves leading scrums, retrospectives, and sprint reviews and working to resolve team issues and impediments
• Evolves into more of a facilitator and communicator role

1.2.1 Explore gaps in Agile/ product-centric delivery of projects

5-10 minutes

Output: An assessment of what is in the way to effectively deliver on Agile and product-focused projects

Participants: Executives, Product/project managers, Applications teams

• Discuss as a group:
  • What project management activities do you see in Agile/product roles?
  • What gaps do you see?
  • How can project management help Agile/product teams be successful?

Step 1.3

Specify the Different Activities for Project Management

Activities

• 1.3.1 Articulate the changes in a project manager’s role

This step involves the following participants:

• Executives
• Product/Project managers
• Applications teams

Outcomes of this step

• An understanding of the role of project management in an Agile and product context

Kicking off the project

Product-centric delivery still requires key activities to successfully deliver value. Where project managers get their information from does change.

Project Charter Project managers should still define a charter and capture the vision and scope. The vision and high-level scope is primarily defined by the product owner. Key Stakeholders and Communication Clearly defining stakeholders and communication needs is still important. However, they are defined based on significant input and cues by the product owner. Standardizing on Tools and Processes To ensure consistency across projects, project managers will want to align tools to how the team manages their backlog and workflow. This will smooth communication about status with stakeholders.

Info-Tech Insight

1. Product management plays a similar role to the one that was traditionally filled by the project sponsor except for a personal accountability to the product beyond the life of the project.
2. When fully transitioned to product-centric delivery, these activities could be replaced by a product canvas. See Deliver on Your Digital Product Vision for more information.

During the project: Three key activities

The role of project management evolves from a position of ownership to a position of communication, collaboration, and coordination.

Support Communicate Agile/product team needs to leadership Liaise and co-ordinate for non-Agile/product-focused parts of the organization Coach members of the team Monitoring Regular status updates to PMO still required Metrics aligned with Agile/product practices Leverage similar tooling and approaches to what is done locally on Agile/product teams (if possible) Escalation Still a key escalation point for roadblocks that go outside the product teams Collaborate closely with Agile/product team leadership and scrum masters (if applicable)

1.3.1: Articulate the changes in a project manager’s role

5-10 minutes

Output: Current understanding of the role of project management in Agile/product delivery

Participants: Executives, Product/project managers, Applications teams

Why is this important?

Project managers still have a role to play in Agile projects and products. Agreeing to what they should be doing is critical to successfully moving to a product-centric approach to delivery.

• Review how Info-Tech views the role of project management at project initiation and during the project.
• Review the state of your Agile and product transformation, paying special attention to who performs which roles.
• Discuss as a group:
  • What are the current activities of project managers in your organization?
  • Based on how you see delivery practices evolving, what do you see as the new role of project managers when it comes to Agile-centric and product-centric delivery.

Step 1.4

Identify Key Differences in Funding of Products Instead of Projects

Activities

• 1.4.1 Discuss traditional versus product-centric funding methods

This step involves the following participants:

• Executives
• Product owners
• Product managers
• Project managers
• Delivery managers

Outcomes of this step

• Identified differences in funding of products instead of projects

Planning and budgeting for products and families

Reward for delivering outcomes, not features

Autonomy Fund what delivers value Fund long-lived delivery of value through products (not projects). Give autonomy to the team to decide exactly what to build.

Flexibility Allocate iteratively Allocate to a pool based on higher-level business case. Provide funds in smaller amounts to different product teams and initiatives based on need.

Accountability Measure and adjust Product teams define metrics that contribute to given outcomes. Track progress and allocate more (or less) funds as appropriate.

Info-Tech Insight Changes to funding require changes to product and Agile practices to ensure product ownership and accountability.

(Adapted from Bain & Company)

Budgeting approaches must evolve as you mature your product operating environment

Info-Tech Insight

As you evolve your approach to product delivery, you will be decoupling the expected benefits, forecast, and budget. Managing them independently will improve your ability adapt to change and drive the right outcomes!

1.4.1 Discuss traditional versus product-centric funding methods

Output: Understanding of funding principles and challenges

Participants: Executives, Product owners, Product managers, Project managers, Delivery managers

1. Discuss how projects are currently funded.
2. Review how the Agile/product funding models differ from how you currently operate.
3. What changes do you need to consider to support a product delivery model?
4. For each change, identify the key stakeholders and list at least one action to take.

Case Study

Global Digital Financial Services Company This financial services company looked to drive better results by adopting more product-centric practices. Its projects exhibited: High complexity/strong dependencies between components High implementation effort High clarification/reconciliation (more than two departments involved) Multiple methodologies (Agile/Waterfall/Hybrid) The team recognized they could not get rid of projects entirely, but getting to a level where there was a coordinated delivery between projects and products being implemented is important. Results Moving several initiatives to more product-centric practices allowed for: Delivery within current assigned capacity Limited need for coordination across departments Lower complexity A unified Agile approach to delivery Through balancing the needs of projects and products, there were three key insights about the project management’s role: The role of project management changes depending on the context of the work. There is no one-size-fits-all definition. Project management played a much bigger role when work spanned multiple products and business units. Project management was used as a key coordinator when delivery became complicated and multilayered.

Where Do I Go Next?

Bibliography

Cobb, Chuck. “Are there Project Managers in Agile?” High Impact Project Management, n.d. Web.

Cohn, Mike. “What Is a Product?” Mountain Goat Software, 6 Sept. 2016. Web.

Cobb, Chuck. “Agile Project Manager Job Description.” High Impact Project Management, n.d. Web.

“How do you define a product?” Scrum.org, 4 April 2017. Web.

Johnson, Darren, et al. “How to Plan and Budget for Agile at Scale.” Bain & Company, 8 Oct. 2019. Web.

“Product Definition.” SlideShare, uploaded by Mark Curphey, 25 Feb. 2007. Web.

Project Management Institute. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 7th ed., Project Management Institute, 2021.

Schuurman, Robbin. “Scrum Master vs Project Manager – An Overview of the Differences.” Scrum.org, 11 Feb 2020. Web.

Schuurman, Robbin. “Product Owner vs Project Manager.” Scrum.org, 12 March 2020. Web.

Vlaanderen, Kevin. “Towards Agile Product and Portfolio Management.” Academia.edu, 2010. Web.

“What is a Developer in Scrum?” Scrum.org, n.d. Web.

“What is a Scrum Master?” Scrum.org, n.d. Web.

“What is a Product Owner?” Scrum.org, n.d. Web.

Embrace the Inevitability of Multicloud

The heterogeneous ecosystem is worth it; you just need a cohesive strategy.

Executive summary

Info-Tech Insight

Embracing multicloud in your organization is an opportunity to gain control while enabling choice. Although it increases complexity for both IT operations and governance, with the right tools and principles in place you can reduce the IT burden and increase business agility at the same time.

Project overview

Aligning the terms

Modern organizations have multiple IT footprints. How do we classify different stances?

01 Hybrid Cloud
Private cloud and public cloud infrastructure managed as one entity

02 Multicloud
Includes multiple distinct public cloud services, or “footprints”

03 Hybrid IT
Putting the right workloads in the right places with an overall management framework

Info-Tech Insight

• Hybrid cloud is about applying the same service model across multiple deployment models (most commonly public and private clouds).
• Multicloud is about using multiple cloud offerings irrespective of differences in service model or deployment model.

Multicloud

• An approach that includes multiple distinct public cloud services (e.g. AWS EC2 but also Salesforce and M365)
• Usually defined around a steady state for each workload and footprint
• Everything in its right place (with portability for events and disasters)
• NOT everything everywhere all at once

Multicloud is inevitable

The SaaS ecosystem has led organizations to encourage business units to exercise the IT choices that are best for them.

The multicloud maturity journey

1. Move a workload to the cloud
2. Move more workloads to the same cloud
3. Move the right workloads to the right clouds
4. Hybrid cloud & multicloud
5. Integrate cloud and traditional/ on-premises footprints

Hybrid IT: Aggregate Management, Monitoring, Optimization, Continuous Improvement

Multicloud is about enabling choice while maintaining oversight

The broader your footprint, the harder it becomes to manage risks across each environment.

Managing multicloud risks

The risks in multicloud are the same as in traditional cloud but amplified by the differences across footprints and providers in your ecosystem.

• Variations across platforms include:
  • Rules
  • Security
  • Mapping corresponding products and services
• Training and certifications by platform/provider
• Managing cost across footprints
• Complexity of integration
• Managing compliance across platforms
• Loss of standardization due to multicloud fragmentation

Info-Tech Insight

Don’t be afraid to ask for help! Each cloud platform you adopt in your multicloud posture requires training, knowledge, and execution. If you’re already leveraging an ecosystem of cloud providers, leverage the ecosystem of cloud enablers as needed to help you on your way.

Despite the risks, multicloud is a springboard

Info-Tech Insight

Don’t bite off more than you can chew! Especially with IaaS and PaaS services, it’s important to ensure you have the skills and bandwidth to manage and deploy services effectively. It’s better to start with one IaaS platform, master it, and then expand.

Let your workloads guide the way

Multicloud is a road to best-of-breed everything

Stick with a workload-level approach

The principles of cloud strategy don’t change with multicloud!
If anything, a multicloud approach increases your ability to put the right workloads in the right places, wherever that may be.
It can also (with some work and tooling) provide even broader options for portability and resilience.

Multicloud = multiple right places

Put everything in its right place.

Just like with any cloud strategy, start with a workload-level approach and figure out the right migration path and landing point for your workload in cloud.

Understand the other right places!

Multicloud means for many workloads, especially IaaS- and PaaS-focused ones, you will have multiple footprints you can use for secondary locations as desired for portability, resilience, and high availability (with the right tooling and design).

Info-Tech Insight

Portability is always a matter of balancing increased flexibility, availability, and resilience against increased complexity, maintenance effort, and cost. Make sure to understand the requirement for your workloads and apply portability efforts where they make the most sense

Your management will need to evolve

Don’t manage multicloud with off-the-rack tools.

The default dashboards and management tools from most cloud vendors are a great starting point when managing a single cloud. Unfortunately, most of these tools do not extend well to other platforms, which can lead to multiple dashboards for multiple footprints.

These ultimately lead to an inability to view your multicloud portfolio in aggregate and fragmentation of metrics and management practices across your various platforms. In such a situation maintaining compliance and control of IT can become difficult, if not impossible!

Unified standards and tools that work across your entire cloud portfolio will help keep you on track, and the best way to realize these is by applying repeatable, open standards across your various environments and usually adopting new software and tools from the ecosystem of multicloud management software platforms available in the market.

Info-Tech Insight

Even in multicloud, don’t forget that the raw data available from the vendor’s default dashboards is a critical source of information for optimizing performance, efficiency, and costs.

Multicloud management tool selection

The ecosystem is heterogeneous.

The explosion of cloud platforms and stacks means no single multicloud management tool can provide support for every stack in the private and public cloud ecosystem. This challenge becomes even greater when moving from IaaS/PaaS to addressing the near-infinite number of offerings available in the SaaS market.

When it comes to selecting the right multicloud management tool, it’s important to keep a few things in mind:

1. Mapping your requirements to the feature sets for your multicloud management platform is critical.
2. Depending on your goals and metrics, and the underlying platforms and data you need to collect from them, you may need more than one tool.
3. Especially when it comes to integrating SaaS into your multicloud tool(s), development or partners may be required.

Key Features

• Portability
• Cost management
• Automation across vendors
• Standardization of configuration
• Security alignment across vendors
• Unified provisioning and self-service

Info-Tech Insight

SaaS always presents a unique challenge for gathering necessary cloud management data. It’s important to understand what data is and isn’t available and how it can be accessed and made available to your multicloud management tools.

Understand your vendors

Define what you are looking for as a first step.

• To best understand your options, you need to understand the focus, features, and support services for each vendor. Depending on your requirements, you may need to adopt more than one tool.
• Remember that SaaS presents unique challenges in terms of accessing and ingesting data into your management tools. This will generally require development to leverage the provider’s API.
• Within the following slides, you will find a defined activity with a working template that will create a vendor profile for each vendor.

As a working example, you can review these vendors on the following slides:

• VMware CloudHealth
• ServiceNow ITOM
• CloudCheckr

Info-Tech Insight

Creating vendor profiles will help quickly identify the management tools that meet your multicloud needs.

Vendor Profile #1

VMware CloudHealth

Vendor Summary

CloudHealth is a VMware management suite that provides visibility into VMware-based as well as public cloud platforms. CloudHealth focuses on providing visibility to costs and governance as well as applying automation and standardization of configuration and performance across cloud platforms.

URL: cloudhealth.vmware.com

Supported Platforms

Supports AWS, Azure, GCP, OCI, VMware

Feature Sets

• Portability
• Cost management
• Automation across platforms
• Standardization of configuration
• Security alignment across platforms
• Unified provisioning and self-service

Vendor Profile #2

ServiceNow ITOM

Vendor Summary

ServiceNow IT Operations Management (ITOM) is a module for the ServiceNow platform that allows deep visibility and automated intervention/remediation for resources across multiple public and private cloud platforms. In addition to providing a platform for managing workload portability and costs across multiple cloud platforms, ServiceNow ITOM offers features focused on delivering “proactive digital operations with AIOps.”

URL: servicenow.com/products/it-operations-management.html

Supported Platforms

Supports CloudFormation, ARM, GDM, and Terraform templates. Also provisions virtualized VMware environments.

Feature Sets

• Portability
• Cost management
• Automation across platforms
• Standardization of configuration
• Security alignment across platforms
• Unified provisioning and self-service

Vendor Profile #3

CloudCheckr

Vendor Summary

CloudCheckr is a SaaS platform that provides end-to-end cloud management to control cost, ensure security, optimize resources, and enable services. Primarily focused on enabling management of public cloud services, CloudCheckr’s broad platform support and APIs can be used to deliver unified visibility across many multicloud postures.

URL: cloudcheckr.com

Supported Platforms

Supports AWS, Azure, GCP, SAP Hana

Feature Sets

• Portability
• Cost management
• Automation across platforms
• Standardization of configuration
• Security alignment across platforms
• Unified provisioning and self-service

Activity

Understand your vendor options

This activity involves the following participants:

• IT strategic direction decision makers
• Cloud governance team
• Cloud deployment team
• Vendor and portfolio management

Outcomes of this step:

• Vendor profile template (ppt)

Info-Tech Insight

This checkpoint process creates transparency around agreement costs with the business and gives the business an opportunity to reevaluate its requirements for a potentially leaner agreement.

Create your vendor profiles

Define what you are looking for and score vendors accordingly.

1. Create a vendor profile for every vendor of interest.
2. Leverage our starting list and template to track and record the advantages of each vendor.

• Morpheus (morpheusdata.com)
• OpenStack (openstack.org)
• Cloudify (cloudify.co)
• Cloudamize (cloudamize.com)
• Flexera (flexera.com)
• Virtana (virtana.com)
• IBM Multicloud Manager (ibm.com)

Vendor Profile Template

Land on your feet

Best practices to hit the ground running in multicloud

Focus your multicloud posture on SaaS (to start)

Where the data sits matters

With multiple SaaS workloads as well as IaaS and PaaS footprints, one of the biggest challenges to effective multicloud is understanding where any given data is, what needs access to it, and how to stitch it all together.

In short, you need a strategy to understand how to collect and consolidate data from your multiple footprints.

Relying solely on the built-in tools and dashboards provided by each provider inevitably leads to data fragmentation – disparate data sets that make it difficult to gain clear, unified visibility into your cloud’s data.

To address the challenge of fragmented data, many organizations will require a multicloud-capable management platform that can provide access and visibility to data from all sources in a unified way.

Weigh portability against nativeness

When it comes to multicloud, cloud-native design is both your enemy and your friend. On one hand, it provides the ability to fully leverage the power and flexibility of your chosen platform to run your workload in the most on-demand, performance-efficient, utility-optimized way possible.

But it’s important to remember that building cloud-native for one platform directly conflicts with that workload’s portability to other platforms! You need to understand the balance between portability and native effectiveness that works best for each of your workloads.

Info-Tech Insight

You can (sort of) have the best of both worlds! While the decision to focus on the cloud-native products, services, and functions from a given cloud platform must be weighed carefully, it’s still a good idea to leverage open standards and architectures for your workloads, as those won’t hamper your portability in the same way.

Broaden your cost management approach

Even on singular platforms, cloud cost management is no easy task. In multicloud, this is amplified by the increased scale and scope of providers, products, rates, and units of measure.

There is no easy solution to this – ultimately the same accountabilities and tasks that apply to good cost management on one cloud also apply to multicloud, just at greater scale and impact.

Info-Tech Insight

Evolving your tooling applies to cost management too. While the vendor-provided tools and dashboards for cost control on any given cloud provider’s platform are a good start and a critical source for data, to get a proper holistic view you will usually require multicloud cost management software (and possibly some development work).

Think about the sky between the clouds

A key theme in cloud service pricing is “it’s free to come in, but it costs to leave.” This is a critical consideration when designing the inflows and outflows of data, interactions, transactions, and resources among workloads sitting on different platforms and different regions or footprints.

When defining your multicloud posture, think about what needs to flow between your various clouds and make sure to understand how these flows will affect costs, performance, and throughput of your workloads and the business processes they support.

• Integration and Interfaces
• Business Process and Application Flows
• Inter-cloud Transit Costs

Mature your management technology

Info-Tech Insight

Embrace openness! Leveraging open standards and technologies doesn’t just ease portability in multicloud; it also helps rationalize telemetry and metrics across platforms, making it easier to achieve a unified management view.

Multicloud security

Multicloud security challenges remain focused around managing user and role complexity

• Fragmentation of identity and access management
• Controlling access across platforms
• Increased complexity of roles
• API security
• Managing different user types and subscriptions across different service models
• Managing security best practices across multiple platforms
• Potential increased attack surface

Info-Tech Insight

Don’t reinvent the wheel! Where possible, leverage your existing identity and access management platforms and role-based access control (RBAC) discipline and extend them out to your cloud footprints.

Don’t fall in reactively!

1. Multicloud isn’t bad or good.
2. Put everything the right place; understand the other right places.
3. Know where your data goes.
4. Automation is your friend.
5. Strategy fundamentals don’t change.
6. Focus on SaaS (to start).
7. Embrace openness.
8. Modernize your tools.

Related Info-Tech Research

Define Your Cloud Vision
This blueprint covers a workload-level approach to determining cloud migration paths

10 Secrets for Successful Disaster Recovery in the Cloud
This research set covers general cloud best practices for implement DR and resilience in the cloud.

Bibliography

“7 Best Practices for Multi-Cloud Management.” vmware.com, 29 April 2022. Web.
Brown, Chalmers. “Six Best Practices For Multi-Cloud Management.” Forbes, 22 Jan. 2019. Web.
Curless, Tim. “The Risks of Multi-Cloud Outweigh the Benefits.” AHEAD, n.d. Web.
Tucker, Ryan. “Multicloud Security: Challenges and Solutions.” Megaport, 29 Sept 2022. Web.
Velimirovic, Andreja. “How to Implement a Multi Cloud Strategy.” pheonixNAP, 23 June 2021. Web.
“What is a Multi-Cloud Strategy?” vmware.com, n.d. Web.

Hire or Develop a World-Class CISO

Find a strategic and security-focused champion for your business.

Analyst Perspective

Create a plan to become the security leader of tomorrow

The days are gone when the security leader can stay at a desk and watch the perimeter. The rapidly increasing sophistication of technology, and of attackers, has changed the landscape so that a successful information security program must be elastic, nimble, and tailored to the organization’s specific needs.

The Chief Information Security Officer (CISO) is tasked with leading this modern security program, and this individual must truly be a Chief Officer, with a finger on the pulses of the business and security processes at the same time. The modern, strategic CISO must be a master of all trades.

A world-class CISO is a business enabler who finds creative ways for the business to take on innovative processes that provide a competitive advantage and, most importantly, to do so securely.

Cameron Smith
Research Lead, Security & Privacy
Info-Tech Research Group

Executive Summary

Info-Tech Insight
The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

Your challenge

This Info-Tech blueprint will help you hire and develop a strategic CISO

• Security without strategy is a hacker’s paradise.
• The outdated model of information security is tactical, where security acts as a watchdog and responds.
• The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

Around one in five organizations don’t have an individual with the sole responsibility for security¹

¹ Navisite

Info-Tech Insight
Assigning security responsibilities to departments other than security can lead to conflicts of interest.

Common obstacles

It can be difficult to find the right CISO for your organization

• The smaller the organization, the less likely it will have a CISO or equivalent position.
• Because there is a shortage of qualified candidates, qualified CISOs can demand high salaries and many CISO positions will go unfilled.
• It is easier for larger companies to attract top CISO talent, as they generally have more resources available.

Source: Navisite

Only 36% of small businesses have a CISO (or equivalent position).

48% of mid-sized businesses have a CISO.

90% of large organizations have a CISO.

Source: Navisite

Strategic versus tactical

CISOs should provide leadership based on a strategic vision ¹

¹ Journal of Computer Science and Information Technology

Info-Tech has identified three key behaviors of the world-class CISO

To determine what is required from tomorrow’s security leader, Info-Tech examined the core behaviors that make a world-class CISO. These are the three areas that a CISO engages with and excels in.

Later in this blueprint, we will review the competencies and skills that are required for your CISO to perform these behaviors at a high level.

Align

Aligning security enablement with business requirements

Enable

Enabling a culture of risk management

Manage

Managing talent and change

Info-Tech Insight
Through these three overarching behaviors, you can enable a security culture that is aligned to the business and make security elastic, flexible, and nimble to maintain the business processes.

Info-Tech’s approach

Info-Tech’s methodology to Develop or Hire a World-Class CISO

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

CISO Core Competency Evaluation Tool

Assess the competency levels of a current or prospective CISO and identify areas for improvement.

Stakeholder Power Map Template

Visualize the importance of various stakeholders and their concerns.

Stakeholder Management Strategy Template

Document a plan to manage stakeholders and track actions.

Key deliverable:

CISO Development Plan Template

The CISO Development Plan Template is used to map specific activities and time frames for competency development to address gaps and achieve your goal.

Strategic competencies will benefit the organization and the CISO

Career development should not be seen as an individual effort. By understanding the personal core competencies that Info-Tech has identified, the individual wins by developing relevant new skills and the organization wins because the CISO provides increased value.

Measured value of a world-class CISO

Organizations with a CISO saw an average of $145,000 less in data breach costs.¹

However, we aren’t talking about hiring just any CISO. This blueprint seeks to develop your CISO’s competencies and reach a new level of effectiveness.

Organizations invest a median of around $375,000 annually in their CISO.² The CISO would have to be only 4% more effective to represent $15,000 more value from this position. This would offset the cost of an Info-Tech workshop, and this conservative estimate pales in comparison to the tangible and intangible savings as shown below.

Your specific benefits will depend on many factors, but the value of protecting your reputation, adopting new and secure revenue opportunities, and preventing breaches cannot be overstated. There is a reason that investment in information security is on the rise: Organizations are realizing that the payoff is immense and the effort is worthwhile.

¹ IBM Security
² Heidrick & Struggles International, Inc.

Case Study

In the middle of difficulty lies opportunity

SOURCE
Kyle Kennedy
CISO, CyberSN.com

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 10 calls over the course of 3 to 6 months.

Phase 1

Launch

Phase 1
1.1 Understand Core Competencies
1.2 Measure Security and Business Satisfaction and Alignment

Phase 2
2.1 Assess Stakeholder Relationships
2.2 Assess the Core Competencies

Phase 3
3.1 Identify Resources to Address Competency Gaps
3.2 Plan Approach to Improve Stakeholder Relationships

Phase 4
4.1 Decide Next Actions and Support Your CISO Moving Forward
4.2 Regularly Reassess to Measure Development and Progress

This phase will walk you through the following activities:

• Review and understand the core competencies of a world-class CISO.
• Launch your diagnostic survey.
• Evaluate current business satisfaction with IT security.
• Determine the competencies that are valuable to your IT security program’s needs.

Hire or Develop a World-Class CISO

Case study

Mark Lester
InfoSec Manager, SC Ports Authority

An organization hires a new Information Security Manager into a static and well-established IT department.

Situation: The organization acknowledges the need for improved information security, but there is no framework for the Security Manager to make successful changes.

Follow this case study throughout the deck to see this organization’s results

Step 1.1

Understand the Core Competencies of a World-Class CISO

Activities

Review core competencies the security leader must develop to become a strategic business partner

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step
Analysis and understanding of the eight strategic CISO competencies required to become a business partner

Launch

Core competencies

Info-Tech has identified eight core competencies affecting the CISO’s progression to becoming a strategic business partner.

1.1 Understand the core competencies a CISO must focus on to become a strategic business partner

< 1 hour

Over the next few slides, review each world-class CISO core competency. In Step 1.2, you will determine which competencies are a priority for your organization.

1.1 Understand the core competencies (continued)

1.1 Understand the core competencies (continued)

1.1 Understand the core competencies (continued)

Step 1.2

Evaluate satisfaction and alignment between the business and IT security

Activities

• Conduct the Information Security Business Satisfaction and Alignment diagnostic
• Use your results as input into the CISO Core Competency Evaluation Tool

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step
Determine current gaps in satisfaction and alignment between information security and your organization.

If seeking to hire/develop a CISO: Your diagnostic results will help develop a profile of the ideal CISO candidate to use as a hiring and interview guide.

If developing a current CISO, use your diagnostic results to identify existing competency gaps and target them for improvement.

For the CISO seeking to upgrade capabilities: Use the core competencies guide to self-assess and identify competencies that require improvement.

Launch

1.2 Get started by conducting Info-Tech’s Information Security Business Satisfaction and Alignment diagnostic

The primary goal of IT security is to protect the organization from threats. This does not simply mean bolting everything down, but it means enabling business processes securely. To do this effectively requires alignment between IT security and the overall business.

• Once you have completed the diagnostic, call Info-Tech to review your results with one of our analysts.
• The results from this assessment will provide insights to inform your entries in the CISO Core Competency Evaluation Tool.

Call an analyst to review your results and provide you with recommendations.

Info-Tech Insight
Focus on the high-priority competencies for your organization. You may find a candidate with perfect 10s across the board, but a more pragmatic strategy is to find someone with strengths that align with your needs. If there are other areas of weakness, then target those areas for development.

1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

• Your diagnostic results will indicate where your information security program is aligned well or poorly with your business.
• For example, the diagnostic may show significant misalignment between information security and executives over the level of external compliance. The CISO behavior that would contribute to solving this is aligning security enablement with business requirements.
  • This misalignment may be due to a misunderstanding by either party. The competencies that will contribute to resolving this are communication, technical knowledge, and business acumen.
  • This mapping method is what will be used to determine which competencies are most important for your needs at the present moment.

Download the CISO Core Competency Evaluation Tool

1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

1. Starting on Tab 2: CISO Core Competencies, use your understanding of each competency from section 1.1 along with the definitions described in the tool.
   • For each competency, assign a degree of importance using the drop-down menu in the second column from the right.
   • Importance ratings will range from not at all important at the low end to critically important at the high end.
   • Your importance score will be influenced by several factors, including:
     • The current alignment of your information security department.
     • Your organizational security posture.
     • The size and structure of your organization.
     • The existing skills and maturity within your information security department.

Download the CISO Core Competency Evaluation Tool

1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

2. Still on Tab 2. CISO Core Competencies, you will now assign a current level of effectiveness for each competency.
   • This will range from foundational at a low level of effectiveness up to capable, then inspirational, and at the highest rating, transformational.
   • Again, this rating will be very specific to your organization, depending on your structure and your current employees.
   • Fundamentally, these scores will reflect what you want to improve in the area of information security. This is not an absolute scale, and it will be influenced by what skills you want to support your goals and direction as an organization.

Download the CISO Core Competency Evaluation Tool

Phase 2

Assess

Phase 1
1.1 Understand Core Competencies
1.2 Measure Security and Business Satisfaction and Alignment

Phase 2
2.1 Assess Stakeholder Relationships
2.2 Assess the Core Competencies

Phase 3
3.2 Plan Approach to Improve Stakeholder Relationships

Phase 4
4.1 Decide Next Actions and Support Your CISO Moving Forward
4.2 Regularly Reassess to Measure Development and Progress

This phase will walk you through the following activities:

• Use the CISO Core Competency Evaluation Tool to create and implement an interview guide.
• Assess and analyze the core competencies of your prospective CISOs. Or, if you are a current CISO, use the CISO Core Competency Evaluation Tool as a self-analysis and identify areas for personal development.
• Evaluate the influence, impact, and support of key executive business stakeholders using the CISO Stakeholder Power Map Template.

Hire or Develop a World-Class CISO

Case study

Mark Lester
InfoSec Manager, SC Ports Authority

The new Security Manager engages with employees to learn the culture.

Outcome: Understand what is important to individuals in order to create effective collaboration. People will engage with a project if they can relate it to something they value.

Follow this case study throughout the deck to see this organization’s results

Step 2.1

Identify key stakeholders for the CISO and assess current relationships

Activities

Evaluate the power, impact, and support of key stakeholders

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step

• Power map of executive business stakeholders
• Evaluation of each stakeholder in terms of influence, impact, and current level of support

Assess

Identify key stakeholders who own business processes that intersect with security processes

Info-Tech Insight
Most organizations don’t exist for the sole purpose of doing information security. For example, if your organization is in the business of selling pencils, then information security is in business to enable the selling of pencils. All the security in the world is meaningless if it doesn’t enable your primary business processes. The CISO must always remember the fundamental goals of the business.

The above insight has two implications:

1. The CISO needs to understand the key business processes and who owns them, because these are the people they will need to collaborate with. Like any C-level, the CISO should be one of the most knowledgeable people in the organization regarding business processes.
2. Each of these stakeholders stands to win or lose depending on the performance of their process, and they can act to either block or enable your progress.
   • To work effectively with these stakeholders, you must learn what is important to them, and pose your initiatives so that you both benefit.

When people are not receptive to the CISO, it’s usually because the CISO has not been part of the discussion when plans were being made. This is the heart of proactivity.

You need to be involved from the start … from the earliest part of planning.

The job is not to come in late and say “No” ... the job is to be involved early and find creative and intelligent ways to say “Yes.”

The CISO needs to be the enabling security asset that drives business.

– Elliot Lewis, CEO at Keyavi Data

Evaluate the importance of business stakeholders and the support necessary from them

The CISO Stakeholder Power Map Template is meant to provide a visualization of the CISO’s relationships within the organization. This should be a living document that can be updated throughout the year as relationships develop and the structure of an organization changes.

At a glance, this tool should show:

• How influential each stakeholder is within the company.
• How supportive they currently are of the CISO’s initiatives.
• How strongly each person is impacted by IT security activities.

Once this tool has been created, it provides a good reference as the CISO works to develop lagging relationships. It shows the landscape of influence and impact within the organization, which may help to guide the CISO’s strategy in the future.

Download the CISO Stakeholder Power Map Template

Evaluate the importance of business stakeholders and the support necessary from them

1. Identify key stakeholders.
   1. Focus on owners of important business processes.
2. Evaluate and map each stakeholder in terms of:
   1. Influence (up/down)
   2. Support (left/right)
   3. Impact (size of circle)
   4. Involvement (color of circle)
3. Decide whether the level of support from each stakeholder needs to change to facilitate success.

Info-Tech Insight
Some stakeholders must work closely with your incoming CISO. It is worth consideration to include these individuals in the interview process to ensure you will have partners that can work well together. This small piece of involvement early on can save a lot of headache in the future.

Where can you find your desired CISO?

Once you know which competencies are a priority in your new CISO, the next step is to decide where to start looking. This person may already exist in your company.

Ready to start looking for your ideal candidate? You can use Info-Tech’s Chief Information Security Officer job description template.

Use the CISO job description template

Alternatives to hiring a CISO

Small organizations are less able to muster the resources required to find and retain a CISO,

Why would an organization consider a vCISO?

• A vCISO can provide services that are flexible, technical, and strategic and that are based on the specific requirements of the organization.
• They can provide a small organization with program maturation within the organization’s resources.
• They can typically offer depth of experience beyond what a small business could afford if it were to pursue a full-time CISO.

Source: InfoSec Insights by Sectigo Store

Why would an organization not consider a vCISO?

• The vCISO’s attention is divided among their other clients.
• They won’t feel like a member of your organization.
• They won’t have a deep understanding of your systems and processes.

Source: Georgia State University

Step 2.2

Assess CISO candidates and evaluate their current competency

Activities

Assess CISO candidates in terms of desired core competencies

or

Self-assess your personal core competencies

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO

or

• Current CISO seeking to upgrade capabilities

and

• Any key stakeholders or collaborators you choose to include in the assessment process

Outcomes of this step

• You have assessed your requirements for a CISO candidate.
• The process of hiring is under way, and you have decided whether to hire a CISO, develop a CISO, or consider a Counselor Seat as another option.

Assess

2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to assess your CISO candidate

Download the CISO Core Competency Evaluation Tool

Info-Tech Insight
The most important competencies should be your focus. Unless you are lucky enough to find a candidate that is perfect across the board, you will see some areas that are not ideal. Don’t forget the importance you assigned to each competency. If a candidate is ideal in the most critical areas, you may not mind that some development is needed in a less important area.

2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to evaluate your candidates

After deciding the importance of and requirements for each competency in Phase 1, assess your CISO candidates.

Your first pass on this tool will be to look at internal candidates. This is the develop a CISO option.

1. In the previous phase, you rated the Importance and Current Effectiveness for each competency in Tab 2. CISO Core Competencies. In this step, use Tab 3. Gap Analysis to enter a Minimum Level and a Desired Level for each competency. Keep in mind that it may be unrealistic to expect a candidate to be fully developed in all aspects.
2. Next, enter a rating for your candidate of interest for each of the eight competencies.
3. This scorecard will generate an overall suitability score for the candidate. The color of the output (from red to green) indicates the suitability, and the intensity of the color indicates the importance you assigned to that competency.

Download the CISO Core Competency Evaluation Tool

2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to evaluate your candidates

• If the internal search does not identify a suitable candidate, you will want to expand your search.
• Repeat the scoring process for external candidates until you find your new CISO.
• You may want to skip your external search altogether and instead contact Info-Tech for more information on our Counselor Seat options.

Download the CISO Core Competency Evaluation Tool

Phase 3

Plan

Phase 1
1.1 Understand Core Competencies
1.2 Measure Security and Business Satisfaction and Alignment

Phase 2
2.1 Assess Stakeholder Relationships
2.2 Assess the Core Competencies

Phase 3
3.1 Identify Resources to Address Competency Gaps
3.2 Plan Approach to Improve Stakeholder Relationships

Phase 4
4.1 Decide Next Actions and Support Your CISO Moving Forward
4.2 Regularly Reassess to Measure Development and Progress

This phase will walk you through the following activities:

• Create a plan to develop your competency gaps.
• Construct and consider your organizational model.
• Create plan to cultivate key stakeholder relationships.

Hire or Develop a World-Class CISO

Case study

Mark Lester
InfoSec Manager, SC Ports Authority

The new Security Manager changes the security culture by understanding what is meaningful to employees.

Outcome: Engage with people on their terms. The CISO must speak the audience’s language and express security terms in a way that is meaningful to the audience.

Follow this case study throughout the deck to see this organization’s results

Step 3.1

Identify resources for your CISO to remediate competency gaps

Activities

Create a plan to remediate competency gaps

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO
• The newly hired CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step

• Identification of core competency deficiencies
• A plan to close the gaps

Plan

3.1 Close competency gaps with Info-Tech’s Cybersecurity Workforce Development Training

Resources to close competency gaps

Info-Tech’s Cybersecurity Workforce Training develops critical cybersecurity skills missing within your team and organization. The leadership track provides the same deep coverage of technical knowledge as the analyst track but adds hands-on support and has a focus on strategic business alignment, program management, and governance.

The program builds critical skills through:

• Standardized curriculum with flexible projects tailored to business needs
• Realistic cyber range scenarios
• Ready-to-deploy security deliverables
• Real assurance of skill development

Info-Tech Insight
Investing in a current employee that has the potential to be a world-class CISO may take less time, effort, and money than finding a unicorn.

Learn more on the Cybersecurity Workforce Development webpage

3.1 Identify resources for your CISO to remediate competency gaps

< 2 hours

3.1 Identify resources for your CISO to remediate competency gaps (continued)

< 2 hours

Info-Tech Insight
Surround yourself with great people. Insecure leaders surround themselves with mediocre employees that aren’t perceived as a threat. Great leaders are supported by great teams, but you must choose that great team first.

3.1 Identify resources for your CISO to remediate competency gaps (continued)

< 2 hours

3.1 Identify resources for your CISO to remediate competency gaps (continued)

< 2 hours

3.1 Identify resources for your CISO to remediate competency gaps (continued)

< 2 hours

3.1 Create the CISO’s personal development plan

• Use Info-Tech’s CISO Development Plan Template to document key initiatives that will close previously identified competency gaps.
• The CISO Development Plan Template is used to map specific actions and time frames for competency development, with the goal of addressing competency gaps and helping you become a world-class CISO. This template can be used to document:
  • Core competency gaps
  • Security process gaps
  • Security technology gaps
  • Any other career/development goals
• If you have a coach or mentor, you should share your plan and report progress to that person. Alternatively, call Info-Tech to speak with an executive advisor for support and advice.
  • Toll-Free: 1-888-670-8889

What you will need to complete this exercise

• CISO Core Competency Evaluation Tool results
• Information Security Business Satisfaction and Alignment diagnostic results
• Insights gathered from business stakeholder interviews

Step 3.2

Plan an approach to improve your relationships

Activities

• Review engagement strategies for different stakeholder types
• Create a stakeholder relationship development plan

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO
• The newly hired CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step

• Stakeholder relationship strategy deliverable

Plan

Where should the CISO sit?

Where the CISO sits in the organization can have a big impact on the security program.

• Organizations with CISOs in the C-suite have a fewer security incidents.¹
• Organizations with CISOs in the C-suite generally have better IT ability.¹
• An organization whose CISO reports to the CIO risks conflict of interest.¹
• 51% of CISOs believe their effectiveness can be hampered by reporting lines.²
• Only half of CISOs feel like they are in a position to succeed.²

A formalized security organizational structure assigns and defines the roles and responsibilities of different members around security. Use Info-Tech’s blueprint Implement a Security Governance and Management Program to determine the best structure for your organization.

Who the CISO reports to, by percentage of organizations³

Download the Implement a Security Governance and Management Program blueprint

1. Journal of Computer Science and Information
2. Proofpoint
3. Heidrick & Struggles International, Inc

3.2 Make a plan to manage your key stakeholders

Managing stakeholders requires engagement, communication, and relationship management. To effectively collaborate and gain support for your initiatives, you will need to build relationships with your stakeholders. Take some time to review the stakeholder engagement strategies for different stakeholder types.

When building relationships, I find that what people care about most is getting their job done. We need to help them do this in the most secure way possible.

I don’t want to be the “No” guy, I want to enable the business. I want to find to secure options and say, “Here is how we can do this.”

– James Miller, Information Security Director, Xavier University

Download the CISO Stakeholder Management Strategy Template

Key players – Engage

Info-Tech Insight
Listen to your key players. They understand what is important to other business stakeholders, and they can provide valuable insight to guide your future strategy.

Mediators – Satisfy

Info-Tech Insight
Don’t dictate to stakeholders. Make them feel like valued contributors by including them in development and decision making. You don’t have to incorporate all their input, but it is essential that they feel respected and heard.

Noisemakers – Inform

Spectators – Monitor

3.2 Create the CISO’s stakeholder management strategy

Develop a strategy to manage key stakeholders in order to drive your personal development plan initiatives.

• The purpose of the CISO Stakeholder Management Strategy Template is to document the results of the power mapping exercise, create a plan to proactively manage stakeholders, and track the actions taken.
• Use this in concert with Info-Tech’s CISO Stakeholder Power Map Template to help visualize the importance of key stakeholders to your personal development. You will document:
  • Stakeholder role and type.
  • Current relationship with the stakeholder.
  • Level of power/influence and degree of impact.
  • Current and desired level of support.
  • Initiatives that require the stakeholder’s engagement.
  • Actions to be taken – along with the status and results.

What you will need to complete this exercise

• Completed CISO Stakeholder Power Map
• Security Business Satisfaction and Alignment Diagnostic results

Download the CISO Stakeholder Management Strategy Template

Phase 4

Execute

Phase 1
1.1 Understand Core Competencies
1.2 Measure Security and Business Satisfaction and Alignment

Phase 2
2.1 Assess Stakeholder Relationships
2.2 Assess the Core Competencies

Phase 3
3.1 Identify Resources to Address Competency Gaps
3.2 Plan Approach to Improve Stakeholder Relationships

Phase 4
4.1 Decide Next Actions and Support Your CISO Moving Forward
4.2 Regularly Reassess to Measure Development and Progress

This phase will walk you through the following activities:

• Populate the CISO Development Plan Template with appropriate targets and due dates.
• Set review and reassess dates.
• Review due dates with CISO.

Hire or Develop a World-Class CISO

Case study

Mark Lester
InfoSec Manager, SC Ports Authority

The new Security Manager leverages successful cultural change to gain support for new security investments.

Outcome: Integrating with the business on a small level and building on small successes will lead to bigger wins and bigger change.

Step 4.1

Decide next actions and support your CISO moving forward

Activities

• Complete the Info-Tech CISO Development Plan Template
• Create a stakeholder relationship development plan

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO
• The newly hired CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step

Next actions for each of your development initiatives

Execute

Establish a set of first actions to set your plan into motion

The CISO Development Plan Template provides a simple but powerful way to focus on what really matters to execute your plan.

• By this point, the CISO is working on the personal competency development while simultaneously overseeing improvements across the security program, managing stakeholders, and seeking new business initiatives to engage with. This can be a lot to juggle effectively.
• Disparate initiatives like these can hinder progress by creating confusion.
• By distilling your plan down to Subject > Action > Outcome, you immediately restore focus and turn your plans into actionable items.
• The outcome is most valuable when it is measurable. This makes progress (or lack of it) very easy to track and assess, so choose a meaningful metric.

Download the CISO Development Plan Template

4.1 Create a CISO development plan to keep all your objectives in one place

Use Info-Tech’s CISO Development Plan Template to create a quick and simple yet powerful tool that you can refer to and update throughout your personal and professional development initiatives. As instructed in the template, you will document the following:

Info-Tech Insight
A good plan doesn’t require anything that is outside of your control. Good measurable outcomes are behavior based rather than state based.
“Increase the budget by 10%” is a bad goal because it is ultimately reliant on someone else and can be derailed by an unsupportive executive. A better goal is “reduce spending by 10%.” This is something more within the CISO’s control and is thus a better performance indicator and a more achievable goal.

4.1 Create a CISO development plan to keep all your objectives in one place

Below you will find sample content to populate your CISO Development Plan Template. Using this template will guide your CISO in achieving the goals identified here.

The template itself is a metric for assessing the development of the CISO. The number of targets achieved by the due date will help to quantify the CISO’s progress.

You may also want to include improvements to the organization’s security program as part of the CISO development plan.

Check out the First 100 Days as CISO blueprint for guidance on bringing improvements to the security program

4.1 Use your action plan to track development progress and inform stakeholders

• As you progress toward your goals, continually update the CISO development plan. It is meant to be a living document.
• The Next Action Required should be updated regularly as you make progress so you can quickly jump in and take meaningful actions without having to reassess your position every time you open the plan. This is a simple but very powerful method.
• To view your initiatives in customizable ways, you can use the drop-down menu on any column header to sort your initiatives (i.e. by due date, completed status, area for development). This allows you to quickly and easily see a variety of perspectives on your progress and enables you to bring upcoming or incomplete projects right to the top.

Step 4.2

Regularly reassess to track development and progress

Activities

Create a calendar event for you and your CISO, including which items you will reassess and when

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO
• The newly hired CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step

Scheduled reassessment of the CISO’s competencies

Execute

4.2 Regularly evaluate your CISO’s progress

< 1 day

As previously mentioned, your CISO development plan is meant to be a living document. Your CISO will use this as a companion tool throughout project implementation, but periodically it will be necessary to re-evaluate the entire program to assess your progress and ensure that your actions are still in alignment with personal and organizational goals.

Info-Tech recommends performing the following assessments quarterly or twice yearly with the help of our executive advisors (either over the phone or onsite).

1. Sit down and re-evaluate your CISO core competencies using the CISO Core Competency Evaluation Tool.
2. Analyze your relationships using the CISO Stakeholder Power Map Template.
3. Compare all of these against your previous results to see what areas you have strengthened and decide if you need to focus on a different area now.
4. Consider your CISO Development Plan Template and decide whether you have achieved your desired outcomes. If not, why?
5. Schedule your next reassessment, then create a new plan for the upcoming quarter and get started.

Summary of Accomplishment

Knowledge Gained

• Understanding of the competencies contributing to a successful CISO
• Strategic approach to integrate the CISO into the organization
• View of various CISO functions from a variety of business and executive perspectives, rather than just a security view

Process Optimized

• Hiring of the CISO
• Assessment and development of stakeholder relationships for the CISO
• Broad planning for CISO development

Deliverables Completed

• IT Security Business Satisfaction and Alignment Diagnostic
• CISO Core Competency Evaluation Tool
• CISO Stakeholder Power Map Template
• CISO Stakeholder Management Strategy Template
• CISO Development Plan Template

If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation

Contact your account representative for more information

workshop@infotech.com
1-888-670-8889

Related Info-Tech Research

Build an Information Security Strategy
Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context.

The First 100 Days as CISO
Every CISO needs to follow Info-Tech’s five-step approach to truly succeed in their new position. The meaning and expectations of a CISO role will differ from organization to organization and person to person, but the approach to the new position will be relatively the same.

Implement a Security Governance and Management Program
Business and security goals should be the same. Businesses cannot operate without security, and security's goal is to enable safe business operations.

Research Contributors

• Mark Lester, Information Security Manager, South Carolina State Ports Authority
• Kyle Kennedy, CISO, CyberSN.com
• James Miller, Information Security Director, Xavier University
• Elliot Lewis, Vice President Security & Risk, Info-Tech Research Group
• Andrew Maroun, Enterprise Security Lead, State of California
• Brian Bobo, VP Enterprise Security, Schneider National
• Candy Alexander, GRC Security Consultant, Towerall Inc.
• Chad Fulgham, Chairman, PerCredo
• Ian Parker, Head of Corporate Systems Information Security Risk and Compliance, Fujitsu EMEIA
• Diane Kelly, Information Security Manager, Colorado State Judicial Branch
• Jeffrey Gardiner, CISO, Western University
• Joey LaCour, VP & Chief Security, Colonial Savings
• Karla Thomas, Director IT Global Security, Tower Automotive
• Kevin Warner, Security and Compliance Officer, Bridge Healthcare Providers
• Lisa Davis, CEO, Vicinage
• Luis Brown, Information Security & Compliance Officer, Central New Mexico Community College
• Peter Clay, CISO, Qlik
• Robert Banniza, Senior Director IT Center Security, AMSURG
• Tim Tyndall, Systems Architect, Oregon State

Bibliography

Dicker, William. "An Examination of the Role of vCISO in SMBs: An Information Security Governance Exploration." Dissertation, Georgia State University, May 2, 2021. Accessed 30 Sep. 2022.

Heidrick & Struggles. "2022 Global Chief Information Security Officer (CISO) Survey" Heidrick & Struggles International, Inc. September 6, 2022. Accessed 30 Sep. 2022.

IBM Security. "Cost of a Data Breach Report 2022" IBM. August 1, 2022. Accessed 9 Nov. 2022.

Mehta, Medha. "What Is a vCISO? Are vCISO Services Worth It?" Infosec Insights by Sectigo, June 23, 2021. Accessed Nov 22. 2022.

Milica, Lucia. “Proofpoint 2022 Voice of the CISO Report” Proofpoint. May 2022. Accessed 6 Oct. 2022.

Navisite. "The State of Cybersecurity Leadership and Readiness" Navisite. November 9, 2021. Accessed 9 Nov. 2022.

Shayo, Conrad, and Frank Lin. “An Exploration of the Evolving Reporting Organizational Structure for the Chief Information Security Officer (CISO) Function” Journal of Computer Science and Information Technology, vol. 7, no. 1, June 2019. Accessed 28 Sep. 2022.

Optimize IT Project Intake, Approval, and Prioritization

Decide which IT projects to approve and when to start them.

ANALYST PERSPECTIVE

Capacity-constrained intake is the only sustainable path forward.

"For years, the goal of project intake was to select the best projects. It makes sense and most people take it on faith without argument. But if you end up with too many projects, it’s a bad strategy. Don’t be afraid to say NO or NOT YET if you don’t have the capacity to deliver. People might give you a hard time in the near term, but you’re not helping by saying YES to things you can’t deliver."

Barry Cousins,

Senior Director, PMO Practice

Info-Tech Research Group

Our understanding of the problem

This Research Is Designed For:

• PMO Directors who have trouble with project throughput
• CIOs who want to improve IT’s responsive-ness to changing needs of the business
• CIOs who want to maximize the overall business value of IT’s project portfolio

This Research Will Help You:

• Align project intake and prioritization with resource capacity and strategic objectives
• Balance proactive and reactive demand
• Reduce portfolio waste on low-value projects
• Manage project delivery expectations and satisfaction of business stakeholders
• Get optimized project intake processes off the ground with low-cost, high-impact tools and templates

This Research Will Also Assist:

• C-suite executives and steering committee members who want to ensure IT’s successful delivery of projects with high business impact
• Project sponsors and product owners who seek visibility and transparency toward proposed projects

This Research Will Help Them:

• Ensure that high-impact projects are approved and delivered in a timely manner
• Gain clarity and visibility in IT’s project approval process
• Improve your understanding of IT’s capacity to set more realistic expectations on what gets done

Executive summary

Situation

• As a portfolio manager, you do not have the authority to decline or defer new projects – but you also lack the capacity to realistically say yes to more project work.
• Stakeholders have unrealistic expectations of what IT can deliver. Too many projects are approved, and it may be unclear why their project is delayed or in a state of suspended animation.

Complication

• The cycle of competition is making it increasingly difficult to follow a longer-term strategy during project intake, making it unproductive to approve projects for any horizon longer than one to two years.
• As project portfolios become more aligned to “transformative” projects, resourcing for smaller, department-level projects becomes increasingly opaque.

Resolution

• Establish an effective scorecard to create transparency into IT’s capacity and processes. This will help set realistic expectations for stakeholders, eliminate “squeaky wheel” prioritization, and give primacy to the highest value requests.
• Build a centralized process that funnels requests into a single intake channel to eliminate confusion and doubt for stakeholders and staff while also reducing off-the-grid initiatives.
• Clearly define a series of project approval steps, and communicate requirements for passing them.
• Developing practices that incorporate the constraint of resource capacity to cap the amount of project approvals to that which is realistic will help improve the throughput of projects through the portfolio.

Info-Tech Insight

1. Approve only the right projects… Counterbalance stakeholder needs with strategic objectives of the business and that of IT, in order to maintain the value of your project portfolio at a high level.
2. …that you have capacity to deliver. Resource capacity-informed project approval process enables you to avoid biting off more than you can chew and, over time, build a track record of fulfilling promises to deliver on projects.

Most organizations are good at approving projects, but bad at starting them – and even worse at finishing them

Establishing project intake discipline should be a top priority from a long-term strategy and near-term tactical perspective.

Most organizations approve more projects than they can finish. In fact, many approve more than they can even start, leading to an ever-growing backlog where project ideas – often good ones – are never heard from again.

The appetite to approve more runs directly counter to the shortage of resources that plagues most IT departments. This tension of wanting more from less suggests that IT departments need to be more disciplined in choosing what to take on.

Info-Tech’s data shows that most IT organizations struggle with their project backlog (Source: N=397 organizations, Info-Tech Research Group PPM Current State Scorecard, 2017).

“There is a minimal list of pending projects”

“Last year we delivered the number of projects we anticipated at the start of the year”

The concept of fiduciary duty demonstrates the need for better discipline in choosing what projects to take on

Unless someone is accountable for making the right investment of resource capacity for the right projects, project intake discipline cannot be established effectively.

What is fiduciary duty?

Officers and directors owe their corporation the duty of acting in the corporation’s best interests over their own. They may delegate the responsibility of implementing the actions, but accountability can't be delegated; that is, they have the authority to make choices and are ultimately answerable for them.

No question is more important to the organization’s bottom line. Projects directly impact the bottom line because they require investment of resource time and money for the purposes of realizing benefits. The scarcity of resources requires that choices be made by those who have the right authority.

Who approves your projects?

Historically, the answer would have been the executive layer of the organization. However, in the 1990s management largely abdicated its obligation to control resources and expenditures via “employee empowerment.”

Controls on approvals became less rigid, and accountability for choosing what to do (and not do) shifted onto the shoulders of the individual worker. This creates a current paradigm where no one is accountable for the malinvestment…

…of resources that comes from approving too many projects. Instead, it’s up to individual workers to sink or swim as they attempt to reconcile, day after day, seemingly infinite organizational demand with their finite supply of working hours.

Ad hoc project selection schemes do not work

Without active management, reconciling the imbalance between demand with available work hours is a struggle that results largely in one of these two scenarios:

“Squeaky wheel”: Projects with the most vocal stakeholders behind them are worked on first.

• IT is seen to favor certain lines of business, leading to disenfranchisement of other stakeholders.
• Everything becomes the highest priority, which reinforces IT’s image as a firefighter, rather than a business value contributor
• High-value projects without vocal support never get resourced; opportunities are missed.

“First in, first out”: Projects are approved and executed in the order they are requested.

• Urgent or important projects for the business languish in the project backlog; opportunities are missed.
• Low-value projects dominate the project portfolio.
• Stakeholders leave IT out of the loop and resort to “underground economy” for getting their needs addressed.

80% of organizations feel that their portfolios are dominated by low-value initiatives that do not deliver value to the business (Source: Cooper).

Approve the right projects that you have capacity to deliver by actively managing the intake of projects

Project intake, approval, and prioritization (collectively “project intake”) reconciles the appetite for new projects with available resource capacity and strategic goals.

Project intake is a key process of project portfolio management (PPM). The Project Management Institute (PMI) describes PPM as:

"Interrelated organizational processes by which an organization evaluates, selects, prioritizes, and allocates its limited internal resources to best accomplish organizational strategies consistent with its vision, mission, and values."

(PMI, Standard for Portfolio Management, 3rd ed.)

Triple Constraint Model of the Project Portfolio

Project Intake:

• Stakeholder Need
• Strategic Objectives
• Resource Capacity

All three components are required for the Project Portfolio

Organizations practicing PPM recognize available resource capacity as a constraint and aim to select projects – and commit the said capacity – to projects that:

1. Best satisfy the stakeholder needs that constantly change with the market
2. Best align to the strategic objectives and contribute the most to business
3. Have sufficient resource capacity available to best ensure consistent project throughput

92% vs. 74%: 92% of high-performing organizations in PPM report that projects are well aligned to strategic initiatives vs. 74% of low performers (PMI, 2015).

82% vs. 55%: 82% of high-performing organizations in PPM report that resources are effectively reallocated across projects vs. 55% of low performers (PMI, 2015)

Info-Tech’s data demonstrates that optimizing project intake can also improve business leaders’ satisfaction of IT

CEOs today perceive IT to be poorly aligned to business’ strategic goals:

43% of CEOs believe that business goals are going unsupported by IT (Source: Info-Tech’s CEO-CIO Alignment Survey (N=124)).

60% of CEOs believe that improvement is required around IT’s understanding of business goals (Source: Info-Tech’s CEO-CIO Alignment Survey (N=124)).

Business leaders today are generally dissatisfied with IT:

30% of business stakeholders are supporters of their IT departments (Source: Info-Tech’s CIO Business Vision Survey (N=21,367)).

The key to improving business satisfaction with IT is to deliver on projects that help the business achieve its strategic goals:

Source: Info-Tech’s CIO Business Vision Survey (N=21,367)

Optimized project intake not only improves the project portfolio’s alignment to business goals, but provides the most effective way to improve relationships with IT’s key stakeholders.

Benchmark your own current state with overall & industry-specific data using Info-Tech’s Diagnostic Program.

However, establishing organizational discipline for project intake, approval, and prioritization is difficult

Capacity awareness

Many IT departments struggle to realistically estimate available project capacity in a credible way. Stakeholders question the validity of your endeavor to install capacity-constrained intake process, and mistake it for unwillingness to cooperate instead.

Many moving parts

Project intake, approval, and prioritization involve the coordination of various departments. Therefore, they require a great deal of buy-in and compliance from multiple stakeholders and senior executives.

Lack of authority

Many PMOs and IT departments simply lack the ability to decline or defer new projects.

Unclear definition of value

Defining the project value is difficult because there are so many different and conflicting ways that are all valid in their own right. However, without it, it's impossible to fairly compare among projects to select what's "best."

Establishing intake discipline requires a great degree of cooperation and conformity among stakeholders that can be cultivated through strong processes.

Info-Tech’s intake, approval, and prioritization methodology systemically fits the project portfolio to its triple constraint

Info-Tech’s Methodology

Info-Tech’s methodology for optimizing project intake delivers extraordinary value, fast

In the first step of the blueprint, you will prototype a set of scorecard criteria for determining project value.

Our methodology is designed to tackle your hardest challenge first to deliver the highest-value part of the deliverable. Since the overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects, one must define how “the best projects” are determined.

In nearly all instances…a key challenge for the PPM team is reaching agreement over how projects should rank.

– Merkhofer

A Project Value Scorecard will help you:

• Evolve the discussions on project and portfolio value beyond a theoretical concept
• Enable apples-to-apples comparisons amongst many different kinds of projects

The Project Value Scorecard Development Tool is designed to help you develop the project valuation scheme iteratively. Download the pre-filled tool with content that represents a common case, and then, customize it with your data.

This blueprint provides a clear path to maximizing your chance of success in optimizing project intake

Info-Tech’s practical, tactical research is accompanied by a suite of tools and templates to accelerate your process optimization efforts.

Organizational change and stakeholder management are critical elements of optimizing project intake, approval, and prioritization processes because they require a great degree of cooperation and conformity among stakeholders, and the list of key stakeholders are long and far-reaching.

This blueprint will provide a clear path to not only optimize the processes themselves, but also for the optimization effort itself. This research is organized into three phases, each requiring a few weeks of work at your team’s own pace – or all in one week, through a workshop facilitated by Info-Tech analysts.

Set Realistic Goals for Optimizing Project Intake, Approval, and Prioritization

Tools and Templates:

• Project Value Scorecard Development Tool (.xlsx)
• PPM Assessment Report (Info-Tech Diagnostics)
• Standard Operating Procedure Template (.docx)

Build Optimized Project Intake, Approval, and Prioritization Processes

Tools and Templates:

• Project Request Forms (.docx)
• Project Classification Matrix (.xlsx)
• Benefits Commitment Form (.xlsx)
• Proposed Project Technology Assessment Tool (.xlsx)
• Business Case Templates (.docx)
• Intake and Prioritization Tool (.xlsx)

Integrate the Newly Optimized Processes into Practice

Tools and Templates:

• Process Pilot Plan Template (.docx)
• Impact Assessment and Communication Planning Tool (.xlsx)

Info-Tech’s approach to PPM is informed by industry best practices and rooted in practical insider research

Info-Tech uses PMI and ISACA frameworks for areas of this research.

PMI’s Standard for Portfolio Management, 3rd ed. is the leading industry framework, proving project portfolio management best practices and process guidelines.

COBIT 5 is the leading framework for the governance and management of enterprise IT.

In addition to industry-leading frameworks, our best-practice approach is enhanced by the insights and guidance from our analysts, industry experts, and our clients.

33,000+

Our peer network of over 33,000 happy clients proves the effectiveness of our research.

1,000+

Our team conducts 1,000+ hours of primary and secondary research to ensure that our approach is enhanced by best practices.

Deliver measurable project intake success for your organization with this blueprint

Measure the value of your effort to track your success quantitatively and demonstrate the proposed benefits, as you aim to do so with other projects through improved PPM.

Optimized project intake, approval, and prioritization processes lead to a high PPM maturity, which will improve the successful delivery and throughput of your projects, resource utilization, business alignment, and stakeholder satisfaction ((Source: BCG/PMI).

Measure your success through the following metrics:

• Reduced turnaround time between project requests and initial scoping
• Number of project proposals with articulated benefits
• Reduction in “off-the-grid” projects
• Team satisfaction and workplace engagement
• PPM stakeholder satisfaction score from business stakeholders: see Info-Tech’s PPM Customer Satisfaction Diagnostics

$44,700: In the past 12 months, Info-Tech clients have reported an average measured value of $44,700 from undertaking a guided implementation of this research.

Add your own organization-specific goals, success criteria, and metrics by following the steps in the blueprint.

Case Study: Financial Services PMO prepares annual planning process with Project Value Scorecard Development Tool

CASE STUDY

Industry: Financial Services

Source: Info-Tech Client

Challenge

PMO plays a diverse set of roles, including project management for enterprise projects (i.e. PMI’s “Directive” PMO), standards management for department-level projects (i.e. PMI’s “Supportive” PMO), process governance of strategic projects (i.e. PMI’s “Controlling” PMO), and facilitation / planning / reporting for the corporate business strategy efforts (i.e. Enterprise PMO).

To facilitate the annual planning process, the PMO needed to develop a more data-driven and objective project intake process that implicitly aligned with the corporate strategy.

Solution

Info-Tech’s Project Value Scorecard tool was incorporated into the strategic planning process.

Results

The scorecard provided a simple way to list the competing strategic initiatives, objectively score them, and re-sort the results on demand as the leadership chooses to switch between ranking by overall score, project value, ability to execute, strategic alignment, operational alignment, and feasibility.

The Project Value Scorecard provided early value with multiple options for prioritized rankings.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Optimize Project Intake, Approval, and Prioritization – project overview

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Phase 1

Set Realistic Goals for Optimizing Project Intake, Approval, and Prioritization Process

Phase 1 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Get to value early with Step 1.1 of this blueprint

Define how to determine a project’s value and set the stage for maximizing the value of your project portfolio using Info-Tech’s Project Value Scorecard Development Tool.

Where traditional models of consulting can take considerable amounts of time before delivering value to clients, Info-Tech’s methodology for optimizing project intake, approval, and prioritization process gets you to value fast.

The overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects. To achieve this goal, one must have a clear way to determine what are “the best” projects.

In the first step of this blueprint, you will pilot a multiple-criteria scorecard for determining project value that will help answer that question. Info-Tech’s Project Value Scorecard Development Tool is pre-populated with a ready-to-use, real-life example that you can leverage as a starting point for tailoring it to your organization – or adopt as is.

Introduce objectivity and clarity to your discussion of maximizing the value of your project portfolio with Info-Tech’s practical IT research that drives measurable results.

Download Info-Tech’s Project Value Scorecard Development Tool.

Step 1.1: Define the criteria with which to determine project value

This step will walk you through the following activities:

• Learn how to use the Project Value Scorecard Development Tool
• Create a first-draft version of a project value-driven prioritized list of projects

This step involves the following participants:

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• CIO (optional)

Outcomes of this step

• Understand the importance of devising a consensus criteria for project valuation.
• Try a project value scorecard-driven prioritization process with your currently proposed.
• Set the stage for optimizing project intake, approval, and prioritization processes.

Intake, Approval, and Prioritization is a core process in Info-Tech’s project portfolio management (PPM) framework

PPM is an infrastructure around projects that aims to ensure that the best projects are worked on at the right time with the right people.

PPM’s goal is to maximize the throughput of projects that provide strategic and operational value to the organization. To do this, a PPM strategy must help to:

1. Select the best projects
2. Pick the right time and people to execute the projects
3. Make sure the projects are okay
4. Make sure the projects get done
5. Make sure they were worth doing

If you don’t yet have a PPM strategy in place, or would like to revisit your existing PPM strategy before optimizing your project intake, approval, and prioritization practices, see Info-Tech’s blueprint, Develop a Project Portfolio Management Strategy.

“Too many projects, not enough resources” is the reality of most IT environments

A profound imbalance between demand (i.e. approved project work and service delivery commitments) and supply (i.e. people’s time) is the top challenge IT departments face today.

In today’s organizations, the desires of business units for new products and enhancements, and the appetites of senior leadership to approve more and more projects for those products and services, far outstrip IT’s ability to realistically deliver on everything.

The vast majority of IT departments lack the resourcing to meet project demand – especially given the fact that day-to-day operational demands frequently trump project work.

As a result, project throughput suffers – and with it, IT’s reputation within the organization.

Info-Tech Insight

Where does the time go? The portfolio manager (or equivalent) should function as the accounting department for time, showing what’s available in IT’s human resources budget for projects and providing ongoing visibility into how that budget of time is being spent.

Don’t weigh your portfolio down by starting more than you can finish

Focus on what will deliver value to the organization and what you can realistically deliver.

Most of the problems that arise during the lifecycle of a project can be traced back to issues that could have been mitigated during the initiation phase.

More than simply a means of early problem detection at the project level, optimizing your initiation processes is also the best way to ensure the success of your portfolio. With optimized intake processes you can better guarantee:

• The projects you are working on are of high value
• Your project list aligns with available resource capacity
• Stakeholder needs are addressed, but stakeholders do not determine the direction of the portfolio

80% of organizations feel their portfolios are dominated by low-value initiatives that do not deliver value to the business (Source: Cooper).

"(S)uccessful organizations select projects on the basis of desirability and their capability to deliver them, not just desirability" (Source: John Ward, Delivering Value from Information Systems and Technology Investments).

Establishing project value is the first – and difficult – step for optimizing project intake, approval, and prioritization

What is the best way to “deliver value to the organization”?

Every organization needs to explicitly define how to determine project value that will fairly represent all projects and provide a basis of comparison among them during approval and prioritization. Without it, any discussions on reducing “low-value initiatives” from the previous slide cannot yield any actionable plan.

However, defining the project value is difficult, because there are so many different and conflicting ways that are all valid in their own right and worth considering. For example:

• Strategic growth vs. operational stability
• Important work vs. urgent work
• Return on investment vs. cost containment
• Needs of a specific line of business vs. business-wide needs
• Financial vs. intangible benefits

This challenge is further complicated by the difficulty of identifying the right criteria for determining project value:

Managers fail to identify around 50% of the important criteria when making decisions (Source: Transparent Choice).

Info-Tech Insight

Sometimes it can be challenging to show the value of IT-centric, operational-type projects that maintain critical infrastructure since they don’t yield net-new benefits. Remember that benefits are only half the equation; you must also consider the costs of not undertaking the said project.

Find the right mix of criteria for project valuation with Info-Tech’s Project Value Scorecard Development Tool

Scorecard-driven approach is an easy-to-understand, time-tested solution to a multiple-criteria decision-making problem, such as project valuation.

This approach is effective for capturing benefits and costs that are not directly quantifiable in financial terms. Projects are evaluated on multiple specific questions, or criteria, that each yield a score on a point scale. The overall score is calculated as a weighted sum of the scores.

Info-Tech’s Project Value Scorecard is pre-populated with a best-practice example of eight criteria, two for each category (see box at bottom right). This example helps your effort to develop your own project scorecard by providing a solid starting point:

60%: On their own, decision makers could only identify around 6 of their 10 most important criteria for making decisions (Source: Transparent Choice).

Finally, in addition, the overall scores of approved projects can be used as a metric on which success of the process can be measured over time.

Download Info-Tech’s Project Value Scorecard Development Tool.

Categories of project valuation criteria

• Strategic alignment: projects must be aligned with the strategic goals of the business and IT.
• Operational alignment: projects must be aligned with the operational goals of the business and IT.
• Feasibility: practical considerations for projects must be taken into account in selecting projects.
• Financial: projects must realize monetary benefits, in increased revenue or decreased costs, while posing as little risk of cost overrun as possible.

Review the example criteria and score description in the Project Value Scorecard Development Tool

1.1.1 Project Value Scorecard Development Tool, Tab 2: Evaluation Criteria

This tab lists eight criteria that cover strategic alignment, operational alignment, feasibility, and financial benefits/risks. Each criteria is accompanied by a qualitative score description to standardize the analysis across all projects and analysts. While this tool supports up to 15 different criteria, it’s better to minimize the number of criteria and introduce additional ones as the organization grows in PPM maturity.

Type: It is useful to break down projects with similar overall scores by their proposed values versus ease of execution.

Scale: Five-point scale is not required for this tool. Use more or less granularity of description as appropriate for each criteria.

Blank Criteria: Rows with blank criteria are greyed out. Enter a new criteria to turn on the row.

Score projects and search for the right mix of criteria weighting using the scorecard tab

1.1.1 Project Value Scorecard Development Tool, Tab 3: Project Scorecard

In this tab, you can see how projects are prioritized when they are scored according to the criteria from the previous tab. You can enter the scores of up to 30 projects in the scorecard table (see screenshot to the right).

Value (V) or Execution (E) & Relative Weight: Change the relative weights of each criteria and review any changes to the prioritized list of projects change, whose rankings are updated automatically. This helps you iterate on the weights to find the right mix.

Feasibility: Custom criteria category labels will be automatically updated.

Overall: Choose the groupings of criteria by which you want to see the prioritized list. Available groupings are:

• Overall score
• By value or by execution
• By category

Ranks and weighted scores for each project is shown.

For example, click on the drop-down and choose “Execution.”

Project ranks are based only on execution criteria.

Create a first-draft version of a project value-driven prioritized list of projects

1.1.1 Estimated Time: 60 minutes

Follow the steps below to test Info-Tech’s example Project Value Scorecard and examine the prioritized list of projects.

1. Using your list of proposed, ongoing, and completed projects, identify a representative sample of projects in your project portfolio, varying in size, scope, and perceived value – about 10-20 of them.
2. Arrange these projects in the order of priority using any processes or prioritization paradigm currently in place in your organization.

• In the absence of formal process, use your intuition, as well as knowledge of organizational priorities, and your stakeholders.

• Avoid spending too much time at this step. Prioritization criteria will be refined in the subsequent parts of the blueprint.
• If multiple scorers are involved, allow some overlap to benchmark for consistency.

INPUT

• Knowledge of proposed, ongoing, and completed projects in your project portfolio

OUTPUT

• Prioritized project lists

Materials

• Project Value Scorecard Development Tool

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• CIO (optional)

Iterate on the scorecard to set the stage for optimizing project intake, approval, and prioritization

1.1.2 Estimated Time: 60 minutes

Conduct a retrospective of the previous activity by asking these questions:

• How smooth was the overall scoring experience (Step 3 of Activity 1.1.1)?
• Did you experience challenges in interpreting and applying the example project valuation criteria? Why? (e.g. lack of information, absence of formalized business strategic goals, too much room for interpretation in scoring description)
• Did the prioritized project list agree with your intuition?

Iterate on the project valuation criteria:

• Manipulate the relatives weights of valuation criteria to fine-tune them.
• Revise the scoring descriptions to provide clarity or customize them to better fit your organization’s needs, then update the project scores accordingly.
• For projects that did not score well, will this cause concern from any stakeholders? Are the concerns legitimate? If so, this may indicate the need for inclusion of new criteria.
• For projects that score too well, this may indicate a bias toward a specific type of project or group of stakeholders. Try adjusting the relative weights of existing criteria.

INPUT

• Activity 1.1.1

OUTPUT

• Retrospective on project valuation
• Review of project valuation criteria

Materials

• Project Value Scorecard Development Tool

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• CIO (optional)

Next steps: engage key PPM stakeholders to reach a consensus when establishing how to determine project value

Engage these key players to create the evaluation criteria that all stakeholders will support:

• Business units: Projects are undertaken to provide value to the business. Senior management from business units must help define how project will be valued.
• IT: IT must ensure that technical/practical considerations are taken into account when determining project value.
• Finance: The CFO or designated representative will ensure that estimated project costs and benefits can be used to manage the budget.
• PMO: PMO is the administrator of the project portfolio. PMO must provide coordination and support to ensure the process operates smoothly and its goals are realized.
• Business analysts: BAs carry out the evaluation of project value. Therefore, their understanding of the evaluation criteria and the process as a whole are critical to the success of the process.
• Project sponsors: Project sponsors are accountable for the realization of benefits for which projects are undertaken.

Optimize the process with the new project value definition to focus your discussion with stakeholders

This blueprint will help you not only optimize the process, but also help you work with your stakeholders to realize the benefits of the optimized process.

In this step, you’ve begun improving the definition of project value. Getting it right will require several more iterations and will require a series of discussions with your key stakeholders.

The optimized intake process built around the new definition of project value will help evolve a conceptual discussion about project value into a more practical one. The new process will paint a picture of what the future state will look like for your stakeholders’ requested projects getting approved and prioritized for execution, so that they can provide feedback that’s concrete and actionable. To help you with that process, you will be taken through a series of activities to analyze the impact of change on your stakeholders and create a communication plan in the last phase of the blueprint.

For now, in the next step of this blueprint, you will undergo a series of activities to assess your current state to identify the specific areas for process optimization.

"To find the right intersection of someone’s personal interest with the company’s interest on projects isn’t always easy. I always try to look for the basic premise that you can get everybody to agree on it and build from there… But it’s sometimes hard to make sure that things stick. You may have to go back three or four times to the core agreement."

-Eric Newcomer

Step 1.2: Envision your target state for your optimized project intake, approval, and prioritization process

This step will walk you through the following activities:

• Map your current project intake, approval, and prioritization workflow, and document it in a flowchart
• Enumerate and prioritize your key process stakeholders
• Determine your process capability level within Info-Tech’s Framework
• Establish your current and target states for project intake, approval, and prioritization process

This step involves the following participants:

• CIO
• PMO Director/Portfolio Manager
• Project Managers
• Business Analysts
• Other PPM stakeholders

Outcomes of this step

• Current project intake, approval, and prioritization process is mapped out and documented in a flowchart
• Key process stakeholders are enumerated and prioritized to inform future discussion on optimizing processes
• Current and target organizational process capability levels are determined
• Success criteria and key performance indicators for process optimization are defined

Use Info-Tech’s Diagnostic Program for an initial assessment of your current PPM processes

This step is highly recommended but not required. Call 1-888-670-8889 to inquire about or request the PPM Diagnostics.

Info-Tech's Project Portfolio Management Assessmentprovides you with a data-driven view of the current state of your portfolio, including your intake processes. Our PPM Assessment measures and communicates success in terms of Info-Tech’s best practices for PPM.

Use the diagnostic program to:

• Assess resource utilization across the portfolio.
• Determine project portfolio reporting completeness.
• Solicit feedback from your customers on the clarity of your portfolio’s business goals.
• Rate the overall quality of your project management practices and benchmark your rating over time.

Scope your process optimization efforts with Info-Tech’s high-level intake, approval, and prioritization workflow

Info-Tech recommends the following workflow at a high level for a capacity-constrained intake process that aligns to strategic goals and stakeholder need.

• Intake (Step 2.1)*
• Receive project requests
• Triage project requests and assign a liaison
• High-level scoping & set stakeholder expectations
• Approval (Step 2.2)*
• Concept approval by project sponsor
• High-level technical solution approval by IT
• Business case approval by business
• Resource allocation & greenlight projects
• Prioritization (Step 2.3)*
• Update project priority scores & available project capacity
• Identify high-scoring and “on-the-bubble” projects
• Recommend projects to greenlight or deliberate

* Steps denote the place in the blueprint where the steps are discussed in more detail.

Use this workflow as a baseline to examine your current state of the process in the next slide.

Map your current project intake, approval, and prioritization workflow

1.2.1 Estimated Time: 60-90 minutes

Conduct a table-top planning exercise to map out the processes currently in place for project intake, approval, and prioritization.

1. Use white 4”x6” recipe cards / large sticky notes to write out unique steps of a process. Use the high-level process workflow from the previous slides as a guide.
2. Arrange the steps into chronological order. Benchmark the arrangement through a group discussion.
3. Use green cards to identify artifacts or deliverables that result from a step.
4. Use yellow cards to identify who does the work (i.e. responsible parties), and who makes the decisions (i.e. accountable party). Keep in mind that while multiple parties may be responsible, accountability cannot be shared and only a single party can be accountable for a process.
5. Use red cards to identify issues, problems, or risks. These are opportunities for optimization.

INPUT

• Documentation describing the current process (e.g. standard operating procedures)
• Info-Tech’s high-level intake workflow

OUTPUT

• Current process, mapped out

Materials

• 4x6” recipe cards
• Whiteboard

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• Other PPM stakeholders

Document the current project intake, approval, and prioritization workflow in a flowchart

1.2.2 Estimated Time: 60 minutes

Document the results of the previous table-top exercise (Activity 1.1.1) into a flow chart. Flowcharts provide a bird’s-eye view of process steps that highlight the decision points and deliverables. In addition, swim lanes can be used to indicate process stages, task ownership, or responsibilities (example below).

Review and customize section 1.2, “Overall Process Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

"Flowcharts are more effective when you have to explain status and next steps to upper management."

– Assistant Director-IT Operations, Healthcare Industry

Browser-based flowchart tool examples

• draw.io (https://www.draw.io/)
• Gliffy (https://www.gliffy.com/)
• Lucidchart (https://www.lucidchart.com/)
• Smartdraw (https://cloud.smartdraw.com/

INPUT

• Mapped-out project intake process (Activity 1.2.1)

OUTPUT

• Flowchart representation of current project intake workflow

Materials

• Microsoft Visio, flowchart software, or Microsoft PowerPoint

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts

Example of a project intake, approval, and prioritization flow chart – without swim lanes

Example of a project intake, approval, and prioritization flow chart – with swim lanes

Download Info-Tech’s Project Intake Workflow Template (Visio and PDF)

Enumerate your key stakeholders for optimizing intake, approval, and prioritization process

1.2.3 30-45 minutes

In the previous activity, accountable and responsible stakeholders for each of the steps in the current intake, approval, and prioritization process were identified.

1. Based on your knowledge and insight of your organization, ensure that all key stakeholders with accountable and responsible stakeholders are accounted for in the mapped-out process. Note any omissions: it may indicate a missing step, or that the stakeholder ought to be, but are not currently, involved.
2. For each step, identify any stakeholders that are currently consulted or informed. Then, examine the whole map and identify any other stakeholders that ought to be consulted or informed.
3. Compile a list of stakeholders from steps 1-2, and write each of their names in two sticky notes.
4. Put both sets of sticky notes on a wall. Use the wisdom-of-the-crowd approach to arrange one set in a descending order of influence. Record their ranked influence from 1 (least) to 10 (most).
5. Rearrange the other set in a descending order of interest in seeing the project intake process optimized. Record their ranked interest from 1 (least) to 10 (most).

INPUT

• Mapped-out project intake process (Activity 1.2.1)
• Insight on organizational culture

OUTPUT

• List of stakeholders in project intake
• Ranked list in their influence and interest

Materials

• Sticky notes
• Walls

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• Other PPM stakeholders

Prioritize your stakeholders for project intake, approval, and prioritization process

There are three dimensions for stakeholder prioritization: influence, interest, and support.

1. Map your stakeholders in a 2D stakeholder power map (top right) according to their relative influence and interest.
2. Rate their level of support by asking the following question: how likely is it that your stakeholder would welcome an improved process for project intake?

These parameters will inform how to prioritize your stakeholders according to the stakeholder priority heatmap (bottom right). This priority should inform how to focus your attention during the subsequent optimization efforts.

Info-Tech Insight

There may be too many stakeholders to be able to achieve complete satisfaction. Focus your attention on the stakeholders that matter the most.

Most organizations have low to medium capabilities around intake, approval, and prioritization

1.2.4 Estimated Time: 15 minutes

Use Info-Tech’s Intake Capability Framework to help define your current and target states for intake, approval, and prioritization.

Refer to the subsequent slides for more detail on these capability levels.

Level 1: Unmanaged

Use these descriptions to place your organization at the appropriate level of intake capability.

Symptoms

• Poorly defined – or a complete absence of – PPM processes.
• No formal approval committee.
• No processes in place to balance proactive and reactive demands.

Long Term

PMOs at this level should work to have all requests funneled through a proper request form within six months. Decision rights for approval should be defined, and a scorecard should be in place within the year.

Quick Win

To get a handle on your backlog, start tracking all project requests using the “Project Data” tab in Info-Tech’s Project Intake and Prioritization Tool.

Level 2: Defined

Use these descriptions to place your organization at the appropriate level of intake capability.

Symptoms

• Organization does not have clear concept of project capacity.
• There is a lack of discipline enforced on stakeholders.
• Immature PPM processes in general.

Long Term

PMOs at this level should strive for greater visibility into the portfolio to help make the case for declining (or at least deferring) requests. Within the year, have a formal PPM strategy up and running.

Quick Win

Something PMOs at this level can accomplish quickly without any formal approval is to spend more time with stakeholders during the ideation phase to better define scope and requirements.

Level 3: Engaged

Use these descriptions to place your organization at the appropriate level of intake capability.

Challenges

• Senior executives’ “best judgement” is frequently fallible or influenced. Pet projects still enter the portfolio and deplete resources.
• While approval processes “occasionally” filter out some low-value projects, many still get approved.

Long Term

PMOs at this level should advocate for a more formal cadence for prioritization and, within the year, establish a formal steering committee that will be responsible for prioritizing and re-prioritizing quarterly or monthly.

Quick Win

At the PMO level, employ Info-Tech’s Project Intake and Prioritization Tool to start re-evaluating projects in the backlog. Make this data available to senior executives when prioritization occurs.

Level 4: Aligned

Use these descriptions to place your organization at the appropriate level of intake capability.

Challenges

• The process of developing business cases can be too cumbersome, distracting resources from actual project work.
• “Future” resource capacity predictions are unreliable. Reactive support work and other factors frequently change actual resource availability.

Long Term

PMOs at this level can strive for more accurate and frequent resource forecasting, establishing a more accurate picture of project vs. non-project work within the year.

Quick Win

PMOs at this level can start using Info-Tech’s Business Case Template (Comprehensive or Fast Track) to help simplify the business case process.

Level 5: Optimizing

Use these descriptions to place your organization at the appropriate level of intake capability.

Challenges

• Establishing a reliable forecast for resource capacity remains a concern at this level as well.
• Organizations at this level may experience an increasing clash between Agile practices and traditional Waterfall methodologies.

PMOs at this level should look at Info-Tech’s Manage an Agile Portfolio for comprehensive tools and guidance on maintaining greater visibility at the portfolio level into work in progress and committed work.

Establish your current and target states for process intake, approval, and prioritization

1.2.5 Estimated Time: 20 minutes

• Having reviewed the intake capability framework, you should be able to quickly identify where you currently reside in the model. Document this in the “Current State” box below.
• Next, spend some time as a group discussing your target state. Make sure to set a realistic target as well as a realistic timeframe for meeting this target. Level 1s will not be able to become Level 5s overnight and certainly not without passing through the other levels on the way.
• A realistic goal for a Level 1 to become a Level 2 is within six to eight months.

INPUT

• Intake, approval, and prioritization capability framework (Activity 1.2.4)

OUTPUT

• Current and target state, with stated time goals

Materials

• Whiteboard

Participants

• CIO
• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts

Align your intake success with the strategic expectations of overall project portfolio management

A successful project intake, approval, and prioritization process puts your leadership in a position to best steer the portfolio, like a conductor of an orchestra.

To frame the discussion on deciding what intake success will look like, review Info-Tech’s PPM strategic expectations:

• Project Throughput: Maximize throughput of the best projects.
• Portfolio Visibility: Ensure visibility of current and pending projects.
• Portfolio Responsiveness: Make the portfolio responsive to executive steering when new projects and changing priorities need rapid action.
• Resource Utilization: Minimize resource waste and optimize the alignment of skills to assignments.
• Benefits Realization: Clarify accountability for post-project benefits attainment for each project, and facilitate the process of tracking/reporting those benefits.

For a more detailed discussion and insight on PPM strategic expectations see Info-Tech’s blueprint, Develop a Project Portfolio Management Strategy.

Decide what successful project intake, approval, prioritization process will look like

1.2.6 Estimated Time: 60 minutes

While assessing your current state, it is important to discuss and determine as a team how success will be defined.

• During this process, it is important to consider tentative timelines for success milestones and to ask the question: what will success look like and when should it occur by?
• Use the below table to help document success factors and timeliness. Follow the lead of our example in row 1.

Review and customize section 1.5, “Process Success Criteria” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

Info-Tech Insight

Establish realistic short-term goals. Even with optimized intake procedures, you may not be able to eliminate underground project economies immediately. Make your initial goals realistic, leaving room for those walk-up requests that may still appear via informal channels.

Prepare to optimize project intake and capture the results in the Intake, Approval, and Prioritization SOP

Standard Operating Procedure (SOP) is the reference document to get all PPM stakeholders on the same page with the new optimized process.

The current state explored and documented in this step will serve as a starting point for each step of the next phase of the blueprint. The next phase will take a deeper dive into each of the three components of Info-Tech’s project intake methodology, so that they can achieve the success criteria you’ve defined in the previous activity.

Info-Tech’s Project Intake, Approval, and Prioritization SOP Template is intended to capture the outcome of your process optimization efforts. This blueprint guides you through numerous activities designed for your core project portfolio management team to customize each section.

To maximize the chances of success, it is important that the team makes a concerted effort to participate. Schedule a series of working sessions over the course of several weeks for your team to work through it – or get through it in one week, with onsite Info-Tech analyst-facilitated workshops.

Download Info-Tech’s Project Intake, Approval, and Prioritization SOP.

Contact your account representative or email Workshops@InfoTech.com for more information.

Case study: PMO develops mature intake and prioritization processes by slowly evolving its capability level

CASE STUDY

Industry: Not-for-Profit

Source: Info-Tech Interview

Challenge

• A PMO for a large not-for-profit benefits provider had relatively high project management maturity, but the enterprise had low PPM maturity.
• There were strong intake processes in place for following up on requests. For small projects, project managers would assist as liaisons to help control scope. For corporate initiates, PMs were assigned to work with a sponsor to define scope and write a charter.

Solution

Prioritization was a challenge. Initially, the organization had ad hoc prioritization practices, but they had developed a scoring criteria to give more formality and direction to the portfolio. However, the activity of formally prioritizing proved to be too time consuming.

Off-the-grid projects were a common problem, with initiatives consuming resources with no portfolio oversight.

Results

After trying “heavy” prioritization, the PMO loosened up the process. PMO staff now go through and quickly rank projects, with two senior managers making the final decisions. They re-prioritize quarterly to have discussions around resource availability and to make sure stakeholders are in tune to what IT is doing on a daily basis. IT has a monthly meeting to go over projects consuming resources and to catch anything that has fallen between the cracks.

"Everything isn't a number one, which is what we were dealing with initially. We went through a formal prioritization period, where we painstakingly scored everything. Now we have evolved: a couple of senior managers have stepped up to make decisions, which was a natural evolution from us being able to assign a formal ranking. Now we are able to prioritize more easily and effectively without having to painstakingly score everything."

– PMO Director, Benefits Provider

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with our Info-Tech analysts:

• To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
• Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
• Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

1.1.1-2

Pilot Info-Tech’s Project Value Scorecard-driven prioritization method

Use Info-Tech’s example to prioritize your current project backlog to pilot a project value-driven prioritization, which will be used to guide the entire optimization process.

1.2.1-3

Map out and document current project intake, approval, and prioritization process, and the involved key stakeholders

A table-top planning exercise helps you visualize the current process in place and identify opportunities for optimization.

Phase 2

Build an Optimized Project Intake, Approval, and Prioritization Process

Phase 2 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Step 2.1: Streamline intake to manage stakeholder expectations

This step will walk you through the following activities:

• Perform a deeper retrospective on current project intake process
• Optimize your process to receive project requests
• Revisit the definition of a project for triaging requests
• Optimize your process to triage project requests
• Optimize your process to follow up on project requests

This step involves the following participants:

• PMO Director / Portfolio Manager
• Project Managers
• Business Analysts
• PMO Administrative Staff

Outcomes of this Step

• Retrospective of the current project intake process: to continue doing, to start doing, and to stop doing
• A streamlined, single-funnel intake channel with the right procedural friction to receive project requests
• A refined definition of what constitutes a project, and project levels that will determine the necessary standard of rigor with which project requests should be scoped and developed into a proposal throughout the process
• An optimized process for triaging and following up on project requests to prepare them for the steps of project approval
• Documentation of the optimized process in the SOP document

Understand the risks of poor intake practices

Too much red tape could result in your portfolio falling victim to underground economies. Too little intake formality could lead to the Wild West.

Off-the-grid projects, i.e. projects that circumvent formal intake processes, lead to underground economies that can deplete resource capacity and hijack your portfolio.

These underground economies are typically the result of too much intake red tape. When the request process is made too complex or cumbersome, project sponsors may unsurprisingly seek alternative means to get their projects done.

While the most obvious line of defence against the appearance of underground economies is an easy-to-use and access request form, one must be cautious. Too little intake formality could lead to a Wild West of project intake where everyone gets their initiatives approved regardless of their business merit and feasibility.

Info-Tech Insight

Intake is intimately bound to stakeholder management. Finding the right balance of friction for your team is the key to successfully walking the line between asking for too much and not asking for enough. If your intake process is strong, stakeholders will no longer have any reason to circumvent formal process.

An excess number of intake channels is the telltale sign of a low capability level for intake

Excess intake channels are also a symptom of a portfolio in turmoil.

If you relate to the graphic below in any way, your first priority needs to be limiting the means by which projects get requested. A single, centralized channel with review and approval done in batches is the goal. Otherwise, with IT’s limited capacity, most requests will simply get added to the backlog.

Info-Tech Insight

The PMO needs to have the authority – and needs to exercise the authority – to enforce discipline on stakeholders. Organizations that solicit in verbal requests (by phone, in person, or during scrum) lack the orderliness required for PPM success. In these cases, it needs to be the mission of the PMO to demand proper documentation and accountability from stakeholders before proceeding with requests.

"The golden rule for the project documentation is that if anything during the project life cycle is not documented, it is the same as if it does not exist or never happened…since management or clients will never remember their undocumented requests or their consent to do something."

– Dan Epstein, “Project Initiation Process: Part Two”

Develop an intake workflow

Info-Tech recommends following a four-step process for managing intake.

1. Requestor fills out form and submits the request.

Project Request Form Templates

2. Requests are triaged into the proper queue.

1. Divert non-project request
2. Quickly assess value and urgency
3. Assign specialist to follow up on request
4. Inform the requestor

Project Intake Classification Matrix

3. BA or PM prepares to develop requests into a project proposal.

1. Follow up with requestor and SMEs to refine project scope, benefits, and risks
2. Estimate size of project and determine the required level of detail for proposal
3. Prepare for concept approval

Benefits Commitment Form Template

4. Requestor is given realistic expectations for approval process.

Perform a start-stop-continue exercise to help determine what is working and what is not working

2.1.1 Estimated Time: 45 minutes

Optimizing project intake may not require a complete overhaul of your existing processes. You may only need to tweak certain templates or policies. Perhaps you started out with a strong process and simply lost resolve over time – in which case you will need to focus on establishing motivation and discipline, rather than rework your entire process.

Perform a start-stop-continue exercise with your team to help determine what should be salvaged, what should be abandoned, and what should be introduced:

INPUT

• Current project intake workflow (Activity 1.2.2)
• Project intake success criteria (Activity 1.2.6)

OUTPUT

• Retrospective review of current intake process

Materials

• Whiteboard
• Sticky notes/markers

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• PMO Admin Staff

Streamline project requests into a single funnel

It is important to identify all of the ways through which projects currently get requested and initiated, especially if you have various streams of intake competing with each other for resources and a place in the portfolio. Directing multiple channels into a single, centralized funnel is step number one in optimizing intake.

To help you identify project sources within your organization, we’ve broken project requests into three archetypes: the good, the bad, and the ugly.

1. The Good – Proper Requests: written formal requests that come in through one appropriate channel.

The Bad – Walk-Ups: requests that do not follow the appropriate intake channel(s), but nevertheless make an effort to get into the proper queue. The most common instance of this is a portfolio manager or CIO filling out the proper project request form on behalf of, and under direction from, a senior executive.

The Ugly – Guerilla Tactics: initiatives that make their way into the portfolio through informal methods or that consume portfolio resources without formal approval, authority, or oversight. This typically involves a key resource getting ambushed to work on a stakeholder’s “side project” without any formal approval from, or knowledge of, the PMO.

Funnel requests through a single portal to streamline intake

Decide how you would funnel project requests on a single portal for submitting project requests. Determining the right portal for your organization will depend on your current infrastructure options, as well as your current and target state capability levels.

Below are examples of a platform for your project request portal.

Increasing intake capability and infrastructure availability

Introduce the right amount of friction into your intake process

The key to an effective intake process is determining the right amount of friction to include for your organization. In this context, friction comes from the level of granularity within your project request form and the demands or level of accountability your intake processes place on requestors. You will want to have more or less friction on your intake form, depending on your current intake pain points.

If you are inundated with a high volume of requests:

• Make your intake form more detailed to deter “half-baked” requests.
• Have more managerial oversight into the process. Require approval for each request.

If you want to encourage the use of a formal channel:

• Make your intake form more concise and lightweight.
• Have less managerial oversight into the process. Inform managers of each request rather than requiring approval.

Download Info-Tech’s Detailed Project Request Form.

Download Info-Tech’s Light Project Request Form.

Info-Tech Insight

Optimizing a process should not automatically mean reducing friction. Blindly reducing friction could generate a tidal wave of poorly thought-out requests, which only drives up unrealistic expectations. Mitigate the risk of unrealistic stakeholder expectations by carefully managing the message: optimize friction.

Document your process to receive project requests

2.1.2 Estimated Time: 30-60 minutes

Review and customize section 2.2, “Receive project requests” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

The goal of optimizing this process is to consolidate multiple intake channels into a single funnel with the right amount of friction to improve visibility and manageability of incoming project requests.

The important decisions to document for this step include:

1. What data will be collected, and from whom? For example, Info-Tech’s Light Project Request Form Template will be used to collect project requests from everyone.
2. How will requests be collected, and from where? For example, the template will be available as a fillable form on a SharePoint site.
3. Who will be informed of the requests? For example, the PMO Director and the BA team will be notified with a hyperlink to the completed request form.
4. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

INPUT

• Retrospective of current process (Activity 2.1.1)

OUTPUT

• Customized Project Request Form
• Method of implementation

Materials

• Project Request Form Templates

Participants

• PMO Director/ Portfolio Manager
• Business Analysts

Info-Tech Best Practice

Whatever method of request collection you choose, ensure there is no doubt about how requesters can access the intake form.

Establish a triage process to improve portfolio success

Once a request has been submitted, it will need to be triaged. Triage begins as soon as the request is received. The end goal of the triage process is to set appropriate expectations for stakeholders and to ensure that all requests going forward for approval are valid requests.

PPM Triage Process

1. Divert non-project requests by validating that what is described on the request form qualifies as a “project.” Make sure requests are in the appropriate queue – for example, service desk request queue, change and release management queue, etc.
2. Quickly assess value and urgency to determine whether the request requires fast-tracking or any other special consideration.
3. Assign a specialist to follow up on the request. Match the request to the most suitable BA, PM, or equivalent. This person will become the Request Liaison (“RL”) for the request and will work with the requestor to define preliminary requirements.
4. Inform the requestor that the request has been received and provide clear direction on what will happen with the request next, such as who will follow up on it and when. See the next slide for some examples of this follow-up.

The PMO Triage Team

• Portfolio Manager, or equivalent
• Request Liaisons (business analysts, project managers, or equivalent)

“Request Liaison” Role

The BAs and PMs who follow up on requests play an especially important role in the triage process. They serve as the main point of contact to the requestor as the request evolves into a business case. In this capacity they perform a valuable stakeholder management function, helping to increase confidence and enhance trust in IT.

To properly triage project requests, define exactly what a project is

Bring color to the grey area that can exist in IT between those initiatives that fall somewhere in between “clearly a service ticket” and “clearly a project.”

What constitutes a project?

Another way of asking this question that gets more to the point for this blueprint – for what types of initiatives is project intake, approval, and prioritization rigor required?

This is especially true in IT where, for some smaller initiatives, there can be uncertainty in many organizations during the intake and initiation phase about what should be included on the formal project list and what should go to help desk’s queue.

As the definitions in the table below show, formal project management frameworks each have similar definitions of “a project.”

For each, a project is a temporary endeavor planned around producing a specific organizational/business outcome. The challenge of those small initiatives in IT is knowing when those endeavors require a business case, formal resource tracking, and project management rigor, and when they don’t.

Separating small projects from non-projects requires a consideration of approval rights

While conventional wisdom says to base your project definition on an estimation of cost, risk, etc., you also need to ask, “does this initiative require formal approval?”

In the next step, we will define a suggested minimum threshold for a small “level 1” project. While these level thresholds are good and necessary for a number of reasons – including triaging your project requests – you may still often need to exercise some critical judgment in separating the tickets from the projects. In addition to the level criteria that we will develop in this step, use the checklist below to help with your differentiating.

Info-Tech Insight

Guard the value of the portfolio. Because tickets carry with them an implicit approval, you need to be wary at the portfolio level of those that might possess a larger scope than their status of ticket implies. Sponsors that, for whatever reason, resist the formal intake process may use the ticketing process to sneak projects in through the backdoor. When assessing tickets and small projects at the portfolio level, you need to ask: is it possible that someone at an executive level might want to get updates on this because of its duration, scope, risk, cost, etc.? Could someone at the management level get upset that the initiative came in as a ticket and is burning up time and driving costs without any visibility?

Sample Project/Non-Project Separation Criteria

"If you worked for the help desk, over time you would begin to master your job since there is a certain rhythm and pattern to the work…On the other hand, projects are unique. This characteristic makes them hard to estimate and hard to manage. Even if the project is similar to one you have done before, new events and circumstances will occur. Each project typically holds its own challenges and opportunities"

– Jeffrey and Thomas Mochal

Define the minimum-threshold criteria for small projects

2.1.3 Estimated Time: 30 minutes

Follow the steps below to define the specifics of a “level 1” project for your organization.

1. Using your project list and/or ticketing system, identify a handful of small projects, large service desk tickets, and especially those items that fall somewhere in the grey area in between (anywhere between 10 to 20 of each). Then, determine the organizationally appropriate considerations for defining your project levels. Options include:

• Duration
• Budget/Cost
• Technology requirements
• Customer involvement
• Integration
• Organizational impact
• Complexity
• Number of cross-functional workgroups and teams involved

INPUT

• Data concerning small projects and service desk tickets, including size, duration, etc.

OUTPUT

• Clarity around how to define your level 1 projects

Materials

• Whiteboard

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts

Remove room for stakeholder doubt and confusion by informing requests forward in a timely manner

During triaging, requestors should be notified as quickly as possible (a) that their request has been received and (b) what to expect next for the request. Make this forum as productive and informative as possible, providing clear direction and structure for the future of the request. Be sure to include the following:

• A request ID or ticket number.
• Some direction on who will be following up on the request –provide an individual’s name when possible.
• An estimated timeframe of when they can expect to hear from the individual following up.

The logistic of this follow-up will depend on a number of different factors.

• The number of requests you receive.
• Your ability to automate the responses.
• The amount of detail you would like to, or need to, provide stakeholders with.

Info-Tech Best Practice

Assign an official request number or project ID to all requests during this initial response. An official request number anchors the request to a specific and traceable dataset that will accompany the project throughout its lifecycle.

Sample “request received” emails

If you receive a high volume of requests or need a quick win for improving stakeholder relations:

Sample #1: Less detailed, automatic response

Hello Emma,

Thank you. Your project request has been received. Requests are reviewed and assigned every Monday. A business analyst will follow up with you in the next 5-10 business days. Should you have any questions in the meantime, please reply to this email.

Best regards,

Information Technology Services

If stakeholder management is a priority, and you want to emphasize the customer-facing focus:

Sample #2: More detailed, tailored response

Hi Darren,

Your project request has been received and reviewed. Your project ID number is #556. Business analyst Alpertti Attar has been assigned to follow up on your request. You can expect to hear from him in the next 5-10 business days to set up a meeting for preliminary requirements gathering.

If you have any questions in the meantime, please contact Alpertti at aattar@projectco.com. Please include the Project ID provided in this email in all future correspondences regarding this request.

Thank you for your request. We look forward to helping you bring this initiative to fruition.

Sincerely,

Jim Fraser

PMO Director, Information Technology Services

Info-Tech Insight

A simple request response will go a long way in terms of stakeholder management. It will not only help assure stakeholders that their requests are in progress but the request confirmation will also help to set expectations and take some of the mystery out of IT’s processes.

Document your process to triage project requests

2.1.4 Estimated Time: 30-60 minutes

Review and customize section 2.3, “Triage project requests” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

The goal of optimizing this process is to divert non-project requests and set an appropriate initial set of stakeholder expectations for next steps. The important decisions to document for this step include:

1. What defines a project? Record the outcomes of Activities 2.1.3 into the SOP.
2. Who triages the requests and assign request liaisons? Who are they? For example, a lead BA can assign a set roster of BAs to project requests.
3. What are the steps to follow for sending the initial response? See the previous slides on automated responses vs. detailed, tailored responses.
4. How will you account for the consumption of resource capacity? For example, impose a maximum of four hours per week per analyst, and track the hours worked for each request to establish a pattern for capacity consumption.
5. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

INPUT

• Results of activity 2.1.3

OUTPUT

• SOP for triaging project requests

Materials

• SOP Template

Participants

• PMO Director/ Portfolio Manager
• Business Analysts

Info-Tech Best Practice

Whatever method of request collection you choose, ensure there is no doubt about how requesters can access the intake form.

Follow up on requests to define project scope and set realistic expectations

The purpose of this follow-up is to foster communication among the requestor, IT, and the sponsor to scope the project at a high level. The follow-up should:

• Clarify the goals and value of the request.
• Begin to manage expectations based on initial assessment of feasibility.
• Ensure the right information is available for evaluating project proposals downstream. Every project should have the below key pieces of scope defined before any further commitments are made.

Focus on Defining Key Pieces of Scope

• Budget (funding, source)
• Business outcome
• Completion criteria
• Timeframes (start date and duration)
• Milestones/deliverables

Structure the Follow-Up Process to Enhance Alignment Between IT and the Business

Once a Request Liaison (RL) has been assigned to a request, it is their responsibility to schedule time (if necessary) with the requestor to perform a scoping exercise that will help define preliminary requirements. Ideally, this follow-up should occur no later than a week of the initial request.

Structure the follow-up for each request based on your preliminary estimates of project size (next slide). Use the “Key Pieces of Scope” to the left as a guide.

It may also be helpful for RLs and stakeholders to work together to produce a rough diagram or mock-up of the final deliverable. This will ensure that the stakeholder’s idea has been properly communicated, and it could also help refine or broaden this idea based on IT’s capabilities.

After the scoping exercise, it is the RL’s responsibility to inform the requestor of next steps.

Info-Tech Insight

More time spent with stakeholders defining high-level requirements during the ideation phase is key to project success. It will not only improve the throughput of projects, but it will enhance the transparency of IT’s capacity and enable IT to more effectively support business processes.

Perform a preliminary estimation of project size

Project estimation is a common pain point felt by many organizations. At this stage, a range-of-magnitude (ROM) estimate is sufficient for the purposes of sizing the effort required for developing project proposals with appropriate detail.

A way to structure ROM estimates is to define a set of standard project levels. It will help you estimate 80% of projects with sufficient accuracy over time with little effort. The remaining 20% of projects that don’t meet their standard target dates can be managed as exceptions.

The increased consistency of most projects will enable you to focus more on managing the exceptions.

Example of standard project sizes:

* Target completion date is simply that – a target, not a service level agreement (SLA). Some exceptions will far exceed the target date, e.g. projects that depend heavily on external or uncontrollable factors.

Info-Tech Best Practice

Project levelling is useful for right-sizing many downstream processes; it sets appropriate levels of detail and scrutiny expected for project approval and prioritization steps, as well as the appropriate extent of requirements gathering, project management, and reporting requirements afterwards.

Set your thresholds for level 2 and level 3 projects

2.1.5 Estimated Time: 30 minutes

Now that the minimum threshold for your smallest projects has been identified, it’s time to identify the maximum threshold in order to better apply project intake, approval, and prioritization rigor where it’s needed.

1. Looking at your project list (e.g. Activity 1.1.1, or your current project backlog), isolate the medium and large projects. Examine the two categories in turn.
2. Start with the medium projects. Using the criteria identified in Activity 2.1.3, identify where your level one category ends.

• What are the commonly recurring thresholds that distinguish medium-sized projects from smaller initiatives?
• Are there any criteria that would need to take on a greater importance when making the distinction? For instance, will cost or duration take on a greater weighting when determining level thresholds?
• Once you have reached consensus, record these in the table on the next slide.

• What are the commonly recurring thresholds that distinguish large and extra-large projects from medium-sized initiatives?
• Once you have reached consensus, records these in the table on the next slide.

INPUT

• Leveling criteria from Activity 2.1.3
• Project backlog, or list of projects from Activity 1.1.1

OUTPUT

• Clarity around how to define your level two and three projects

Materials

• Whiteboard
• The project level table on the next slide

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• PMO Admin Staff

Sample Project Levels Table

Apply a computation decision-making method for project levelling

2.1.5 Project Intake Classification Matrix

Capture the project levels in Info-Tech’s Project Intake Classification Matrix Tool to benchmark your levelling criteria and to determine project levels for proposed projects.

Download Info-Tech’s Project Intake Classification Matrix tool.

1. Pick a category to define project levels.
2. Enter the descriptions for each project level.
3. Assign a relative weight for each category.

4. Enter a project name.
5. Choose the description that best fits the project. If unknown, leave it blank.
6. Suggested project levels are displayed.

Get tentative buy-in and support from an executive sponsor for project requests

In most organizations a project requires sponsorship from the executive layer, especially for strategic initiatives. The executive sponsor provides several vital factors for projects:

• Funding and resources
• Direct support and oversight of the project leadership
• Accountability, acting as the ultimate decision maker for the project
• Ownership of, and commitment to, project benefits

Sometimes a project request may be made directly by a sponsor; in other times, the Request Liaison may need to connect the project request to a project sponsor.

In either case, project request has a tentative buy-in and support of an executive sponsor before a project request is developed into a proposal and examined for approval – the subject of this blueprint’s next step.

PMs and Sponsors: The Disconnect

A study in project sponsorship revealed a large gap between the perception of the project managers and the perception of sponsors relative to the sponsor capability. The widest gaps appear in the areas of:

• Motivation: 34% of PMs say sponsors frequently motivate the team, compared to 82% of executive sponsors who say they do so.
• Active listening: 42% of PMs say that sponsors frequently listen actively, compared to 88% of executive sponsors who say they do so.
• Effective communication: 47% of PMs say sponsors communicate effectively and frequently, compared to 92% of executive sponsors who say they do so.
• Managing change: 37% of PMs say sponsors manage change, compared to 82% of executive sponsors who say they do so.

Source: Boston Consulting Group/PMI, 2014

Actively engaged executive sponsors continue to be the top driver of whether projects meet their original goals and business intent.

– PMI Pulse of the Profession, 2017

76% of respondents [organizations] agree that the role of the executive sponsor has grown in importance over the past five years.

– Boston Consulting Group/PMI, 2014

Document your process to follow up on project requests

2.1.6 45 minutes

Review and customize section 2.4, “Follow up on project requests” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

The goal of optimizing this process is to initiate communication among the requestor, IT, and the sponsor to scope the project requests at a high level. The important decisions to document for this step include:

1. How will you perform a scoping exercise with the requestor? Leverage existing organizational processes (e.g. high-level requirements gathering). Look to the previous slides for suggested outcomes of the exercise.
2. How will you determine project levels? Record the outcomes of activities 2.1.5 into the SOP.
3. How will the RL follow up on the scoped project request with a project sponsor? For example, project requests scoped at a high level will be presented to senior leadership whose lines of business are affected by the proposed project to gauge their initial interest.
4. How will you account for the consumption of resource capacity? For example, impose a maximum of 8 hours per week per analyst, and track the hours worked for each request to establish a pattern for capacity consumption.
5. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

INPUT

• Activity 2.1.5
• Existing processes for scoping exercises

OUTPUT

• SOP for following up on project requests

Materials

• SOP Template

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• PMO Admin Staff

Examine the new project intake workflow as a whole and document it in a flow chart

2.1.7 Estimated Time: 30-60 minutes

Review and customize section 2.1, “Project Intake Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

In Step 1.2 of the blueprint, you mapped out the current project intake, approval, and prioritization workflow and documented it in a flow chart. In this step, take the time to examine the new project intake process as a whole, and document the new workflow in the form of a flow chart.

1. Requestor fills out form and submits the request.
2. Requests are triaged into the proper queue.
3. BA or PM prepares to develop requests into a project proposal.
4. Requestor is given realistic expectations for approval process.

Consider the following points:

1. Are the inputs and outputs of each step clear? Who’s doing the work? How long will each step take, on average?
2. Is the ownership of each step clear? How will we ensure a smooth handoff between each step and prevent requests from falling through the cracks?

INPUT

• New process steps for project intake (Activities 2.1.2-6)

OUTPUT

• Flowchart representation of new project intake workflow

Materials

• Microsoft Visio, flowchart software, or Microsoft PowerPoint

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• PMO Admin Staff

Case study: Portfolio manager achieves intake and project success through detailed request follow-up

Case Study

Industry: Municipal Government

Source: Info-Tech Client

Challenge

• There is an IT department with a relatively high level of project management maturity.
• They have approximately 30 projects on the go, ranging from small to large.
• To help with intake, IT assembled a project initiation team. It was made up of managers from throughout the county. This group “owned the talent” and met once a month to assess requests. As a group, they were able to assemble project teams quickly.

Solution

• Project initiation processes kept failing. A lot of time was spent within IT getting estimations precise, only to have sponsors reject business cases because they did not align with what those sponsors had in mind.
• Off-the-grid projects were a challenge. Directors did not follow intake process and IT talent was torn in multiple directions. There was nothing in place for protecting the talent and enforcing processes on stakeholders.

Results

• IT dedicated a group of PMs and BAs to follow up on requests.
• Working with stakeholders, this group collects specific pieces of information that allows IT to get to work on requests faster. Through this process, requests reach the charter stage more quickly and with greater success.
• An intake ticketing system was established to protect IT talent. Workers are now better equipped to redirect stakeholders through to the proper channels.

Step 2.2: Set up steps of project approval to maximize strategic alignment while right-sizing the required effort

This step will walk you through the following activities:

• Perform a deeper retrospective on current project approval process
• Define the approval steps, their accountabilities, and the corresponding terminologies for approval
• Right-size effort and documentation required for each project level through the approval steps

This step involves the following participants:

• PMO Director / Portfolio Manager
• Project Managers
• Business Analysts
• PMO Administrative Staff

Outcomes of this step

• Retrospective of the current project intake process: to continue doing, to start doing, and to stop doing
• A series of approval steps are defined, in which their accountabilities, responsibilities, and the nomenclature for what is approved at each steps are clarified and documented
• A toolbox of deliverables for proposed projects that captures key information developed to inform project approval decisions at each step of the approval process, and the organizational standard for what to use for which project level
• Documentation of the optimized process in the SOP document

Set up an incremental series of approval stage-gates to tackle common challenges in project approval

This section will help you address key challenges IT leaders face around project approval.

Develop a project approval workflow

Clearly define a series of approval steps, and communicate requirements for passing them. “Approval” can be a dangerous word in project and portfolio management, so it is important to clarify what is required to pass each step, and how long the process will take.

Identify the decision-making paradigm at each step

In general, there are three different, mutually exclusive decision-making paradigms for approving projects:

Info-Tech Insight

The individual or party who has the authority to make choices, and who is ultimately answerable for those decisions, is said to be accountable. Understanding the needs of the accountable party is critical to the success of the project approval process optimization efforts.

Perform a start-stop-continue exercise to help determine what is working and what is not working

2.2.1 Estimated Time: 45 minutes

Optimizing project approval may not require a complete overhaul of your existing processes. You may only need to tweak certain templates or policies. Perhaps you started out with a strong process and simply lost resolve over time – in which case you will need to focus on establishing motivation and discipline, rather than rework your entire process.

Perform a start-stop-continue exercise with your team to help determine what should be salvaged, what should be abandoned, and what should be introduced:

INPUT

• Current project approval workflow (Activity 1.2.2)
• Project approval success criteria (Activity 1.2.6)

OUTPUT

• Retrospective review of current approval process

Materials

• Whiteboard
• Sticky notes/markers

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• PMO Admin Staff

Customize the approval steps and describe them at a high level

2.2.2 Estimated Time: 30-60 minutes

Review and customize section 3.2, “Project Approval Steps” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

The goal of this activity is to customize the definition of the approval steps for your organization, so that it makes sense for the existing organizational governance structure, culture, and need. Use the results of the start-stop-continue to inform what to customize. Consider the following factors:

1. Order of steps: given the current decision-making paradigm, does it make sense to reorder the steps?
2. Dispositions at each step: what are the possible dispositions, and who is accountable for making the dispositions?
3. Project levels: do all projects require three-step approval before they’re up for prioritization? For example, IT steering committee may wish to be involved only for Level 3 projects and Level 2 projects with significant business impact, and not for Level 1 projects and IT-centric Level 2 projects.
4. Accountability at each step: who makes the decisions?
5. Who will handle exceptions? Aim to prevent the new process from being circumvented by vocal stakeholders, but also allow for very urgent requests. A quick win to strike this balance is to clarify who will exercise this discretion.

INPUT

• Retrospective of current process (Activity 2.2.1)
• Project level definition
• Approval steps in the previous slide

OUTPUT

• Customized project approval steps for each project level

Materials

• Whiteboard

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• PMO Admin Staff

Specify what “approval” really means to manage expectations for what project work can be done and when

2.2.3 Estimated Time: 15 minutes

Review and customize section 3.2, “Project Approval Steps” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

In the old reality, projects were approved and never heard back from again, which effectively gave your stakeholders a blanket default expectation of “declined.” With the new approval process, manage your stakeholder expectations more explicitly by refining your vocabulary around approval.

Within this, decision makers should view their role in approval as approving that which can and should be done. When a project is approved and slated to backlog, the intention should be to allocate resources to it within the current intake cycle.

Customize the table to the right with organizationally appropriate definitions, and update your SOP.

Info-Tech Insight

Refine the nomenclature. Add context to “approved” and “declined.” Speak in terms of “not now” or “you can have it when these conditions are met.” With clear expectations of the resources required to support each request, you can place accountability for keeping the request alive back on the sponsors.

Continuously work out a balance between disciplined decision making and “analysis paralysis"

Info-Tech Insight

Estimates that form the basis of business cases are often based on flawed assumptions. Use early project phases or sprints to build working prototypes to test the assumptions on which business cases are built, rather than investing time improving precision of estimates without improving accuracy.

Right-size project approval process with Info-Tech’s toolbox of deliverables

Don’t paint every project with the same brush. Choose the right set of information needed for each project level to maximize the throughput of project approval process.

The next several slides will take you through a series of tools and templates that help guide the production of deliverables. Each deliverable wireframes the required analysis of the proposed project for one step of the approval process, and captures that information in a document. This breaks down the overall work for proposal development into digestible chunks.

As previously discussed, aim to right-size the approval process rigor for project levels. Not all project levels may call for all steps of approval, or the extent of required analysis within an approval step may differ. This section will conclude by customizing the requirement for deliverables for each project level.

Tools and Templates for the Project Approval Toolbox

• Benefits Commitment Form Template (.xlsx) Document the project sponsor’s buy-in and commitment to proposed benefits in a lightweight fashion.
• Proposed Technology Assessment Tool (.xlsx) Determine the proposed project’s readiness for adoption from a technological perspective.
• Business Case Templates (.docx) Guide the analysis process for the overall project proposal development in varying levels of detail.

Use Info-Tech’s lightweight Benefits Commitment Form Template to document the sponsor buy-in and support

2.2.4 Benefits Commitment Form Template

Project sponsors are accountable for the realization of project benefits. Therefore, for a project to be approved by a project sponsor, they must buy-in and commit to the proposed benefits.

Defining project benefits and obtaining project sponsor commitment has been demonstrated to improve the project outcome by providing the focal point of the project up-front. This will help reduce wasted efforts to develop parts of the proposals that are not ultimately needed.

Download Info-Tech’s Benefits Commitment Form Template.

Contents of a Benefits Commitment Form

• One-sentence highlight of benefits and risks
• Primary benefit, hard (quantitative) and soft (qualitative)
• Proposed measurements for metrics
• Responsible and accountable parties for benefits

For further discussion on benefits realization, use Info-Tech’s blueprint, Establish the Benefits Realization Process.

Use Info-Tech’s Proposed Project Technology Assessment Tool to analyze a technology’s readiness for adoption

2.2.4 Proposed Project Technology Assessment Tool

In some projects, there needs to be an initial idea of what the project might look like. Develop a high-level solution for projects that:

• Are very different from previous projects.
• Are fairly complex, or not business as usual.
• Require adoption of new technology or skill set.

IT should advise and provide subject matter expertise on the technology requirements to those that ultimately approve the proposed projects, so that they can take into account additional costs or risks that may be borne from it.

Info-Tech’s Proposed Project Technology Assessment Tool has a series of questions to address eight categories of considerations to determine the project’s technological readiness for adoption. Use this tool to ensure that you cover all the bases, and help you devise alternate solutions if necessary – which will factor into the overall business case development.

Download Info-Tech’s Proposed Project Technology Assessment Tool.

Enable project valuation beyond financial metrics with Info-Tech’s Business Case Templates

2.2.4 Business Case Template (Comprehensive and Fast Track)

Traditionally, a business case is centered around financial metrics. While monetary benefits and costs are matters of bottom line and important, financial metrics are only part of a project’s value. As the project approval decisions must be based on the holistic comparison of project value, the business case document must capture all the necessary – and only those that are necessary – information to enable it.

However, completeness of information does not always require comprehensiveness. Allow for flexibility to speed up the process of developing business plan by making a “fast-track” business case template available. This enables the application of the project valuation criteria with all other projects, with right-sized effort.

Alarming business case statistics

• Only one-third of companies always prepare a business case for new projects.
• Nearly 45% of project managers admit they are unclear on the business objectives of their IT projects.

(Source: Wrike)

Download Info-Tech’s Comprehensive Business Case Template.

Download Info-Tech’s Fast Track Business Case Template.

Info-Tech Insight

Pass on that which is known. Valuable information about projects is lost due to a disconnect between project intake and project initiation, as project managers are typically not brought on board until project is actually approved. This will be discussed more in Phase 3 of this blueprint.

Document the right-sized effort and documentation required for each project level

2.2.4 Estimated Time:60-90 minutes

Review and customize section 3.3, “Project Proposal Deliverables” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

The goal of this activity is to customize the requirements for project proposal deliverables, so that it properly informs each of the approval steps discussed in the previous activity. The deliverables will also shape the work effort required for projects of various levels. Consider the following factors:

1. Project levels: what deliverables should be required, recommended, or suggested for each of the project levels? How will exceptions be handled, and who will be accountable?
2. Existing project proposal documents: what existing proposal documents, tools and templates can we leverage for the newly optimized approval steps?
3. Skills availability: do these tools and templates represent a significant departure from the current state? If so, is there capacity (time and skill) to achieve the desired target state?
4. How will you account for the consumption of resource capacity? Do a rough order of estimate for the resource capacity consumed the new deliverable standard.
5. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

INPUT

• Process steps (Activity 2.2.2)
• Current approval workflow(Activity 1.2.1)
• Artifacts introduced in the previous slides

OUTPUT

• Requirement for artifacts and effort for each approval step

Materials

• Whiteboard

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• PMO Admin Staff

Examine the new project approval workflow as a whole and document it in a flow chart

2.2.5 Estimated Time: 30-60 minutes

Review and customize section 3.1, “Project Approval Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

In Step 1.2 of the blueprint, you mapped out the current project intake, approval, and prioritization workflow and documented it in a flow chart. In this step, take the time to examine the new project intake process as a whole, and document the new workflow in the form of a flow chart.

Consider the following points:

1. Are the inputs and outputs of each step clear? Who’s doing the work? How long will each step take, on average?
2. Is the ownership of each step clear? How will we ensure a smooth hand-off between each step and prevent requests from falling through the cracks?

INPUT

• New process steps for project approval (Activities 2.2.2-4)

OUTPUT

• Flowchart representation of new project approval workflow

Materials

• Microsoft Visio, flowchart software, or Microsoft PowerPoint

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Business Analysts
• PMO Admin Staff

Step 2.3: Prioritize projects to maximize the value of the project portfolio within the constraint of resource capacity

This step will walk you through the following activities:

• Perform a deeper retrospective on current project prioritization process
• Optimize your process to maintain resource capacity supply and project demand data
• Optimize your process to formally make disposition recommendations to appropriate decision makers

This step involves the following participants:

• PMO Director / Portfolio Manager
• Project Managers
• Business Analysts
• PMO Administrative Staff

Outcomes of this step

• Retrospective of the current project prioritization process: to continue doing, to start doing, and to stop doing
• Realistic estimate of available resource capacity, in the absence of a resource management practice
• Optimized process for presenting the decision makers with recommendations and facilitating capacity-constrained steering of the project portfolio
• Project Intake and Prioritization Tool for facilitating the prioritization process
• Documentation of the optimized process in the SOP document

The availability of staff time is rarely factored into IT project and service delivery commitments

A lot gets promised and worked on, and staff are always busy, but very little actually gets done – at least not within given timelines or to expected levels of quality.

Organizations tend to bite off more than they can chew when it comes to project and service delivery commitments involving IT resources.

While the need for businesses to make an excess of IT commitments is understandable, the impacts of systemically over-allocating IT are clearly negative:

• Stakeholder relations suffer. Promises are made to the business that can’t be met by IT.
• IT delivery suffers. Project timelines and quality frequently suffer, and service support regularly lags.
• Employee engagement suffers. Anxiety and stress levels are consistently high among IT staff, while morale and engagement levels are low.

76%: 76% of organizations say they have too many projects on the go and an unmanageable and ever-growing backlog of things to get to.

– Cooper, 2014

70%: Almost 70% of workers feel as though they have too much work on their plates and not enough time to do it.

– Reynolds, 2016

Unconstrained, unmanaged demand leads to prioritization of work based on consequences rather than value

Problems caused by the organizational tendency to make unrealistic delivery commitments is further complicated by the reality of the matrix environment.

Today, many IT departments use matrix organization. In this system, demands on a resource’s time come from many directions. While resources are expected to prioritize their work, they lack the authority to formally reject any demand. As a result, unconstrained, unmanaged demand frequently outstrips the supply of work-hours the resource can deliver.

When this happens, the resource has three options:

1. Work more hours, typically without compensation.
2. Choose tasks not to do in a way that minimizes personal consequences.
3. Diminish work quality to meet quantity demands.